RBN - Atrivo: Cyber Crime USA

In a new study entitled "Atrivo - Cyber Crime USA", the authors have extensively tracked and documented ongoing cyber criminal activity from within the Internet servers controlled by the California-based Atrivo, and other associated entities. Atrivo is one of the Internet's Autonomous Systems and controls a large number of IP addresses, which web sites must use to reach consumers.

Produced by cyber crime researcher Jart Armin, in association with Matt Jonkman and James McQuaid, the first of its kind Open Source Security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which has been seen by many over several years as a main conduit for financial scams, identity theft, spam and malware. This study although fully self contained is the first of a series of reports, on a monthly basis there will be a follow up to report on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users, and hopefully efforts to stop them.

In addition to original quantitative research conducted by Armin, Jonkman and McQuaid, the study draws upon the findings of other research efforts, including StopBadware, EmergingThreats, Knujon, Sunbelt, CastleCops, Spamhaus, and many others. What emerges is a picture of a front for ruthless cyber criminals, who have specifically targeted consumers in the United States and elsewhere. The study provides hard data regarding specific current activity within Atrivo, explains how consumers are targeted, describes Atrivo's virtual network structure, organizational modeling, and cites Atrivo's collusive failure to respond to abuse complaints from 2004 to the present. The study includes three dimensional charts, diagrams, and a YouTube video which make it easy to grasp the statistics or processes discussed.

Document available for download from hostexploit.com

Video of the Exploitation of a PC User - YouTube

RBN - Storm Botnet, the Changing Chessboard

In a follow up to the earlier Russian Business Network (RBN) "New and Improved Storm Botnet for 2008" the chessboard changes yet again. In this game of chess our opponents started over Christmas with a full frontal attack, but have already now switched to a flanking moves. Perhaps on this occasion the community may be able to slow down the advance to force a draw or maybe even win this particular game of chess?

The key is to understand and combat the Storm 2008's innovative elements and attempt to quantify progress of the game. With the aid of early analysis by Thorsten Holz / The German Honeynet Project and based on limited initial data we have attempted to produce a predictive trend analysis of the Storm Botnet to rebuild and reach 1 million PCs. This is shown in figure 1, given current analysis shows a growth from say 10,000 on Dec-22 to 30/40,000 by Jan-03, on a conservative analysis Storm should reach 1 million by Mid Feb 08.

So at least a we now have a potential game progress definition; for the RBN it would be a disappointment if they did not easily clear this target, for the community the aim is to limit the target. Game on?

To play this game we all better know the rules of deception, on a current assessment of progress against the innovative Storm elements:

# First the good news so far 2,147 fake and or infected Blogspots have been detected and are flagged by Google as shown in the StopBadWare clearing house.

# Further good news on checking most of the Storm attack domains (see list below) are either SBL or XBL listed on Spamhaus et. al.

# Some confusion in the ranks as assumptions are made as to locations or even selective attacks. As described elsewhere the botnet control panel(s) are now much more sophisticated, with the ability to decide which geographic region and areas to attack. Interestingly if the PC still subject to earlier infection there will be no further re-infection. # As noted the polymorphic nature is clearly present to confuse i.e. the virus or exploits have the ability to alter its signature in an attempt to combat anti-virus tools.

# Most worrying is the constant stream of domains and the "fast-flux" technique used to avoid detection as mentioned in this case is actually “double-flux” characterized by multiple nodes within the network registering and de-registering their addresses. This implies as fast as IPs are block listed, it would seem "Snort" which is capable of performing packet logging and real-time traffic analysis on IP networks, may at last demonstrate its earlier promise.

# Finally it is fairly safe to predict there will be further attacks on the search engines and via social engineering i.e. Face Book, etc.


