RBN – New and Improved Storm Botnet for 2008

Obviously the Russian Business Network (RBN) is working overtime during the Christmas and New Year holiday, no doubt counting on many in the ISP security and anti-spam arena being on skeleton staff.

Many will already have seen reports of the Storm Botnet outbreak which started on December 24th (“MerryChristmasDude”), with a good write-up at ComputerWorld and technical details at ISC Sans or HolisticInfoSec (links on footer). The picture is changing rapidly: by December 26th there were new web sites, “Uhavepostcard” and “HappyCards2008”, and no doubt more will follow over the next few days.

Three of the key web sites have the following registrant information, all registered via “ANO REGIONAL NETWORK INFORMATION CENTER DBA RU (Russia)”, in chronological order:

Domain Name: MERRYCHRISTMASDUDE.COM - Creation Date: Nov 27 2007
Domain Name: UHAVEPOSTCARD.COM - Creation Date: Dec 23 2007
Domain Name: HAPPYCARDS2008.COM - Creation Date: Dec 26 2007

The key objective for the RBN is to rebuild the Storm Botnet, which various reports over the last few months show as having shrunk from a few million enslaved PCs to, more recently, a few hundred thousand. One can only guess what the RBN’s main goal for a rebuilt Storm Botnet is; an earlier example of its use is the DDoS (distributed denial of service) attack on Estonia.

Several interesting elements make this attack innovative:

# Although much of what has been detected is conventional spam, a large amount of it is getting through many anti-spam defenses because it uses “fake” BlogSpot (Blogger) links, for example (from a small sample):

hxxp://dantipXXXX.blogspot.com/?soapwerzpordeecaspewtkk153trajspeak
hxxp://isakovkapitonXXXX.blogspot.com/?harkwerzpordeecaspewtkk153trajfloor

The common part of the suffix is “pewtkk153traj”; the link redirects to Geocities web sites, which in turn redirect to the Storm exploit domains.

# Although most have identified the payload as the Zhelatin Storm email worm or a variant, it is also served as the more recent fake codec downloads, depending on where the unfortunate user has come from. This now shows a “polymorphic” format, i.e. the virus or exploit can alter its signature in an attempt to evade anti-virus tools.

# The fast-flux technique used to avoid detection in this case is actually “double-flux”, characterized by multiple nodes within the network registering and de-registering their addresses (the sample maps below, taken within one-hour periods, show the fast-flux DNS changes). It is also safe to say this newer Storm network now has improved defense mechanisms if it is examined too closely.
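The fake-BlogSpot links above have a recognisable shape: a *.blogspot.com host whose query string is a single bare token rather than key=value pairs, with a campaign marker buried inside it. The following is an added example, not code from the blog, showing how a mail or proxy filter could triage such links offline. The two URLs are the ones quoted above (with the XXXX placeholders kept); the two control links, the `refang` helper and the function names are assumptions for illustration. It also goes a step beyond the post by deriving the shared token from a batch of suspect links, so a new campaign marker can be spotted without knowing it in advance.

```python
"""Flag spam links that abuse Blogger redirect hosts and derive their marker.

Added example (not the blog's own code). Sample links are constructed from
the two defanged URLs quoted in the post plus two benign-looking controls.
"""
import re
from urllib.parse import urlsplit

# Marker the post identifies as the common part of the query string.
KNOWN_MARKER = "pewtkk153traj"

# Constructed sample of links extracted from mail: the two from the post
# (placeholder digits kept as XXXX) plus two controls that must not fire.
SAMPLE_LINKS = [
    "hxxp://dantipXXXX.blogspot.com/?soapwerzpordeecaspewtkk153trajspeak",
    "hxxp://isakovkapitonXXXX.blogspot.com/?harkwerzpordeecaspewtkk153trajfloor",
    "hxxp://somebody.blogspot.com/2007/12/holiday-photos.html",
    "hxxp://example.com/?pewtkk153traj",
]


def refang(url: str) -> str:
    """Turn a defanged hxxp:// link back into a parseable http:// URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def is_blogspot_bare_query(url: str) -> bool:
    """True for a *.blogspot.com host carrying a bare '?<token>' query
    (no key=value pairs), the shape of the redirect links in the post."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    on_blogger = host == "blogspot.com" or host.endswith(".blogspot.com")
    return on_blogger and bool(parts.query) and "=" not in parts.query


def is_blogspot_redirect(url: str, marker: str = KNOWN_MARKER) -> bool:
    """True when the link has the suspect shape and carries the marker."""
    return is_blogspot_bare_query(url) and marker in urlsplit(refang(url)).query


def longest_common_substring(strings):
    """Longest substring present in every string (empty if none)."""
    if not strings:
        return ""
    shortest = min(strings, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in strings):
                return candidate
    return ""


def derive_marker(urls):
    """Token shared by the query strings of suspect-shaped links; used to
    find a campaign marker without knowing it in advance."""
    queries = [urlsplit(refang(u)).query for u in urls if is_blogspot_bare_query(u)]
    return longest_common_substring(queries)


def triage(links=SAMPLE_LINKS):
    """Return (links carrying the known marker, token shared by suspects)."""
    flagged = [u for u in links if is_blogspot_redirect(u)]
    return flagged, derive_marker(links)


if __name__ == "__main__":
    flagged, shared = triage()
    for u in flagged:
        print("FLAG", u)
    print("shared query token:", shared)
```

On the post's two links the derived token is `werzpordeecaspewtkk153traj`, which contains the marker the post names; the benign Blogger permalink and the non-Blogger link are left alone.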
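The double-flux point above is easier to see with a concrete check. In single-flux the domain's A records rotate through many compromised hosts with short TTLs; in double-flux the name servers' own addresses rotate as well, which is what the post's one-hour maps show. The following is an added example, not code from the blog, that classifies domains from a constructed list of resolver observations such as a periodic lookup loop would produce. Domain names, addresses, the one-hour window and the thresholds are all assumptions for illustration; the NS rows record the name server's resolved (glue) address so that name-server churn can be measured.

```python
"""Classify domains as stable, single-flux or double-flux from DNS snapshots.

Added example (not the blog's own code). The observations below are
constructed; thresholds are assumptions sized for a one-hour window.
"""
from ipaddress import ip_address, ip_network

# (minutes since first lookup, domain, rrtype, answer, TTL seconds).
# For "NS" rows the answer is the name server's resolved (glue) address.
SNAPSHOTS = [
    (0,  "flux.example",   "A",  "198.51.100.7",   300),
    (0,  "flux.example",   "A",  "203.0.113.42",   300),
    (0,  "flux.example",   "NS", "192.0.2.10",     300),
    (20, "flux.example",   "A",  "198.51.100.88",  300),
    (20, "flux.example",   "A",  "192.0.2.201",    300),
    (20, "flux.example",   "NS", "203.0.113.9",    300),
    (40, "flux.example",   "A",  "203.0.113.130",  300),
    (40, "flux.example",   "A",  "192.0.2.55",     300),
    (40, "flux.example",   "NS", "198.51.100.3",   300),
    (0,  "single.example", "A",  "198.51.100.20",  300),
    (0,  "single.example", "NS", "192.0.2.90",     86400),
    (20, "single.example", "A",  "203.0.113.21",   300),
    (20, "single.example", "NS", "192.0.2.90",     86400),
    (40, "single.example", "A",  "198.51.100.22",  300),
    (40, "single.example", "A",  "203.0.113.23",   300),
    (40, "single.example", "NS", "192.0.2.90",     86400),
    (0,  "stable.example", "A",  "192.0.2.80",     86400),
    (0,  "stable.example", "NS", "192.0.2.81",     86400),
    (40, "stable.example", "A",  "192.0.2.80",     86400),
    (40, "stable.example", "NS", "192.0.2.81",     86400),
]


def summarize(snapshots, domain, window_minutes=60):
    """Per record type: distinct answers, distinct /24 networks they fall
    in (a cheap stand-in for 'different hosting providers'), lowest TTL."""
    seen = {"A": set(), "NS": set()}
    min_ttl = {"A": None, "NS": None}
    for minute, dom, rrtype, answer, ttl in snapshots:
        if dom != domain or minute > window_minutes or rrtype not in seen:
            continue
        seen[rrtype].add(ip_address(answer))      # raises on a malformed answer
        cur = min_ttl[rrtype]
        min_ttl[rrtype] = ttl if cur is None else min(cur, ttl)
    summary = {}
    for rrtype, addrs in seen.items():
        nets = {ip_network(f"{a}/24", strict=False) for a in addrs}
        summary[rrtype] = {"count": len(addrs), "nets": len(nets),
                           "min_ttl": min_ttl[rrtype]}
    return summary


def classify(summary, a_min=4, ns_min=2, ttl_max=3600):
    """Flux = many distinct addresses across several networks with short
    TTLs. Double-flux additionally shows the same pattern for the NS glue."""
    def fluxing(stats, minimum):
        return (stats["count"] >= minimum and stats["nets"] >= 2
                and stats["min_ttl"] is not None and stats["min_ttl"] <= ttl_max)
    a_flux = fluxing(summary["A"], a_min)
    ns_flux = fluxing(summary["NS"], ns_min)
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "stable"


def report(snapshots=SNAPSHOTS):
    """Map every domain seen in the snapshots to its classification."""
    domains = sorted({row[1] for row in snapshots})
    return {d: classify(summarize(snapshots, d)) for d in domains}


if __name__ == "__main__":
    for domain, verdict in report().items():
        print(f"{domain:16} {verdict}")
```

A real deployment would replace the /24 heuristic with an ASN lookup and feed the loop from an actual resolver log, but the shape of the test is the same: the stable control never trips, address churn alone gives single-flux, and churn in both the A records and the name-server glue gives double-flux.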

Computerworld - Storm Worm Christmas
Computerworld - Storm New Year
ISC Sans - Anticipated Storm

RBN – $$$ - the retail payment systems

Extending our analysis of the Russian Business Network (RBN), this is the first in a series on RBN payment systems.

This article focuses on just one of the several payment systems for the RBN’s “fakes” retail division, isoftpay.com. It has been reported before, namely by the Sunbelt Blog (see links on footer) on Oct 3rd 06 in its report on the rogue software, and more recently by 2-spyware on Dec 10th 07.

Exploring this node of the RBN’s organization raises several areas of interest: the location(s) of its internet operation, its SSL certificate, and its transactional base. Briefly, by way of an introduction to later, more in-depth analysis of malware revenue models, analysis of isoftpay alone provides a starting point for some generalized assumptions about RBN retail revenue. Therefore, drawing on earlier articles here on fakes and on current analysis:

(a) Isoftpay serves as the payment point for such fakes as Bravesentry, among others.

(b) secure.isoftpay.com received 187,750 direct unique visitors from the US over the last 30 days (mid Nov – mid Dec).

(c) This suggests that approximately 25% of the unique visitors to those rogue software web sites go on to the payment site, as directed by the exploits downloaded with the “free” trial of the fake anti-spyware.

(d) On the reasonable assumption that a high proportion, say 75%, of those directly visiting the secure payment area after downloading the exploit go on to make the purchase, this would give gross revenue of roughly $4 million per month from US visitors alone.

(e) As US visitors represent 17–40% of the worldwide audience for such sites, one can assume gross revenue in the region of $10 million per month, or $120 million per annum.

A significant component is the SSL (Secure Sockets Layer) certificate; the figure below shows the current certificate for Isoftpay.

The certificate appears legitimate; unfortunately we have not yet ascertained from Equifax or Geotrust whether it is a forgery, and if it is not, they should be able to tell us who the purchaser was.

Also of interest are the payment transactions: the site takes Visa and MasterCard, and further enquiries are outstanding as to whom the collected revenues are paid.

Finally, several victims have contacted the authors of this blog, and any transaction with this site is fraudulent. No doubt Equifax, Geotrust, Visa and MasterCard will act swiftly to prevent further fraudulent transactions and ensure victims at least get their payments back?

As for the RBN’s nodes of operation, Sunbelt originally noted that in Oct 06 the IP address was in AS27595 ATRIVO. The figure below shows the current (Dec 19th 07) locations compared with those on Oct 28th 07; the only actual difference is the addition of a name server (ns3.isoftpay.com) served from AS4837 CNC Group China. The other servers are some of the RBN’s usual suspects: AS9930 TTnet Malaysia, AS4657 StarHub Singapore, and it goes without saying AS27595 Atrivo AKA Intercage, Inhoster, etc.

Below are two figures showing IP and AS maps of the Isoftpay and related domains.

References: Sunbelt 10/06 - 2-Spyware.com 21/07

RBN – The Russian Business Network, Now and Then

This blog, which observes the Russian Business Network (RBN), is pleased to introduce readers to a highly informative 70-page study of the RBN by David Bizeul, which you can download as a PDF in English (see links on article footer).

Figure 1 – RBN Offices
12 Levashovskiy Prospect, 197110 Saint-Petersburg, Russia

The study provides extensive information and analysis on the background of the RBN, from its probable physical locations (see Figure 1 for the RBN offices) to Russian cybercrime more broadly. One of the study’s conclusions is very telling; this blog wholeheartedly agrees with it and would also add international law enforcement to the list:

“There are some countermeasures available but none makes sense for the home user or even companies. Only ISPs, IXPs and Internet regulators can help in mitigating the risks originating from RBN and other malicious groups.”

As with most investigations of the RBN, including this blog, we are confined to retrospective analysis; however, David’s RBN study is very important, as it provides a definitive image of the RBN just before it reorganized. This is crucial for the authors of this blog and other researchers, as it provides a comparative baseline for current analysis of RBN activity. For example, in a very early article on this blog we described the Internet serving locations of a number of exploit and Rock Phish landing web sites. Figure 2 (click to enlarge) shows the previous and current servers for these domains.

Interestingly, AS36420 for the IP address resolves to Everyones-Internet3; to show the connection, this is the same route as shown on Castlecops for the Lloyds TSB Rock Phish (banking ID phishing).

The name servers shown for all of the domains in Figure 2 are our good friends, AS27595, i.e. Atrivo, Intercage, Inhoster, Estdomains. Of even more interest, the same name server also hosts the following “fakes”:

e.g. antispygolden.com, hitvirus.com, malwareburn.com, procodec.com, videohook.com, virusheal.com

These are purely a sample for this server; Figures 3 and 4 below show sample IP mappings.

We hope this provides further examples of the RBN’s current well-being. We are also pleased to announce that, in collaboration with David Bizeul, we will provide an update to this RBN study within the next few weeks.

Figure 3 – Name Server Map example

Figure 4 – IP Map example

References and downloads:

David Bizeul - RBN Study here or here - Castlecops Rock Phish - Original RBN IP blog article