Showing posts with label badmalweb. Show all posts

RBN - RBusinessNetwork / RBNnetwork

RBN - IP deployment Panama 81.95.144.0/22

RBNetwork AS40989 RBN as RBusiness Network


Number of unique AS-peers: 2
Number of found peering routers: 0
Number of prefixes: 4
Number of IP numbers: 2560



RBN - Too coin Software & SBT Telecom

RBN traceroute - Nevecon Ltd. - 194.146.204.3 - Too coin Software Limited (UK) - SBT Telecom Network (Seychelles); Traceroute

Panama > Ukraine > UK > Seychelles



Too coin Software Limited

SHEARWAY BUSINESS PARK 16, FOLKESTONE, KENT,
CT19 4RH, UK

phone: +1 401 369 8152
e-mail: noc@rbnnetwork.com

Its RIPE NCC Association Membership status is: Full

announced by AS41173(SBT AS SBT Telecom) AS24867(Adapt AS Adapt Services Ltd)
* as-sbtel(member of as-arbinet-lon-buyers, as-bandxuk, as-c4l, as-cais, as-interoute, as-mnet-t, as-tiscalicust, as-tsn)
* AS20807 Credolink ASN Credolink ISP Autonomous System St Petersburg
* AS39848 DELTASYS Delta Systems network
* AS40989 RBN AS RBusiness Network
* AS41108 OINVEST AS Online Invest group LLC
* AS41173 SBT AS SBT Telecom
* AS41181 RUSTELECOM AS Rustelecom AS
* AS41731 NEVSKCC AS NEVACON LTD

RBN - Nevecon Ltd. Panama

RBN's IP & Domain Deployment - Nevecon Ltd. Panama - 194.146.204.0/22

AS41731 NEVSKCC as Nevacon Ltd.


Number of unique AS-peers: 1
Number of found peering routers: 0
Number of prefixes: 1
Number of IP numbers: 1024


RBN - The Bank of India

Bank of India IT staff are mopping up the mess left by attackers who rigged the firm's website to feed malware to customers trying to access online services.


The bank managed to pry loose the rogue iframe responsible for the malware sometime early Friday morning California time. At time of writing, though, Bank of India's website was effectively cordoned off, bearing a terse notification saying: "This site is under temporary maintenance and will be available after 09:00 IST on 1.09.07."

The shuttering came a day after employees for security provider Sunbelt Software discovered someone had planted an iframe in the site that caused unpatched Windows machines to be infected with some of the most destructive pieces of malware currently in circulation. Sunbelt counted 31 separate pieces in all, including Pinch, a powerful and easy-to-use Trojan that siphons personal information from a user's PC. Other malware included Trojan.Netview, Trojan-Spy.Win32.Agent.ql, various rootkits and several spam bots.


Executives and IT administrators at US offices of Bank of India who were contacted Friday morning by IDG were initially unaware of the attack. A spokesman later told the news service that officials were aware of the problem and were working to correct it, but had no information concerning its severity or duration.

Some of the servers used to install the malware belonged to the notorious Russian Business Network, a group Spamhaus says is involved in child porn, phishing and other misdeeds. According to Verisign's iDefense unit, the RBN also played a hand in bringing us MPack, a powerful Trojan downloader that infected more than 10,000 websites in just three days.


In this case, the attackers appeared to use an exploit kit dubbed n404, according to this post by Dancho Danchev. It relies on a technique known as Fast Flux domain name service, which is proving to be resilient against bot hunters because there is no single point of weakness to take down.


Roger Thompson, a researcher with Exploit Prevention Labs, said he spotted one piece of code that exploited a vulnerability patched by last year's Microsoft Security Bulletin MS06-042. "It's pretty much a cut-and-paste of the original proof-of-concept that was put out on Metasploit last July," Thompson said of the code.

RBN Info - Spamhaus.org Rosko Listing

Spamhaus.Org - RBN Info

Russian Business Network - Among the world's worst spammer, child-pornography, malware, phishing and cybercrime hosting networks. Provides "bulletproof hosting", but is probably involved in the crime too.

Dear stupid trackback spammer at 81.95.144.66,

in case you haven't noticed yet: None of the trackback spams you have attempted to send to this and a couple of other sites over the last 24 hours has made it through. They are deleted automatically, and I didn't even have to block your IP address ...

Sincerely,
The Management

There's a reason why we haven't seen a lot of trackback spam recently, but it seems someone in Russia (81.95.144.66 belongs to Russian Business Network in St. Petersburg) hasn't gotten the memo yet.

Oh, and while you're at it, block 81.95.144.67 through to .70, too. I see Bad Behavior takes care of those already (claiming to be GoogleBot isn't really helping in getting trackback spam through), but just in case.


iFrameDollars.com or .biz


MICRONNET-NET: 195.114.16.0 - 195.114.17.255

netname: MICRONNET-NET; descr: Micronnet LTD network; country: RU

Address: Reshetnikova str. HSE 9, 197119 St. Petersburg, Russia

E-mail: info@micronnet.net


RBN (Russian Business Network) - A User's Guide

ACCORDING to VeriSign, one of the world's largest internet security companies, RBN, an internet company based in Russia's second city, St Petersburg, is "the baddest of the bad". In a report seen by The Economist, VeriSign's investigators unpick an extraordinary story of blatant cybercrime that implies high-level political backing.


In one sense, RBN (Russian Business Network) does not exist. It has no legal identity; it is not registered as a company; its senior figures are anonymous, known only by their nicknames. Its web sites are registered at anonymous addresses with dummy e-mails. It does not advertise for customers. Those who want to use its services contact it via internet messaging services and pay with anonymous electronic cash.


But the menace it poses certainly exists. "RBN is a for-hire service catering to large-scale criminal operations," says the report. It hosts cybercriminals, ranging from spammers to phishers, bot-herders and all manner of other fraudsters and wrongdoers from the venal to the vicious. Just one big scam, called Rock Phish (where gullible internet users were tricked into entering personal financial information such as bank account details) made $150m last year, VeriSign estimates.

Despite the attention it is receiving from Western law enforcement agencies, RBN is not on the run. Its users are becoming more sophisticated, moving for example from simple phishing (using fake e-mails) to malware known as "Trojans" that sit inside a victim's computer collecting passwords and other sensitive information and sending them to their criminal masters.


A favorite trick is to by-pass the security settings of a victim's browser by means of an extra piece of content injected into a legitimate website. An unwary user enters his password or account number into what looks like the usual box on his log-in page, and within minutes a program such as Corpse's Nuclear Grabber, OrderGun and Haxdoor has passed it to a criminal who can empty his bank account. When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. "Every major Trojan in the last year links to RBN" says a VeriSign sleuth.


RBN even fights back. In October 2006, the National Bank of Australia took active measures against Rock Phish, both directly and via a national anti-phishing group to which the bank's security director belonged. RBN-based cybercriminals replied by crashing the bank's home-page for three days.


What can be done? VeriSign has tracked down the physical location of RBN's servers. But Western law enforcement officers have so far tried in vain to get their Russian counterparts to pursue the investigation vigorously. "RBN feel they are strongly politically protected. They pay a huge amount of people. They know they are being watched. They cover their tracks," says VeriSign. The head of RBN goes under the internet alias "Flyman". Repeated e-mails to RBN's purported contact addresses asking for comment have gone unanswered.