The current Storm attack domains and related fakes (also ref links below: Malwaredomains, Emerging Threats, honeywall blog, and US Cert) although of limited number to begin with are now:
10000xing(dot)cn - 222360(dot)com - adslooks(dot)info - bnably(dot)com - eqcorn(dot)com - familypostcards2008(dot)com - freshcards2008(dot)com -happy2008toyou(dot)com - happysantacards(dot)com - hellosanta2008(dot)com - hohoho2008(dot)com - kqfloat(dot)com - ltbrew(dot)com - mymetavids(dot)com - obebos(dot)cn - parentscards(dot)com - postcards-2008(dot)com - ptowl(dot)com - qavoter(dot)com - santapcards(dot)com - santawishes2008(dot)com - siski(dot)cn - snbane(dot)com - snlilac(dot)com - tibeam(dot)com - tushove(dot)com - wxtaste(dot)com - yxbegan(dot)com

The specific Storm exploits have overlapped with fake anti-malware and fake codecs which are polymorphic in their nature: ArcadeWorld(dot)exe - ArcadeWorldGame(dot)exe - ClickHere(dot)exe - codecnice1126(dot)dmg - codecnice1126(dot)exe - codecultra1123(dot)dmg - codecultra1123(dot)exe - ecard(dot)exe - fck2008(dot)exe - Flash_Postcard(dot)exe - FlashPostcard(dot)exe - Full Story(dot)exe - FullClip(dot)exe - FullNews(dot)exe - FullVideo(dot)exe - GreetingCard(dot)exe - GreetingPostcard(dot)exe - happy_2008(dot)exe - happy2008(dot)exe - Install_video_3913230(dot)exe - MoreHere(dot)exe - NflStatTracker(dot)exe - Postcard(dot)exe - Read_More(dot)exe - ReadMore(dot)exe - sony(dot)exe - stripshow(dot)exe - Video(dot)exe - VideoAccessCodecInstall(dot)exe - virusranger(dot)exe - vrsvc(dot)exe

Storm Growth analysis - German HoneyNet
Malwaredomains
Emerging Threats
US Cert

RBN – $$$ - the retail payment systems

In an extension to analysis of the Russian Business Network (RBN) this is the first element of a series on RBN payment systems.


This article focuses on just one of the several payment systems for its “fakes” retail division i.e. isoftpay.com, this has been reported before namely the Sunbelt Blog (see links on footer) Oct 3rd 06 in the report on the rogue software, also more recently reported within 2-spyware on Dec 10th 07.

In exploring this node of the RBN’s organization it raises several areas of interest; the location(s) of internet operation, SSL and transactional base. Briefly by way of an introduction to later more in depth analysis malware revenue models, analysis solely of isoftpay does provide a starting point for some generalized assumptions of RBN retail revenue. Therefore as mentioned within earlier articles here on fakes and current analysis:

(a) Isoftpay serves as the payment point for such fakes as Bravesentry, and others.


(b) Secure. Isoftpay.com over the last 30 days (mid Nov – Mid Dec) received 187,750 direct unique visitors from the US.


(c) This tends to demonstrate approximately 25% of the unique visitors to those rogue software web sites go back to the payment site. As directed by the exploits downloaded from the “free” trial of the fake anti-spyware.


(d) On a reasonable assumption a high proportion of those directly visiting the secure payment area after downloading the exploit to make the purchase, say 75%, this would provide gross revenue of say $4 million per month from solely US visitors.


(e) As US visitors represent 17 – 40% of the world wide audience for such sites one can assume gross revenue as being in the region of $10 million / month, $120 million per annum.

A significant component is the SSL (Secure Sockets Layer) and certification the figure below shows the current certificate for Isoftpay.

The certificate appears legitimate unfortunately we have not as yet ascertained from Equifax or Geotrust whether it is a forgery, and if not, they should be able to inform us who the purchaser was.

Also of interest is the payment transactions and as site takes Visa and MasterCard, and further enquiries are outstanding as to who the revenues collected are paid to.

Finally as several victims have contacted the authors of this blog, and any transaction is fraudulent. No doubt Equifax, Geotrust, Visa and MasterCard will act swiftly to prevent further fraudulent transactions and ensure victims at least gain a return of their payments?

