RBN - McColo R.I.P.

RBN (Russian Business Network) in the USA takes another hit, and another victory in the war against Internet badness.

‘Alas poor McColo I knew them well’ - so does anyone on the planet who receives email / spam.

McColo was host to the world’s major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography.

The study published by HostExploit.com was based on tracking and documenting the ongoing cyber criminal activity of McColo and others. Get the report here. HostExploit Report

As a result of the first HostExploit Cyber Crime USA report which focused on Atrivo / Intercage and subsequent community actions, there was a quantitative drop of 10% of spam and malware worldwide. While temporary, it does clearly demonstrate that with a concerted and consistent effort by concerned commercial Internet network operators, a safer Internet can ensue.

Following Hurricane Electric's awareness of the report's content, at approximately 4:30pm EST 11/11/08 Hurricane Electric pulled the plug. Just to check on this see the chart from SpamCop below. Yes a huge drop in spam as just one example!

Of course not over yet -

fraudcrew.com on IP = 193.64-62-171.reverse.mccolo.com =
net =
AS6939 HURRICANE Electric. Our favorite ‘CoolWebSearch hijackers’ are still online.

Also as we see on the CIDR report AS26780 MCCOLO - McColo Corporation is still peered by AS3549 GBLX Global Crossing Ltd.

However, we can assume Hurricane Electric will get around to this net block and GBLX is also acting in unison.

Again this is an excellent example of a growing community effort, involving a wide cross section of anti-spammers, malware and botnet researchers, journalists, and Internet network operators. When considering the ongoing war for the heart and soul of the Internet; “Not the end not the beginning of the end, but the end of the beginning”?

RBN - Farewell to EstDomains

In the wake of the demise of Atrivo we now see the demise of EstDomains by an emboldened ICANN.

Many have shown Estdomains et. al., as a source of domain registration badness and used by cyber criminals for many years. As recently described within the HostExploit.com report “Atrivo - Cyber Crime USA” Sunbelt Software , Spamhaus, to name a few, and followed up by The Washington Post by Brian Krebs “A Superlative Scam and Spam Site Registrar”

Ironically EstDomains has been trying to fight back with press releases such as “EstDomains, Inc Takes Next Step in Combating Spam and Malware” with them stating; “Once again EstDomains, Inc would like to address the interactive community and ask for co-operation to make the Internet clear and safe.”

However, even more relevant to the demise of EstDomains was the later Brian Krebs post “A Sordid History and a Storied CEO” relating to the EstDomains CEO Vladimir Tsastsin

As of today ICANN has issued a formal and we assume irrevocable, notice of termination – see fig 2 below:

The formal letter of termination is available for download from ICANN <here> is based on court records from Estonia.

Of course what will be interesting is what happens to the approximately 281,000 domain names under EstDomains’ management. All registrations sponsored by EstDomains will be transferred to an ICANN-Accredited Registrar in accordance with ICANN’s “De-accredited Registrar Transition Procedure”. ICANN goes on to say “It is ICANN's goal to protect registrants’ from unnecessary harm and we look forward to amicably resolving any domain name transition issues that may arise from this termination.”

Hopefully this does demonstrate an emboldened ICANN which has recently become besieged on security issues, is listening to the community. Perhaps we could persuade ICANN to allow the Internet security community to provide solid advice which of these domains is abusive before any transfer is made?

RBN - Russian Cyberwar on Georgia: Report

"In August 2008, cyberwar associated with the Russian Federation struck once more, this time against Georgia. The DDoS attacks began in the weeks running up to the outbreak of the Russian invasion and continued after the Kremlin announced that it had ceased hostilities on August 12th."

This excerpt is from the 29 page report available for download from HostExploit.com or georgiaupdate.gov.ge this is probably the most thorough analysis available on the cyberwarfare related to Georgia.

Concerning RBN (Russian Business Network)

"The individual, with direct responsibility for carrying out the cyber "first strike" on Georgia, is a RBN operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrey Smirnov. These
men are leaders of RBN sections and are not "script-kiddies" or "hacktivists," as some have maintained of the cyber attacks on Georgia – but senior operatives in positions of responsibility with vast background knowledge.

Intelligence can suggest further information about these individual cyber-terrorists. According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network It should be noted that the pre-invasion attacks emanated from, clearly showing professional planning and not merely ‘hacktivism.’ Due to the degree of professionalism and the required massive costs to run such operations, a state-sponsor is suspected. Further information gathered also links the RBN to known disruptive websites.

• The IP addresses of the range, are assigned to Sistemnet Telecom to provide services to companies who are classified as engaging in illicit activities such as credit card fraud, malware and so on.

