RBN - More of the RBN's fake anti-spyware and anti-malware tools (2 of 3).

As requested this article (2 of 3) continues from the Russian Business Network (RBN’s) Top 20 “fake” or “rogue software” series concerning the RBN’s Retail Division. The first article provided details of 20 such products focused on the delivery method and the need for dynamic CYBERINT (cyber intelligence) to encompass the multiplicity of other mirrored hosts and servers. This article provides further exposure of 21 to 40, but to extend the theme to a historical awareness of these ongoing and active threats. The third article will focus on the question, “Are these entire 40 fake products all RBN?” – The brief answer here is a quantifiable - yes!

A further example in this 21 – 40 group is AntiVirGear,again the same user exploit mode is used is stealth based malware, and according to McAfee’s Site Advisor provides a host of bad downloads for the unsuspecting user. AntiVirGear makes a fairly recent entrance to this scene, and appears within spyware forums and other security sources e.g. Symantec (September 13, 2007), but AntiVirGear is not new. The exploit variety here is based upon the Trojan Zlob or variant, well known in earlier names such as spysherriff, antispyware-gold, etc., with recorded sightings form 2004 and 2005.

The further batch 21 – to – 40 is shown here in Table 4.

Again many are alive and well and doing good business for the RBN despite most of the core IP addresses are blacklisted. However when compared with the 1st article again there is the common thread of interrelated hosts or mirror servers, see Table 5.

The tables in the 1st article and the tables here, and RBN related information helps to provide two important observations:

(a) The most important $$$ earning or key activities e.g. Malwarealarm, AntiVirGear, within the “fakes” category, but also as shown with the current PDF and Gozi attack are directly served with AS 40989 = RBNetwork (RBN).

(b) 36 out of 40 of the RBN fakes are hosted or mirrored via AS 27596 = Intercage

Intercage (US) AKA; Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US), (Note: interestingly Broadwing Communications a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT- appears to be the core mail carrier and mirrored hosting for AS 27596 - level of responsibility?). Intercage has a history relating to the RBN “fakes” as noted back as early as 2005 / 2006 for example Spyware Warrior forum. In February 2006 there was an online debate where ZDnet questioned ISC Sans suggestion to drop the blocking of all of Intercage, their arguement being there were “some” legitimate customers there.

There are two conclusions that could be made from this:

1. It has been suggested to the authors of this blog, it will not be until some of the victims of these fakes and RBN begin and successfully pursue legal actions against such server enterprises the legitimate ones will ensure they consider a level of due diligence in accepting or continuing to be the vehicle for such illegal activities.

2. Clearly IP blocking in a fast, responsive and comprehensive “OpenDNS” CYBERINT format as a method for ISPs and users is long overdue. There is a big difference between say iPower when they are careless victims themselves in getting 10,000 web sites hacked, and such an obvious case as Intercage - AKA RBN.

Finally as a reminder that this is a “now” problem and large scale see a sample in Table 6 from 21- 40, this would show about 3-4 million users as visitors worldwide to the 40 sites, per month “NOW”.