Showing posts with label 76service.

RBN – 365fastcash, Panama, and 1488 RU

As regular readers know, the Russian Business Network (RBN) originally used an extensive virtual base in Panama (Nevacon); we can now report they are back. The new hive centers on AS26426 (Optynex Telecom SA, Calle 53, Piso 18, Panama City, Panama; phone: 210-9900) and the cybercastco.com name servers (special thanks to Jim McQuaid and his Snort expertise).

There are numerous domains, but as a sample this article focuses on two: 365fastcash(dot)com and Jidov(dot)net. It is also pleasing to note that these are already covered by the RBN Snort rules on EmergingThreats.net (bleeding-rbn-BLOCK.rules).

365fastcash has been delivering a truly blended threat: an automated telephone dialing system asks people for the last 4 digits of their social security number. This was flooding switchboards at a well known US charitable organization a few days ago, and was obviously the first of many.



Interestingly, there are two sub-domains, “back1.365fastcash” and “bavk1.365fastcash”, both structured similarly to the earlier reported 76service and 76team. The difference on this occasion is that the likely personal ID data storage is on direct links from the sub-domains to Level3 Communications; box(dot)net, a service that provides the ability to collaborate and share files online. No doubt Level 3 will be able to inform US authorities of the content of these data files and terminate such services. Further IP and SSL details are below.


Jidov(dot)net provides an interesting political twist for the RBN, as this is the safe hosting location for 1488(dot)ru. For those who are not aware, 1488 RU is the supposedly banned, violent, and very well financed Russian Nazi group. The 14 represents the 14-word slogan "We must secure the existence of our people and a future for White children”, and 88 represents the eighth letter of the alphabet twice, HH, standing for Heil Hitler. The question now arises whether this represents the source of the RBN’s political views or just an expensive (formerly) bullet-proof hosting arrangement.

Forum Intro:

(Translated from Russian) Friends, we are glad to inform you that the site 1488.ru is now accessible from the domain zone Jidov.net. Development of the project is in full swing. Thank you for your attention to our resource. Soon we will be able to offer you registration of third-level domains in our domain zones (yournick.1488.ru and yournick.jidov.net). We are also ready to offer you banner placement on the pages of our resource.




Further details: 365fastcash(dot)com - 200.115.173.215; Registrar: KEY-SYSTEMS GMBH; Whois Server: whois.rrpproxy.net; Name Servers: NS1.CYBERCASTCO.COM, NS2.CYBERCASTCO.COM; 06-dec-2007

SSL Information for 200.115.173.215

SSLv2
Yes
Cipher Spec: SSL2_RC4_128_WITH_MD5 [010080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 [060040]
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]
Connection ID: 26ad291530a4cc910e9c066877bda0f0

SSLv3
Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]

TLS 1.0
Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]

JIDOV(dot)NET - 200.115.171.200; Registrar: ESTDOMAINS; Name Servers: NS1.CYBERCASTCO.COM, NS2.CYBERCASTCO.COM; 11-nov-2007

SSL Information for 200.115.171.200

SSLv2
Yes
Cipher Spec: SSL2_RC4_128_WITH_MD5 [010080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 [060040]
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]
Connection ID: 85feb66767c2560349e7409f2b25118f

SSLv3
Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]

TLS 1.0
Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]

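The two SSL listings above are identical, and both show what a defender should be able to triage at a glance: SSLv2 still negotiable, export-grade 40-bit RC4, single DES and MD5-based MACs. The following is an added example, not code from this blog or from any of the scanners it relies on, that parses scan output laid out the way the listings above are (a protocol name, a "Yes"/"No" line, then "Cipher Spec:" lines) and reports the weak protocols and suites. The sample input is constructed by copying the 200.115.173.215 record above into a string; the weakness rules are standard current guidance (SSLv2/SSLv3 obsolete, TLS 1.0/1.1 deprecated by RFC 8996, export, DES, 3DES, RC2, RC4 and MD5 considered weak), not anything the post itself prescribes.

```python
import re

# Constructed sample in the layout of the scan output quoted in the post;
# values copied from the 200.115.173.215 listing above, not a live scan.
SAMPLE_SCAN = """SSLv2
Yes
Cipher Spec: SSL2_RC4_128_WITH_MD5 [010080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 [060040]
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]
Connection ID: 26ad291530a4cc910e9c066877bda0f0
SSLv3
Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]
TLS 1.0
Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]
"""

PROTOCOLS = ("SSLv2", "SSLv3", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")
# "Cipher Spec: NAME (N bit) [hexcode]" -- the "(N bit)" part is optional
CIPHER_RE = re.compile(r"^Cipher Spec:\s+(\S+)(?:\s+\((\d+) bit\))?\s+\[([0-9a-fA-F]+)\]$")


def parse_scan(text):
    """Return {protocol: {"enabled": bool, "ciphers": [(name, bits, code), ...]}}."""
    result = {}
    current = None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line in PROTOCOLS:
            # Protocol header; the next line says whether it was negotiable.
            current = line
            answer = lines[i + 1].lower() if i + 1 < len(lines) else ""
            result[current] = {"enabled": answer == "yes", "ciphers": []}
            i += 2 if answer in ("yes", "no") else 1
            continue
        m = CIPHER_RE.match(line)
        if m and current:
            name, bits, code = m.groups()
            result[current]["ciphers"].append((name, int(bits) if bits else None, code.lower()))
        i += 1  # anything else (e.g. "Connection ID:") is ignored
    return result


def weak_cipher_reasons(name):
    """Reasons a suite is considered weak by current guidance (empty list if none)."""
    reasons = []
    u = name.upper()
    if "EXPORT" in u:
        reasons.append("export-grade (40/56-bit) key")
    if "NULL" in u:
        reasons.append("no encryption or no authentication")
    if "DES_64" in u or ("_DES_" in u and "EDE" not in u and "3DES" not in u):
        reasons.append("single DES (56-bit effective key)")
    if "EDE3" in u or "3DES" in u:
        reasons.append("3DES (64-bit block, SWEET32)")
    if "RC4" in u:
        reasons.append("RC4 stream cipher")
    if "RC2" in u:
        reasons.append("RC2 cipher")
    if "_MD5" in u:
        reasons.append("MD5-based MAC")
    return reasons


def assess(parsed):
    """Turn a parsed scan into a flat list of human-readable findings."""
    findings = []
    for proto, info in parsed.items():
        if not info["enabled"]:
            continue
        if proto in ("SSLv2", "SSLv3"):
            findings.append(f"{proto} enabled: obsolete protocol, disable it")
        elif proto in ("TLS 1.0", "TLS 1.1"):
            findings.append(f"{proto} enabled: deprecated by RFC 8996")
        for name, _bits, code in info["ciphers"]:
            for reason in weak_cipher_reasons(name):
                findings.append(f"{proto} {name} [{code}]: {reason}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_scan(SAMPLE_SCAN)):
        print(finding)
```

Run against the sample it prints sixteen findings: one per obsolete or deprecated protocol, and one per weakness in each SSLv2 suite; the single TLS_DHE_RSA_WITH_AES_256_CBC_SHA suite produces none. Feeding it the 200.115.171.200 listing gives the same result, which is itself a useful signal: two hosts with byte-identical protocol and suite sets behind the same name servers are very likely the same build.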
RBN - The Good, Bad and the Ugly


An interesting story on Wired.com by Ryan Singel is based on email correspondence from a representative claiming to be from the Russian Business Network (RBN). As reported, the RBN's man said that current reporting about the organization “..... is subjective opinion based on guesswork." In keeping with this blog's "quantitative" format, we make an attempt to shed some light on this.



Figure 1 shows a representation of the RBN from the perspective of web infrastructure; it comprises three levels of operation:


1. “Good” & "Bad" - RBN Autonomous System (AS) – backbone internet structure (see Figure 2)

2. “Bad” - RBN Global – core server hosting operations, e.g. RU, UA, BR, DE (Denic.de, crew-gmbh.de), CH (rbnetwork.biz), IT, NL, Panama, UK (Too coin via – Ripe representation – sbttel), Seychelles.

3. “Ugly” - RBN Retail – specific exploits, ID theft, MPack, e.g. iFrameCash, 76Service.


For the purpose of the Wired.com article there needs to be focus on the RBN Autonomous System – Figure 2.




The problem is that the RBN's Autonomous System is integrated within the whole of the Russian, Eastern European, and Eastern Scandinavian internet system. For example, consider the following three:

  • AS41181 RUSTELECOM = AS4589 EASYNET, AS20597 ELTEL (general internet for Russia as a whole)
  • AS34596 CONNECTCOM (ConnectCom Ltd Autonomous System) – included within are AS8426 (CLARANET, ClaraNET UK AS of European ISP), AS20597 (ELTEL, ELTEL net Autonomous System), any AS34596, and AS24919 (CUBIO, Cubio Communications Ltd, Helsinki, Finland)
  • AS39848 DELTASYS (Delta Systems network) – included within are AS20597 (ELTEL, ELTEL net Autonomous System), any AS39848, and AS24919 (CUBIO, Cubio Communications Ltd, Helsinki, Finland)


Although they appear in the RBN Autonomous System, they also sit within other Autonomous Systems. These should be discounted from the RBN "bad" or "ugly" groups.

Therefore, CONNECTCOM’s spokesman to Wired.com is either:

(a) Another innocent caught in the bad and ugly RBN’s maelstrom; they may actually own an RBN, but not the one we know.

(b) An RBN (bad or ugly) stooge trying to misdirect.

As with earlier posts here on the RBN hiding within US hosts, we have to recognize that the RBN does the same in Russia and elsewhere. The requirement is to focus on the RBN "ugly" Retail Division, the specific source of website exploits, ID theft, etc.