• Sistemnet Telecom and AS9121 TTNet (Turkey) are associated with AbdAllah_Internet which is linked with cybercrime hosting such as thecanadianmeds.com. These are known Russian Business Network routes. "

The puzzle of StopGeorgia.ru = follow the rabbit?

To add to the report, and shed light on the ongoing puzzle of the attack site StopGeorgia.ru (click on diagrams to enlarge):

Figure 1 - The IP route diagram route for StopGeorgia.ru (note: steadyhoster.com)

Figure 2. - The IP route diagram for SteadyHoster.com (note: for both fig1 /2

Protect Details, Inc - (privatecontact@protectdetails.com)
29 Kompozitorov st. Saint Petersburg, 194358 RU

Figure 3. - Welcome to London GB, the IP route diagram for InnovativeITsolutions.com - actual home of 'StopGeorgia.ru' - AKA; dnska.com reseller for AS36351 SOFTLAYER Technologies

Innovation IT Solutions Corp.

Andrey Nesterenko(admin@mirhosting.com)

95 Wilton Road,

London,SW1V 1BZ,GB

RBN: Atrivo Goes Dark

Not the end, not the beginning of the end, but perhaps the end of the beginning.

As from today the Internet is a little safer, as Atrivo goes dark.

It is pleasing to report the last remaining peer routing Atrivo (AS 27595 Atrivo/ Intercage), ‘Pacific Internet Exchange’ (PIE) see Spamhaus ref below, was withdrawn at 2:35am EST Sunday Sept 21st 2008.

This is an excellent example of community effort involving a wide cross section of anti-spammers, malware and botnet researchers, journalists, and Internet network operators.

Although this is good news we should not relax too much, some of the bad stuff has migrated elsewhere, similar to the self re-distribution of AS40989 RBN Network last year. However, we look forward to the forthcoming ‘Atrivo – Cyber Crime USA’ report version 2.0 from HostExploit which may cast some light on this re-distribution and other bad actors.

Magnanimous in victory we should give the last word to the vanquished as Emil Kacperski long time spokesman and apologist for Atrivo / Intercage said,

“I just put my fate into companies I shouldn't have.”

For the record the CIDR report - RIP


Spamhaus - PIE - Lasso

Atrivo: Cyber Crime USA Report - Hostexploit.com

Cidr Report - Atrivo / Intercage

RBN - Atrivo: Cyber Crime USA

In a new study entitled "Atrivo - Cyber Crime USA", the authors have extensively tracked and documented ongoing cyber criminal activity from within the Internet servers controlled by the California-based Atrivo, and other associated entities. Atrivo is one of the Internet's Autonomous Systems and controls a large number of IP addresses, which web sites must use to reach consumers.

Produced by cyber crime researcher Jart Armin, in association with Matt Jonkman and James McQuaid, the first of its kind Open Source Security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which has been seen by many over several years as a main conduit for financial scams, identity theft, spam and malware. This study although fully self contained is the first of a series of reports, on a monthly basis there will be a follow up to report on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users, and hopefully efforts to stop them.

In addition to original quantitative research conducted by Armin, Jonkman and McQuaid, the study draws upon the findings of other research efforts, including StopBadware, EmergingThreats, Knujon, Sunbelt, CastleCops, Spamhaus, and many others. What emerges is a picture of a front for ruthless cyber criminals, who have specifically targeted consumers in the United States and elsewhere. The study provides hard data regarding specific current activity within Atrivo, explains how consumers are targeted, describes Atrivo's virtual network structure, organizational modeling, and cites Atrivo's collusive failure to r
espond to abuse complaints from 2004 to the present. The study includes three dimensional charts, diagrams, and a YouTube video which make it easy to grasp the statistics or processes discussed.

Document available for download from hostexploit.com

Video of the Exploitation of a PC User - YouTube

RBN - Georgia Cyberwarfare – Attribution & Spam Botnets

Further attribution highlighting specific RBN (Russian Business Network) leadership and RBN directed spam botnet observations.

Specific RBN Attribution

The individuals with direct responsibility for carrying out the cyber "first strike" on Georgia is a RBN (Russian Business Network) operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrew Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists" (as some have maintained of the cyber attacks on Georgia).

Mr. Boykov has been engaged in criminal activity for some time. He best known for distributing the malware VirusIsolator (which downloads trojans to take control of the victims computer). He has been directly involved in financial crime, and operated scam sites including: Harbor Lending, Oakwood Lending, and Capital Lending. Mr Boykov is also a purveyor of porn spam.

Mr. Smirnov is known for operating a number a scam sites including canadian-pharmacy-support and canadiandiscountmeds. Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine. The Ukrainian authorities should note that he often travels between Russia and the Ukraine.