From the perspective of the RBN’s nodes of operation originally as noted by Sunbelt the IP address in Oct 06 was 69.50.168.101 - AS27595 ATRIVO. The figure below shows the current (Dec 19th 07) and a comparison with locations on Oct 28th 07, the actual only difference is the addition of name server (ns3.isoftpay.com) served from AS4837 CNC Group China. The other servers are some of the RBN’s usual suspects AS9930 TTnet Malaysia, AS4657 StarHub Singapore, and it goes without saying AS27595 Atrivo AKA Intercage, Inhoster, etc.

Below is shown in figures two IP and AS maps of the Isoftpay and related domains









References: Sunbelt 10/06 2-Spyware.com 21/07

RBN – Fake Codecs

With the ongoing tracking of “fake” software websites related to the Russian Business Network (RBN) and their associates it is important to note the growth of the fake codec websites. A codec is a small program that's allows an operating system or a program to properly play audio or video in a particular format, e.g. MP3, WAV, Xvid, MPEG, Indeo and Cinepak.









Figure 1. Sample “fake” codec site - Gamecodec.com



This article is cumulative snapshot report based upon current and historical community reporting from; Zlob Watch (peki.blogspot), Sunbelt, and the excellent earlier work of Jahewi's Fake Codec Information (unfortunately last updated Jan 20th 07). The key issues are:

• Currently shown here (see fig. 2 below) 53 active, with the 60 earlier reported mostly dormant domains (see fig. 3 below) provides for a total of at least 113 “fake” codec web sites operational over an 18 month period. It would appear many of the active domains alternate on a regular basis from being non resolvable (apparently offline) to online.

• The prime exploits from these sites are (a) Zlob - shows fake error messages and silently installs fake anti-spyware products. (b) DNSChanger silently adds rogue DNS name servers to your PC or Mac. These name servers will resolve non-existing domains (typo-squatting) to IP addresses associated with the authors to generate revenue and could potentially re-routes traffic from legitimate web sites to other suspicious web sites. Ref peki.blogspot
  

Note: We should clarify that the Mac fake codecs are only for the DNS changing trojans and that not all the sites listed will spawn Mac stuff.

• These exploits are designed for Mac and Windows users; with the attack vector similar to the “fake” anti-spywares however the technique is varied by constantly emerging new domains but mostly to a singular web landing page interface.

• Most importantly all 113 domains are or were registered with Estdomains, similarly all of the active 53 domains in fig. 2 are hosted by AS27595 by Atrivo; AKA – Intercage, Inhoster, Cernal, etc. Also added should be AS 36445 a newer Autonomous Server apparently used by Cernal. For blocking purposes the following IP ranges should be incorporated:

64.28.176.0/20 AS27595 INTERCAGE
85.255.118.0/20 AS27595 INTERCAGE
85.255.112.0/20 AS36445 CERNEL

Figure 4 - Sample IP Map - Zerocodec

RBN – PC Hijacking via Banner-Ads on Major Web Portals

The Russian Business Network (RBN) in one of its boldest PC hijacking exploits used conventional banner-ads to redirect web visitors to “fake” anti-spyware sites, this is a new attack vector but uses known RBN server routes and exploits. Malware based ads have been spotted on various legitimate websites, ranging from baseball's MLB.com, NHL.com, Canada.com and The Economist. Acting as a conventional Flash file, the exploit is via DoubleClick's DART program, DoubleClick acknowledges the malware, and says it has implemented a new security-monitoring system that has thus far captured and disabled a hundred ads.



How the exploit works, servers and locations (confirm Explabs):

Example for mlb.com ... mlb.com – to - ad.doubleclick.net - to - newbieadguide.com - to - fixthemnow.com - this calls to safetydownload.com for the “fake” download

Example for nhl.com ... nhl.com – to - 2mdn.net -to - ad.doubleclick.net – to - adtraff.com – to -blessedads.com and prevedmarketing.com - to - malware-scan.com, for the “fake” download.

