RBN – Real Host, Latvia and the Zeus Botnet

RBN (Russian Business Network), via Real Host Ltd., is a fairly blatant cybercrime and bulletproof hosting hub. It inhabits AS8206 Junik, based in Riga, Latvia, and is high on any watch list. (ref1 & ref2)

As Dynamoo points out, it is “A real sewer” (ref3). Moreover, this has all the hallmarks and operational elements of the apparently fragmented RBN, either as a resurgence or as a clone of the RBN’s business model.

Fig 1 – Front page of installing cc – Zeus botnet rental & loading


Of more current interest, this is the base for distributing the new and as yet unpatched “Zero day Flash/PDF exploit” (ref 4) and zero-day Microsoft exploits, e.g. DirectShow - MS09-028. It is also a core center for the Zeus botnet C&C (command and control); Zeus is the #1 botnet in the US, with an estimated 3.6 million PCs infected.


Also known, but updated, usage of RBN methodologies:

# Rock Phish - which originally introduced the Zeus (aka WSNPOEM) Trojan.

# ZeuEsta (a mix of the ZeuS crimeware and the El Fiesta Exploit Kit). However, since April 17 2009, ZeuEsta has been combined with the SPack Exploit Kit (ref 5).


Fig 2 – iSell.cc - Stolen: Bank logins, credit cards, PayPal Sales and IDs – On Real Host





Fortunately, in more recent times there are several good sources within the Open SEC community of up-to-date information on malware domains, spam centers and botnets. To select a few:
  • Spamhaus – SBL75831 – lists the net block for Phishing and Malware hosting. (Ref 6.)
  • Fire - shows up to 9 complete malware servers over recent times. (Ref 7.)
  • MalwareURL – currently shows 199 domains hosting, amongst other badness: 18 trojans, 25 redirects to exploits and rogue anti-virus, 6 Botnet C&C (command and control). (Ref 8.)
  • Google’s Safe Browsing - for AS8206 Junik in the last 90 days, shows 12 sites providing malicious software for drive-by downloads and 102 sites acting as intermediaries for the infection of 11,810 other web sites. Finally, it found 161 websites hosting malware that infected 20,681 other web sites.
  • Google’s Safe Browsing - as an example for just one of the domains – 71.speed.info – 32 scripting exploits

The Results of Investigation and Reporting the Issues


Fig 3 – Real Host Routing – as of 073109






Fig 4 – Real Host Routing – as of 080309

Money mule sites - a look at the Barwells Group and NewskyAG reveals the following:

BarwellsGroup
"During the trial period (1 month), you will be paid 2,000 USD per month while working on average 3 hours per day, Monday-Friday, plus 5 commissions from every transactions or task received and processed. The salary will be sent in the form of wire transfer directly to your account. After the trial period your base pay salary will go up to 3,500USD per month, plus 5 commissions."
Clearly this is a money mule recruitment program. Sounds pretty good for 3 hours work per day!

NewskyAG
Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme, as shown by this quote from Yahoo Answers:

In summary, Real Host from within Junik serves:
  • exploits, including unpatched (or soon to be patched) 0days
  • payloads to drop on victim PCs, including: fake codecs, banking trojans, spambots, fake antivirus, downloaders and even a Mac trojan
  • phishing sites
  • money mule recruitment sites
  • Zeus botnet Command and Control servers
  • distribution of licensed software (Warez)
  • illegal porn content

Added to which, it is a center for the RBN cybercrime business model:
  • botnet rental,
  • botnet loading,
  • phishing
  • iFrame exploit affiliate,
  • warez
  • credit card trading forums,
  • openly selling credit cards, PayPal accounts and bank logins, over 10,000 “newly harvested”

So who is Real Host Ltd.?

To start with, the net block is leased from Junik by Alex Spiridonov, Abay Street 2a, Almaty, Kazakhstan. However, here are just a few other telltale signs:
  • Many of the domains are ex-Estdomains.
  • All of the websites are in Russian or for the trading arm Russian / English.
  • Older entities which many had thought were dead and gone are here; Barwells Group, Newsky, Web-Alfa, and good old Botnet.Su
All of these were operational elements of RBN (Russian Business Network). So this may not be a reincarnation of the RBN, but these are clearly Russian organized cyber criminals in the same vein, at least headed by someone from the old RBN school.

Further manual investigation led to the following information on domains supplied by Real Host:

IP               Domain                  Purpose
213.182.197.229  yourgoogleanalytics.us  Money Mule Recruiting
213.182.197.229  barwellsgroup.cn        Money Mule Recruiting
213.182.197.249  Vikd3jj-3.com           Malware
213.182.197.251  2k90.cn                 Malware
213.182.197.13   Mac-videos.com          Mac Trojan
213.182.197.236  71speed.info            Banking Trojan - Silent Banker
213.182.197.8    bestxvids.info          Zlob
213.182.197.249  traffic-searches.cn     Botnet C&C
213.182.197.237  1gigabayt.com           Zeus C&C
213.182.197.14   iframepartners.com      iframe sellers
213.182.197.228  Chlenopopik.com         Zeus C&C
213.182.197.14   Megavipsite.cn          Malware
213.182.197.20   Traffcount.cn           Malware
213.182.197.229  Newskyag.com            Money Mule Recruiting & Zeus C&C
213.182.197.235  Traffic-exchange.ru     Part of iframe redirection service
213.182.197.10   vlkontacte.ru           Russian Social Network Phish
213.182.197.251  Botnet.su               Zeus C&C

With the Botnet.su and related installs.cc domains, the attackers clearly aren't trying to hide their motives! This domain was previously used by the RBN along with NewskyAG and others. Zeus is one of the most common threats being hosted from Real Host's network.
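
An added example (not part of the original post): one way a defender could match proxy or DNS log entries against rows of the table above, catching subdomains and direct hits on a listed IP while ignoring look-alike names. The indicator rows are copied from the table; the log format and the sample log lines are constructed for illustration.

```python
import ipaddress

# Rows copied from the page's table (IP, domain, purpose); a subset for brevity.
TABLE = """\
213.182.197.237 1gigabayt.com Zeus C&C
213.182.197.228 Chlenopopik.com Zeus C&C
213.182.197.229 Newskyag.com Money Mule Recruiting & Zeus C&C
213.182.197.251 Botnet.su Zeus C&C
"""

# Constructed sample log; assumed format: "<client> <requested host> <resolved IP>".
SAMPLE_LOG = """\
10.0.0.5 www.botnet.su 213.182.197.251
10.0.0.7 notbotnet.su 192.0.2.10
10.0.0.8 NEWSKYAG.COM. 213.182.197.229
10.0.0.9 cdn.example.org 213.182.197.237
"""

def load_indicators(text):
    """Return ({domain: purpose}, {ip_address: [purposes]}) from table rows."""
    domains, ips = {}, {}
    for row in text.splitlines():
        ip, domain, purpose = row.split(None, 2)
        domains[domain.lower()] = purpose
        ips.setdefault(ipaddress.ip_address(ip), []).append(purpose)
    return domains, ips

def match_domain(host, domains):
    """Match host or a parent domain on a label boundary, case-insensitively."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def scan(log_text, domains, ips):
    """Return (client, host, reason) for each line hitting a listed domain or IP."""
    hits = []
    for line in log_text.splitlines():
        client, host, resolved = line.split()
        listed, addr = match_domain(host, domains), ipaddress.ip_address(resolved)
        if listed:
            hits.append((client, host, f"domain {listed}: {domains[listed]}"))
        elif addr in ips:
            hits.append((client, host, f"IP {addr}: {'; '.join(ips[addr])}"))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG, *load_indicators(TABLE)), sep="\n")
```

The last sample line shows why the IP column matters: an unlisted hostname resolving to a listed address is still flagged.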