According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network It should be noted that the pre-invasion attacks emanated from Presently, there is a large-scale spam campaign underway purporting to be from the BBC which accuses the President of Georgia of being gay. When an individual clicks on the link in the email, a virus is downloaded from (Sistemnet Telecom - AS9121 TTNet (Turkey) associated with AbdAllah_Internet) Spamhaus issued a warning regarding on July 29th in SBL66533.

Further investigation of Mr. Boykov and Mr. Smirnov are likely to implicate the Russian authorities in the cyber first strike.

Contribution - James McQuaid

Fig 1 - Sistemnet Telecom - AS9121 TTNet (Turkey) associated with AbdAllah_Internet (click to enlarge)

Further spam botnet analysis - Knujon

They are part of a botnet that came into existence in 2008. The vast majority show up in Mar/Apr 2008, but some have been sending spam since 2006 - Web Media Services - Russian Federation
nslookup = mx1.privatehost.nl
79 hits from April 2008 and 4 from Mar 2008. - Czech Republic nslookup = 34.224.broadband4.iol.cz
5 hits spread over Feb, Mar and Apr 2008. = mailrouter2.austincc.edu
107 in Mar/Apr 2008, 1 in Jan 08 and 1 in 2006 = mail5.hostweb.com.mx
1 in Jul 2007 = mx2.seidata.com
90 in Mar/Apr 2008, 1 in Oct 2007 = dns2.tea-cegos.es
104 in Mar/Apr 2008 = mx2.teuto.net
209 total. 159 in Mar/Apr, 2 Jan, 6 Feb 2008. 39(2007) 3(2006) = adoptolder.org
8 Mar/Apr 2008 = mx2.bt.net
100 Mar/Apr, 1 Jan 2008,65 2007) 9 (2006)

Mar/Apr 2008 period

mail7.jetblue.com 106
autoliike.com 3
smtp.cablebahamas.net 151
mx4.mardelhosting.net 1
mx1.privatehost.nl 83
34.224.broadband4.iol.cz 5
un-158-235.domainunused.net 31
pool-96-234-41-61.nwrknj.fios.verizon.net 8
123-193-82-34.dynamic.kbronet.com.tw 7
mbox.edmaster.it 90
smtp3.willamette.edu 77
argo.regione.toscana.it 92
msgsrv1.itellium.net 177

Again special thanks to the many community contributions and messages of support of the RBN blog, in our efforts to expose cyber crime and the Russian Business Network. We welcome ongoing observations, send to RBNexploit gmail.com


RBN info from James McQuaid his blog here

Spam Botnet analysis Dr. Bob Bruen of Knujon.com.

RBN –Georgia Cyberwarfare – Continuation..

On Friday August 15th and over the weekend another dimension has emerged on tracking RBN (Russian Business Network) server ranges. This concerns a new spam campaign which mocks Georgia's President, purporting to come from the BBC and spreads a new virus. This is very well described by UAB (University of Alabama) Spam Data Mine and on Gary Warner’s blog (see refs below).

The spam loads malware from various locations which in turn actually causes the virus to be delivered from a single location; the IP address: The name of the malware is "name.avi.exe", and at the moment, only FOUR out of 36 anti-virus products detect it.
Why RBN or rather as in the title of this blog ‘RBN and Related Enterprises’? We have commented on before within the blog (see ref below) - Sistemnet Telecom - AS9121 TTNet (Turkey) associated with AbdAllah_Internet - cybercrime hosting - thecanadianmeds.com etc., see Spamhaus’ many Rokso listings (refs below)

This provides a further element associated with Georgia and Mikheil Saakashvili with an ongoing attempt of character assassination. Similar to the linking of the President to Nazi images, as Lenta.ru displayed with one of this blog’s images.

RBN or Cyberwar or not? - Nomenclature

Given this opportunity there has been a great deal of discussion within the community, after the event, as to RBN (Russian Business Network) or not RBN, Cyberwar or Hacktivists, Russian or not………..

Without denigrating this important topic but “What walks like a duck, sounds like a duck, looks like a duck = maybe it’s a ______? (Fill in the blank)”

The cyber attacks against Georgia which first originated from IP space in TTnet Turkish Telekom (as this latest spam incident) were known RBN, and the subsequent server actions, botnet methodology, and tools used were also known RBN: there is no question about the facts, and there is no compelling reason to doubt the implications.

From a popular idiom the movie “The Usual Suspects” used the phrase regarding the arch criminal Keyser Soze – “The greatest trick the Devil ever pulled was to make us believe he does not exist.” This was and still is the RBN’s greatest skill; to avoid detection, use deception and cause most onlookers to consider other suspects, i.e. in this case hacktivists who are easily labeled unsophisticated, uncontrollable, and should be ignored as simpleton fanatics.