Figure 3 – Secure Hosting Bahamas



As shown above the key servers involved in particular Secure Hosting based in The Bahamas has been utilized on other occasions by RBN. It should also be noted the four specific exploit servers and their AS (Autonomous Server) are:

• AS15146 Cable Bahamas Ltd. (also AS26855 INTERNET BAHAMAS) - SECUREHOST.COM - IP range involved - 190.15.72.0/21

• AS29131 RAPIDSWITCH Ltd - London UK - IP range involved - 87.117.192.0/18

• AS33510 SETUPAHOST - Toronto Canada - IP range involved - 66.244.254.0/24

• AS41947 WEBALTA / Internet Search Company - Moscow Russia - IP range involved - 77.91.224.0/21

Each of these servers houses many other questionable and other exploit based domains within the same specific IP as those specific domains utilized within this PC hijack exploit, figure 4 – shows those domains which include 23 domains as “fake” anti-spyware or rogue software based upon the same RBN exploits as “Winfixer”, “SpySheriff”, etc.

This important exposure is thanks to excellent CYBERINT work within the community, references:

Explabs - Wired.com - Sunbelt

RBN – Russian Business Network - Faking its demise

Although it is true the Russian Business Network (RBN) as AS40989 RBN AS RBusiness Network has relinquished its IP addresses (not the related ‘peers’), this blog has never shown this as the core centre of RBN activity or particularly relevant to its commercial activity. To simply test the hypothesis of the demise of the RBN as in recent headlines in the press using phrases as “Mother of all cybercrime vanishes from the web”, or “RBN goes Poof” is to simple review one of the RBN’s major money earning retail activity.


HYPOTHESIS = Logically RBNs fake anti-spyware or rogue software should show major changes in serving and hosting over the last week or so, if the demise of the RBN is correct. Fortunately based on limited CYBERINT earlier we were able to show 57 well known ‘fakes’ and 34 of the top 40 being RBN related, below can be seen the specifics.


RESULT = With the exception of the loss of replacement of AS40989 secondary name servers there has been little or no change to the core IP addresses.

(a) For example; Antivirgear shows a current Alexa Trend/Rank: #5,473 (out of an estimated 60 million web sites) improved over the last month. 397,296 U.S. visitors per month which is 10.7% of its traffic thus visitors worldwide = 3.7 million, this is just one of many ‘fake’ web sites.

(b) It does assist in highlighting the role of Intercage AS 27595 (AKA; Atrivo (US), Inhoster - xbox.dedi.inhoster.com - Ukraine, and Estdomains) as a fundamental part of the RBN from 2004 (see .

For the results Figure 1 shows an overview of the RBN’s / Atrivo share of the ‘fakes’ market. For completeness (click on the images to enlarge);

Figure 2 - shows the complete list of the 57 ‘fakes’ in alphabetical order.

Figure 3 - shows the complete list of the 57 ‘fakes’ ranked to specific hosts / servers.

N.B. – It should be noted the 6 ‘fakes’ listed as offline, this are currently dormant, historically this has happened before and such domains often come back to use.

RBN – The Russian Business Network Has Closed Shop?

Russian Business Network (RBN) watching requires healthy cynicism and two simple tricks i.e. (1) View their actions as you would an illusionist or as a stage magician, look for the misdirection, (2) Observe a historical perspective.

The good news is the publicity shy RBN does appear to have responded or is being forced to respond to being under the microscope as reported by Brian Krebs of the Washington Post. The bad news is the RBN IP ranges reportedly withdrawn are not the current RBN IP ranges utilized in current exploits. The excellent work of Geoff Huston and his cidr-report provides great information for those interested in the AS (Autonomous Systems) side of the Internet. This shows the following:

Prefixes withdrawn by this origin AS in the past 7 days = AS40989 (RBN)

- 81.95.144.0/22 = Withdrawn

- 81.95.148.0/22 = Withdrawn

- 81.95.154.0/24 = Withdrawn

- 81.95.155.0/24 = Withdrawn

However, as shown here and elsewhere the recent RBN based PDF exploit utilized 81.95.146.130 and 81.95.147.107, further many of the RBN “fake” anti-spyware and anti-malware websites use 81.95.145.186 as one of the many Internet “name servers”. Therefore one can only conclude

- 81.95.145.0/22 = Still active

- 81.95.146.0/22 = Still active

- 81.95.147.0/22 = Still active

Historically there have been many welcome reports of the demise of the RBN and their acolytes stretching back to 2004. Without any political bias it is reminiscent of being told the war in Iraq, is over circa 2003. To maintain a focused watch on the RBN as an organically growing organization is one of the main reasons a few of us created this blog in 2007.

