RBN – New and Improved Storm Botnet for 2008

Obviously the Russian Business Network (RBN) is working overtime during the Christmas and New Year holiday, no doubt planning for many in the ISP security and anti-spam arena to be on skeleton staff.

Many will now have already seen reports of the Storm Botnet outbreak which started on December 24th “MerryChristmasDude” with good write up at ComputerWorld and for technical details at ISC Sans or HolisticInfoSec (links on footer). This picture is changing rapidly and by December 26th there were new web sites “Uhavepostcard” , “HappyCards2008” and no doubt more to come over the next few days.

Three of the key web sites have the following registrant information, all registered via “ANO REGIONAL NETWORK INFORMATION CENTER DBA RU (Russia)” in chronological order:

Domain Name: MERRYCHRISTMASDUDE.COM - Creation Date: Nov 27 2007

Domain Name: UHAVEPOSTCARD.COM - Creation Date: Dec 23 2007
Domain Name: HAPPYCARDS2008.COM - Creation Date: Dec 26 2007

The key objective for the RBN is to rebuild the Storm Botnet which is shown in various reports over the last few months, from a few million enslaved PCs to more recently a few 100,000’s. One can only further guess as to what the RBN’s main goal is to use a rebuilt Storm Botnet for, e.g. earlier DDOS (Denial of Service attack) on Estonia.

There are some interesting elements concerning which make this attack innovative:

# Although much of that detected is conventional spam, however there is also a large amount of spam which is getting through many anti-spam defenses due to the use of “fake” BlogSpot (Blogger) links for example on a small sample;

hxxp://dantipXXXX.blogspot.com/?soapwerzpordeecaspewtkk153trajspeak hxxp://isakovkapitonXXXX.blogspot.com/?harkwerzpordeecaspewtkk153trajfloor

The common part of the suffix is “pewtkk153traj” which redirects to Geocities web sites and then a further redirect to the Storm exploit domains.

# Although most have identified as the Zhelatin Storm email worm or variant, it is also as the more recent fake codec downloads, dependent upon where the unfortunate user has come from. This now shows a “polymorphic” format, i.e. the virus or exploit has the ability to alter its signature in an attempt to combat anti-virus tools.

# The fast-flux technique used to avoid detection in this case is actually “double-flux” characterized by multiple nodes within the network registering and de-registering their addresses (see sample maps below taken within one hour periods and show the fast-flux DNS changes). It is also safe to say this newer Storm Network has now also has improved defense mechanisms, if examined too closely.

Computerworld - Storm Worm Christmas
Computerworld - Storm New Year
ISC Sans - Anticipated Storm

RBN – $$$ - the retail payment systems

In an extension to analysis of the Russian Business Network (RBN) this is the first element of a series on RBN payment systems.

This article focuses on just one of the several payment systems for its “fakes” retail division i.e. isoftpay.com, this has been reported before namely the Sunbelt Blog (see links on footer) Oct 3rd 06 in the report on the rogue software, also more recently reported within 2-spyware on Dec 10th 07.

In exploring this node of the RBN’s organization it raises several areas of interest; the location(s) of internet operation, SSL and transactional base. Briefly by way of an introduction to later more in depth analysis malware revenue models, analysis solely of isoftpay does provide a starting point for some generalized assumptions of RBN retail revenue. Therefore as mentioned within earlier articles here on fakes and current analysis:

(a) Isoftpay serves as the payment point for such fakes as Bravesentry, and others.

(b) Secure. Isoftpay.com over the last 30 days (mid Nov – Mid Dec) received 187,750 direct unique visitors from the US.

(c) This tends to demonstrate approximately 25% of the unique visitors to those rogue software web sites go back to the payment site. As directed by the exploits downloaded from the “free” trial of the fake anti-spyware.

(d) On a reasonable assumption a high proportion of those directly visiting the secure payment area after downloading the exploit to make the purchase, say 75%, this would provide gross revenue of say $4 million per month from solely US visitors.

(e) As US visitors represent 17 – 40% of the world wide audience for such sites one can assume gross revenue as being in the region of $10 million / month, $120 million per annum.

A significant component is the SSL (Secure Sockets Layer) and certification the figure below shows the current certificate for Isoftpay.

The certificate appears legitimate unfortunately we have not as yet ascertained from Equifax or Geotrust whether it is a forgery, and if not, they should be able to inform us who the purchaser was.

Also of interest is the payment transactions and as site takes Visa and MasterCard, and further enquiries are outstanding as to who the revenues collected are paid to.

Finally as several victims have contacted the authors of this blog, and any transaction is fraudulent. No doubt Equifax, Geotrust, Visa and MasterCard will act swiftly to prevent further fraudulent transactions and ensure victims at least gain a return of their payments?

From the perspective of the RBN’s nodes of operation originally as noted by Sunbelt the IP address in Oct 06 was - AS27595 ATRIVO. The figure below shows the current (Dec 19th 07) and a comparison with locations on Oct 28th 07, the actual only difference is the addition of name server (ns3.isoftpay.com) served from AS4837 CNC Group China. The other servers are some of the RBN’s usual suspects AS9930 TTnet Malaysia, AS4657 StarHub Singapore, and it goes without saying AS27595 Atrivo AKA Intercage, Inhoster, etc.

Below is shown in figures two IP and AS maps of the Isoftpay and related domains

References: Sunbelt 10/06 2-Spyware.com 21/07