This provides a convenient transition to one sided CYBERWAR against Georgia by Russia. Do we really expect Russia, or for that matter any state aggressor to openly announce what methods of warfare they are using. For example there is no specific information from Russian government sources about Russian army actions still underway within Georgia despite the ceasefire. Nor do they inform us the 22nd Guards ObrSpN ‘Spetsnaz’ of Rostov Oblast, may have been operating within Abkhazia, and South Ossetia, dressed in the uniforms of the local militia since mid July 2008, if such an action was the case. Why would we expect them to announce CYBERWAR techniques also being used?

Two good sources of information may assist making a reasonable judgment:

Firstly the political, as Russian State Duma and member of the Security Committee Deputy Nikolai Kuryanovich stated in 2006 within a formal Russian parliamentary letter of appreciation to hackers who had taken down several Israeli web sites:

"In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces." – Prediction or intent?

For the strategic a few days ago;
“Cyber-attacks are part of the information war, making your enemy shut up is a potent weapon of modern warfare.” As mentioned by Alexander Denezhkin, editor of the Russian journal - Cybersecurity.ru

Finally a reasonable conclusion associated with the nomenclature is to consider the absurdity of treating the cyber criminal and national cyber security problems as a separate matter. Consider if any country had such a successful and existing Internet ‘black ops’ entity as the RBN within its borders, is it not logical that it would utilize or capitalize on such skills?

Perhaps what many find unpalatable is the example from the history of the 20th century where there were similar apologists and we ignored developments in strategy and warfare such as the Blitzkrieg, at a huge later cost. This could be an early example of Russia’s hegemony or controlling its neighbors via an emerging “Cyber Iron Curtain”

Jart Armin - RBNexploit.com


UAB Spam Data Mine

UAB Blog

CanadianMeds - Sistemnet - TTnet

Spamhaus (a)

Spamhaus (b)

RBN - Georgia Cyberwarfare – Status and Attribution

The ongoing cyber siege of Georgia by Russian Internet servers is starting to show signs of weakness or rather weaknesses are being exploited.

Just as in “The Great Escape” there are always methods to bypass even the most sophisticated virtual fences.

Fortunately long term study of RBN (Russian Business Network) or Russia’s “FSB Cyber Warriors” techniques assist. Conventionally they are normally adept at trying to hide their true origins. For such a siege on the scale of this one they are openly showing more of their routing than they would like to, which will assist us now and in the future. In this case it helped pin point some obviously forged web sites, which are now offline, and assist in rerouting. Good lessons for future cyber wars.

To our many readers on ‘Lenta.Ru’ we would like to stress we are not anti-Russian. We have Russian based supporters and contributors. However we are anti; cyber criminal, hackers, and cyber war, hopefully Russia will realize this simply restricts all Internet users , including themselves, from the freedom of speech.

There was rightful indignation as the cyber war has extended to where the Russian news agency ‘RIA Novosti ‘was offline by DDos attack for 10 hours over Sunday night and Monday morning.

Georgia – Web Status

Russian based servers AS12389 ROSTELECOM, AS8342 RTCOMM, AS8359 COMSTAR and with the more recent addition of AS8631 Routing Arbiter for Moscow Internet Exchange, are still in a commanding position. AS9121 TTNet of Turkey still remains routed through the Russian servers, not directly to Georgia. But alternative links have been made to AS35805 UTG AS United Telecom of Georgia and other servers based in Georgia.

Due to this (at this time) the Georgian Foreign Ministry mfa.gov.ge is back online consistently and president.gov.ge is also now online and showing recent announcements. To demonstrate international solidarity, the web site of the President of Poland was also carrying Georgian state communications as a courtesy.

One interesting aspect has been president.gov.ge using a US based name server, which was also offline due to DDos from Thursday and until Monday pm. This could be considered a transgression by the FSB cyber warriors / Russian forces on US soil?

Note: we still show CyberDefcon = level 5

Georgia – Cyberwar Attribution

There has been a great speculation and discussion with regard to attribution. We do not in normal circumstances reveal this level of detail but due to the serious nature of this situation; (click on the diagram below to enlarge)

This is ‘stopgeorgia.ru’ which is also utilizing ‘stopgeorgia.info’ as a redirect; the web site itself provides DDos attack tools for download and as the screen grab shows the mostly .ge web sites as priority for attack. Note; also targeted for attack is the US embassy in Tbilisi.

This web site, as seen before is an open site to attract future FSB cyber warriors. How this is hosted and the domain registration provides more clues:

Stopgeorgia.ru – Hosted by AS36351 Softlayer of Plano Texas, well known as associated with Atrivo / Intercage malware hosting connectivity.

Stopgeorgia.info - Hosted by AS28753 NETDIRECT Frankfurt, DE / AS12578 APOLLO LATTELEKOM APOLLO Latvia.