This blog can only repeat the RBN as an organization uses many; guises, name servers, routes, stooges, etc., to operate under the radar and confuse. The excellent recent publicity through the many blogs, e-zines, and newspapers currently must only assist in gaining the necessary attention required. If only for the current 4 million plus and growing Internet users who will visit the RBN fake sites this month, and the many more who will suffer due to iFrame injections, Mpack and more. It is appropriate for a cynical view of any RBN related actions, and even more importantly maintain our vigilance.

There will be a detailed follow up article which will show a current example of the RBN and the "apparent" use of Chinese web space.

RBN - More of the RBN's fake anti-spyware and anti-malware tools (2 of 3).

As requested this article (2 of 3) continues from the Russian Business Network (RBN’s) Top 20 “fake” or “rogue software” series concerning the RBN’s Retail Division. The first article provided details of 20 such products focused on the delivery method and the need for dynamic CYBERINT (cyber intelligence) to encompass the multiplicity of other mirrored hosts and servers. This article provides further exposure of 21 to 40, but to extend the theme to a historical awareness of these ongoing and active threats. The third article will focus on the question, “Are these entire 40 fake products all RBN?” – The brief answer here is a quantifiable - yes!

A further example in this 21 – 40 group is AntiVirGear,again the same user exploit mode is used is stealth based malware, and according to McAfee’s Site Advisor provides a host of bad downloads for the unsuspecting user. AntiVirGear makes a fairly recent entrance to this scene, and appears within spyware forums and other security sources e.g. Symantec (September 13, 2007), but AntiVirGear is not new. The exploit variety here is based upon the Trojan Zlob or variant, well known in earlier names such as spysherriff, antispyware-gold, etc., with recorded sightings form 2004 and 2005.

The further batch 21 – to – 40 is shown here in Table 4.

Again many are alive and well and doing good business for the RBN despite most of the core IP addresses are blacklisted. However when compared with the 1^st article again there is the common thread of interrelated hosts or mirror servers, see Table 5.

The tables in the 1^st article and the tables here, and RBN related information helps to provide two important observations:

(a) The most important $$$ earning or key activities e.g. Malwarealarm, AntiVirGear, within the “fakes” category, but also as shown with the current PDF and Gozi attack are directly served with AS 40989 = RBNetwork (RBN).

(b) 36 out of 40 of the RBN fakes are hosted or mirrored via AS 27596 = Intercage

Intercage (US) AKA; Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US), (Note: interestingly Broadwing Communications a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT- appears to be the core mail carrier and mirrored hosting for AS 27596 - level of responsibility?). Intercage has a history relating to the RBN “fakes” as noted back as early as 2005 / 2006 for example Spyware Warrior forum. In February 2006 there was an online debate where ZDnet questioned ISC Sans suggestion to drop the blocking of all of Intercage, their arguement being there were “some” legitimate customers there.

There are two conclusions that could be made from this:

1. It has been suggested to the authors of this blog, it will not be until some of the victims of these fakes and RBN begin and successfully pursue legal actions against such server enterprises the legitimate ones will ensure they consider a level of due diligence in accepting or continuing to be the vehicle for such illegal activities.

2. Clearly IP blocking in a fast, responsive and comprehensive “OpenDNS” CYBERINT format as a method for ISPs and users is long overdue. There is a big difference between say iPower when they are careless victims themselves in getting 10,000 web sites hacked, and such an obvious case as Intercage - AKA RBN.

Finally as a reminder that this is a “now” problem and large scale see a sample in Table 6 from 21- 40, this would show about 3-4 million users as visitors worldwide to the 40 sites, per month “NOW”.