Sponsoring Registrar: EstDomains, Inc.

Registrant: Domain Manager, Protect Details, Inc, Street1: 29 Kompozitorov St., Saint Petersburg, RU, Phone:+7.8129342271

Hopefully most Internet security observers will recognize the ‘usual suspects’ above?

Special thanks to Richard Stiennon and Cyrus Farivar

RBN – Georgia CyberWarfare - Russian Ground Forces Invade Georgia

Russian Ground Forces Invade Georgia

FOR IMMEDIATE RELEASE Monday, August 11 - 20:20 Tbilisi, Georgia

** UPDATE **
URGENT: Russian Ground Forces Invade Georgia, Georgian Army Retreats to Defend Capital; Government Appeals for Urgent International Intervention

At this hour, the invading army of the Russian Federation has entered Georgian territory outside the conflict zones of Abkhazia and South Ossetia. The Georgian army is retreating to defend the capital. The Government is urgently seeking international intervention to prevent the fall of Georgia and the further loss of life.

"We no longer know the limits of the invading Russian army—Russia seems intent on overthrowing the democratically elected government of Georgia and occupying the country," said Alexander Lomaia, the Secretary of the National Security Council. "As a consequence, the National Security Council has just decided to bring the Georgian army to Tbilisi in order to defend the capital and prevent the fall of Georgia."

European political leaders, including Swedish Foreign Minister Carl Bildt, are in Tbilisi meeting now with the President of Georgia to seek a way to stop the Russian onslaught.

The Government of Georgia announced a unilateral cease fire on Sunday morning, withdrew its forces from South Ossetia, and sued for peace. Despite the ceasefire and withdrawal—and in defiance of outraged international criticism of its invasion of Georgia—Russia is continuing its fierce offensive that has left hundreds of civilians dead and thousands injured.

RBN – Georgia CyberWarfare – Conference Call

Media Alert - President Saakashvili To Brief Reporters Via Teleconference

Mikheil Saakashvili, President of Georgia, to Brief International Media on Latest Developments in Georgia

Monday, August 11, 11:00 CET (13:00 TBS, 10:00 UK Time, 05:00 ET)

Tbilisi, Georgia - Mikheil Saakashvili, President of Georgia, will be giving a briefing for international media via teleconference on Monday, August 11, at 11:00 CET (13:00 TBS, 10:00 UK Time, 05:00 ET).

WHEN: The call will take place on Monday, August 11, at 13:00 Tbilisi Time (11:00 Central European Time, 10:00 UK Time, 05:00 Eastern Standard Time); the call will run for approximately 30 minutes.


  • To join the call, dial +1.706.679.3044 (internationally) or 877.810.6130 (in the USA)

  • Provide the operator with this conference ID: 59983245

  • While it is not required in order to join the call, please send your name, affiliation, and email address to GeorgiaNSC@gmail.com if you would like to receive any updated information prior to the call.

HOW TO ASK QUESTIONS: Questions to NSC Secretary Lomaia can be posed live during the call; also, they can be sent via email before or after the conference call to: GeorgiaNSC@gmail.com.

FURTHER INFORMATION & INTERVIEWS: For further information, please send an email to GeorgiaNSC@gmail.com.

RBN – Georgia CyberWarfare – Info Update - Sun Aug 10 - 19 00 GMT – 15 00 East Coast

As requested we relay important information from The Ministry of Foreign Affairs of Georgia.

We also provide an important reminder to use caution with any web sites that appear of a Georgia official source but are without any recent news i.e. Sat / Sun, Aug 9/10, as these may be fraudulent. For example check georgiamfa.blogspot.com this is now providing reliable and most recent statements.

Sunday, August 10 . 20:30 Tbilisi, Georgia - Ministry of Foreign Affairs of Georgia

Russian Fighter Jets Bomb Tbilisi's Civilian Airport

The Government of Georgia confirms that at 19:00 local time, Russian aircraft bombed the civilian airport in Tbilisi. There is no military activity of any kind at the airport.

The attack occurred several hours after Georgia offered a formal ceasefire to Russia, via Russia's Ambassador to Georgia, and declared Georgia's readiness to immediately start negotiations with the Russian Federation on the termination of hostilities.

The Secretary of Georgia's National Security Commission, Alexander Lomaia released the following statement:

"The attack on Tbilisi Airport offers further evidence that Russia's invasion of Georgia is not about Abkhazia and South Ossetia. The goal of the Russian Federation-which today also blockaded our Black Sea ports and is relentlessly bombing civilian sites throughout the country-is to overthrow the democratically elected government of this small European nation."

The following graphics (please click to enlarge) released today show the extent of the Russian attack on Georgia

Source: Ministry of Foreign Affairs of Georgia - georgiamfa.blogspot.com

RBN - Georgia CyberWarfare – 2 – Sat 16 00 East Coast, 20 00 GMT

Firstly welcome to the many blog readers from “forum.ge”. Allow us to explain what is going on.

You can see and read us, we cannot get to you . Out bound email is also a possible problem so email rbnexploit@gmail.com (if and when you can) to get messages out and we will relay them to their destination.

To explain to everyone else this is a full cyber siege of Georgia’s cyber space:

As an update; within the community, our friends in Germany had managed to pierce the siege and gain a direct routing to Georgia via AS3320 DTAG Deutsche Telekom for a few hours. this afternoon. For the time being AS8359 COMSTAR Direct Moscow region network CJSC COMSTAR Direct Smolenskaya Sennaya Sq, 27 block 2 119121 Moscow, Russia, have intercepted this and are redirecting this route of cyber traffic via their servers. The good news is other German servers are now also attempting to access Georgia servers directly.

We are receiving further offers to help reroute traffic which is underway in an attempt to lift the siege. Further offers are welcome.

For those of a technical nature we show the latest server routing map (see diagram below) which clearly shows the Russian based servers AS12389 ROSTELECOM, AS8342 RTCOMM, and AS8359 COMSTAR, controlling all traffic to Georgia’s key servers. For example here AS28751 CAUCASUS NET AS Caucasus Network Tbilisi, Georgia & AS20771 DeltaNet Autonomous System DeltaNet ltd 0179 Tbilisi Georgia

Even the Turkish (often RBN controlled) server AS9121 TTNet is now being blocked via COMSTAR, we understand via colleagues in Istanbul, the Turkish authorities are trying to regain control of these servers and provide direct routing to Georgia.

At this time all Georgia government web sites are unobtainable from US, UK, FR, and DE cyber space, as examples. All blog colleagues elsewhere please contact us if you are able to gain direct web access inbound.

We also relay, as requested, the warning not to depend on any web sites that 'appear' of a Georgia official source, but are without any recent statements i.e. Friday / Saturday Aug 8/9, as these are likely to be fraudulent.

Click on the diagram to enlarge:

RBN - Georgia CyberWarfare

RBN (Russian Business Network) now nationalized, invades Georgia Cyber Space

Sat – 2008 08 09 5:00 EST
(click on figs for larger size)

As requested by community relay, the following is a report on the cyber war underway in parallel with conventional warfare. Many of Georgia’s internet servers were under external control from late Thursday, Russia’s invasion of Georgia commenced on Friday. It is further requested of any blog reader the information below is further relayed to the International Press and Community to ensure awareness of this situation. Also as much of Georgia’s cyberspace is now under unauthorized external control the following official press statement is circulated without modification. Report on the cyberwar below:

Official Press Statement from the Government of Georgia

Georgia seeks peaceful resolution to the conflict in South Ossetia Georgian troops mobilize to protect civilian population from rebel attacks TBILISI – Sat 09 August 2008 –

The Government of Georgia has sought to defuse the tense and violent situation in the South Ossetia region yesterday by declaring a unilateral ceasefire and appealing to the leadership of the separatist rebels to begin talks with the State Minister for Reintegration Temuri Yakobashvili. Despite calls for peace, separatist rebels continued to attack Georgian police posts and the civilian population.

Initially government forces did not return fire. However, at 8:30pm the village of Avnevi came under fire from separatists and the village was almost completely destroyed. The government-controlled village of Prisi also came under attack by separatists, which left several people wounded.

In response to separatist attacks on government-controlled villages, Georgian Armed Forces occupied several villages in South Ossetia early this morning. At around 5:30am, Russian Federation forces began moving into the conflict zone through the Roki tunnel, which connects Russia and Georgia and has been an entry point for the illegal transfer and sale of arms to separatist rebels. Two additional Russian units entered into Georgia through the Roki tunnel around 8:00am. The first Russian unit that entered Georgia through the Roki tunnel was killed as they attempted to cross the Gufta Bridge, which was also destroyed in the operation conducted by the government’s air command.

The Russian air force has also been conducting military operations in Georgia. Military fighter planes dropped bombs in four towns. The Russian air force also bombed the villages of Variani, injuring seven civilians, and dropped three bombs on Gori. The OSCE has confirmed the Gori operation was conducted by the Russian air force. So far several people have been killed and wounded, including innocent civilians.

In an effort to protect the civilian population, the President of Georgia Mikhail Saakashvili declared a unilateral ceasefire to be in effective between 3:00pm – 6:00pm Friday. During this time, the civilian population and the separatists were invited to cross the line of control. The government has also provided humanitarian assistance and full amnesty for those separatists that choose to surrender. As of 2:30pm, Georgian forces controlled 100% of Tskhinvali with just a few small groups still resisting government presence.
Despite the ceasefire, Russia continued to take aggressive military action within Georgian territory.

At 4:30pm and 5:35pm, Russian military aircraft bombed a Georgian military base in Marneuli three times, in the southern part of the country about 30 kilometres from Tbilisi, resulting in the destruction of grounded Georgian military equipment, severe damage to a number of buildings, and several causalities.

Russian military aircraft also entered Georgian airspace at 3:05pm and dropped two bombs on the Georgian military airbase in Vaziani, just on the outskirts of the capital.

For confirmation and current status of the cyberwar:

Example - Nameservers for www.itdc.ge Georgia’s web development enterprise are continuously showing :
* ns1.garse.net returned (SERVFAIL) * ns2.garse.net returned (SERVFAIL)

Two traceroutes to web site mfa.gov.ge - Georgia Foreign Affairs - show:

(a) From US - Ge = Blocked via TTnet Turkey

(b) From Ukraine - Ge = available & slow; note; cached (forged page),now only via redirect through Bryansk Ru

Other Georgia government websites e.g. mod.gov.ge (Ministry of Defense) - president.gov.ge show:

(c) From US - Ge = Blocked via TTnet Turkey

(d) From Ukraine - Ge = Blocked via TTnet Turkey

Internally - several Georgia based servers now only under external routing control e.g. AS28751 CAUCASUS NET AS Caucasus Network Tbilisi, Georgia & AS20771 DeltaNet Autonomous System DeltaNet ltd 0179 Tbilisi Georgia

Now only available via AS12389 ROSTELECOM AS JSC Rostelecom (Ru) and AS8342 RTCOMM AS RTComm RU Autonomous System (Ru) - servers - Georgia traffic through Deltanet being redirected via TTnet

It should be noted servers; AS8342 RTCOMM (Ru), AS12389 ROSTELECOM (Ru), AS9121 TTNet Autonomous System Turk Telekom (Tk) are well known to be under the control of RBN and influenced by the Russian Government. All efforts are being made to regain server control, and International assistance is requested to provide added Internet routing via neutral cyber space.

RBN - Partners Official Sponsors of ICANN?

Russian Business Network (RBN); what if they were out to own the Internet by owning the DNS? The Internet totally relies on DNS (Domain Name System) so obviously this must be the stuff that Hollywood movies are made of, but this nightmare scenario is more real than any of us would like to believe.

This article draws a few of the ingredients together, it is important to stress this is not to discredit ICANN, but to show just how RBN and their associates are applying themselves to the weakness of DNS allocation and exploiting ICANN’s vulnerability via influence, commercial sponsorship and registrar development.

  • Firstly, RBN’s normal chaos creation, shown within the important and recent security research paper “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority” by David Dagon, Niels Provos, et. al.; “291,528 hosts on the Internet performing either incorrect or malicious DNS service. With DNS resolution behavior so trivially changed, numerous malware instances in the wild, we urge the security community to consider the corruption of the (DNS) resolution path as an important problem.” [ref 1]
  • Connect this to the newer RBN technique to now ‘auto-generate’ 1,000’s of new malware and rogue domain registrations via duped or controlled registrars, e.g. Tucows (Ca), EstDomains, and shielded by PrivacyProtect - which now can outrun most security bloggers, security companies, black listing or rogue domain listings. [ref 2]

So, who runs or has the responsibility for DNS and keeping it safe? - ICANN (Internet Corporation for Assigned Names and Numbers) mostly self elected and privately operated as ICANNwatch.org describes “avoiding governmental accountability mechanisms, but ICANN also lacks much of the accountability normally found in corporations and in nonprofits.” [ref 3]

The facts – who?

LogicBoxes and Skenzo host a "Taj Mahal Sojourn" for guests at the 31st ICANN Meet in Delhi, India - “The elite list of attendees included the likes of Enom and Tucows head honchos, Paul Stahura and Eliott Noss respectively. Trey Harvin - CEO dotMobi, Jonathan Nevett - Network Solutions, Alexa Raad CEO PIR, Tim Cole - Chief Registrar Liaison at ICANN, Craig Schwartz - Chief gTLD Registry Liaison at ICANN, Tina Dam - Director, IDN Program ICANN, Dave Wodelet, Wendy Seltzer, Thomas Narten – ICANN Board members” [ref 4]

Directi, LogicBoxes and Skenzo - controls / manages / owns ‘PrivacyProtect’ – a domain privacy service which shields cybercrime, and does so by design. It currently shields 759,172 domains. [fig 2]

“LogicBoxes currently powers the infrastructure and software of over 50 ICANN Accredited Domain Registrars including EST Domains” [ref 5] LogicBoxes online corporate profile – EstDomains, which is associated with Atrivo aka Intercage. It is estimated Estdomains provide Atrivo with 40% to 60% of its revenue.

Directi, LogicBoxes and Skenzo associated with – Everyones Internet (US) and The Planet (US), rack space etc., for opticaljungle / orderbox-dns. Coincidentally both are within the top 10 of hosts in the world with infected web sites = 6,000 . [ref 6]

Bhavin Turakhia - CEO and Chairman of The Directi Group “Directi to continue growing at triple digit growth rates year after year, technical advisor to the local CyberCrime Investigation Cell, Bhavin was also former chairman for the Global ICANN Accredited Registrars Constituency for two consecutive terms. He has been the youngest elected chair for this post in the history of ICANN” - [ref 7] [ref 8]

The facts (just a few notable examples) – what?

Historical Aug 07 - Bank of India iFrame hack - X-TRAFFIC.BIZ – RBN, ICANN Registrar: ESTDOMAINS [ref 9]

Ongoing – RBN retail - Loads.cc - ICANN Registrar = DIRECTI – Registrant = PrivacyProtect.org [ref 10] [ref 11] [ref 12]

Ongoing - RBN retail payment systems isoftpay – Current; ICANN Registrar: ESTDOMAINS Registrant: PrivacyProtect.org [ref 13]

Current - Robotraff: A Hacker's Go-To For Clicks – Brian Krebs Washington Post - robotraff.com; ICANN Registrar = DIRECTI – Registrant = PrivacyProtect.org [ref14]

Newer rogue / fake sample – malwarebell; The filename MALWAREBELL.EXE was first seen on Apr 14 2008 in CANADA, BELGIUM on Apr 15 2008, SPAIN on Apr 23 2008, GERMANY on Apr 23 2008; ICANN Registrar = Estdomains; Registrant = PrivacyProtect.org [ref 15]

Brand New - Mass File Injection Attack from Russia with Zlob - “If you do a Google search for these URLs, you get about 400,000 sites" - The key domain = xprmn4u.info ("HaCKeD By BeLa & BodyguarD" = 90,000 hits on Google); ICANN registrar for = Estdomains; Registrant = PrivacyProtect.org [ref 16]

Fig 2 - PrivacyProtect - map


“But if someone broke — or worse, subverted — the fundamental way in which we find web sites, we wouldn’t trust URLs any more. Own the DNS and you own the Internet.” [ref 17]

The background research and this summary article has been around four months in the making within the community. It should be emphasized there is considerably more ‘who’ and ‘what’ which will be presented in full later.

We feel even the most casual reader will be concerned, as this affects every user of the internet. We as a group want to further stress we are believers of an open and unrestricted internet however, if this trend of a parallel DNS system being developed with an unofficial DNS architecture that will fake all records, this will be a real mess, resulting in a groundswell of Internet users who rightly request governmental action in some form to assume some form of control.

We hope many readers as a minimum many will contact ICANN [ref 18] to at least determine what they are going to do about Estdomains, PrivacyProtect and anonymous domain registrants – right now! This also begs the question of the commercial approach of ICANN apparently supporting unfettered registrar development and who it allows in sponsorship or election. If ICANN does not rapidly clean up its own act to encourage the view that the DNS is safe in their hands, realistically several Internets will evolve, “Good, Bad, and the Ugly”

As for Directi and co., there will undoubtedly be arguments of; we are unaware, not responsible, we only manage, or a very small minority……. From their logged and monitored action we do not believe them. Even so, with their claimed expertise and if they were unaware of the role of EstDomains or PrivacyProtect, thus RBN, then should they be trusted within or in any form of association with ICANN?

Special thanks, to name but a few:
Jim McQuaid, Debbie Rosman, David Bizeul, EmergingThreats.net malwaredomains.com, open source security community, Robtex, CyberDefCon, et.al.


[ref 1] Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority

[ref 2] Top 25 Exploit Hosts

[ref 3] ICANN for Beginners

[ref 4] LogicBoxes and Skenzo host a "Taj Mahal Sojourn" for ICANN

[ref 5] LogicBoxes online corporate profile

[ref 6] The Planet and Everyones Internet

[ref 7] Directi CEO

[ref 8] CyberCell Mumbai India

[ref 9] Bank of India Hack Aug 07

[ref 10] RBN Retail

[ref 11] Loads cc

[ref 12] One-Stop Shopping for Hackers

[ref 13] RBN payment systems

[ref 14] Robotraff – Brian Krebs

[ref 15] Rogue - Malwarebell

[ref 16] Mass File Injection Attack from Russia with Zlob – ISC.sans

[ref 17] Alistair Croll '10 Ways the Internet (As We Know It) Will Die'

[ref 18] Contact ICANN

Coming soon - RBN - Automated Mass Malware Domain Registration