
Hosting Ukraine Burnt Out | HostExploit



Hosting UA in Odessa, one of the main data centers and hosting providers in Ukraine, is offline due to a major fire.

Figure 1 Hosting Ua - Fire - courtesy watcher.com.ua

AS41665 HOSTING-AS National Hosting Provider, UA, with 144,384 IP addresses, was #4 on the HostExploit Bad Hosts Report in December 2009 out of 34,000 ASNs (autonomous systems / hosts) compared for serving badness on the Internet. Hosting UA had, however, demonstrated some improvement over the first quarter of 2010; see the forthcoming HostExploit Bad Host Report, March 2010.




Figure 2 Hosting Ua - Fire - courtesy watcher.com.ua



The fire broke out on the second floor of the Business Center “Factory of Business”, St. Dal'nic'ka 46, Odessa, at around 10:00 pm local time on the evening of March 27th 2010 (http://watcher.com.ua). At this time there has not been any official explanation as to the cause of the fire.

Figure 3 - Hosting UA - Offline 032810




Figure 3 shows Hosting UA currently disconnected from the Internet. Of the 5,381 web sites tested on this network over the past 90 days, 291 served content that resulted in malicious software being downloaded and installed.


RBN - McColo R.I.P.

RBN (Russian Business Network) in the USA takes another hit, and another victory in the war against Internet badness.

‘Alas poor McColo I knew them well’ - so does anyone on the planet who receives email / spam.

McColo was host to the world’s major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography.

The study published by HostExploit.com was based on tracking and documenting the ongoing cyber criminal activity of McColo and others. Get the report here: HostExploit Report.


As a result of the first HostExploit Cyber Crime USA report which focused on Atrivo / Intercage and subsequent community actions, there was a quantitative drop of 10% of spam and malware worldwide. While temporary, it does clearly demonstrate that with a concerted and consistent effort by concerned commercial Internet network operators, a safer Internet can ensue.


Once Hurricane Electric became aware of the report's content, at approximately 4:30pm EST on 11/11/08 it pulled the plug. To check this, see the chart from SpamCop below: a huge drop in spam, as just one example!




Of course it is not over yet:

fraudcrew.com on IP 64.62.171.193 = 193.64-62-171.reverse.mccolo.com = net 64.62.128.0/18 = AS6939 HURRICANE Electric. Our favorite ‘CoolWebSearch hijackers’ are still online.



Also, as we see on the CIDR report, AS26780 MCCOLO - McColo Corporation is still peered by AS3549 GBLX Global Crossing Ltd.


However, we can assume Hurricane Electric will get around to this 64.62.128.0/18 net block, and that GBLX is also acting in unison.

Again this is an excellent example of a growing community effort, involving a wide cross section of anti-spammers, malware and botnet researchers, journalists, and Internet network operators. When considering the ongoing war for the heart and soul of the Internet: “Not the end, not the beginning of the end, but the end of the beginning”?

RBN - Russian Cyberwar on Georgia: Report

"In August 2008, cyberwar associated with the Russian Federation struck once more, this time against Georgia. The DDoS attacks began in the weeks running up to the outbreak of the Russian invasion and continued after the Kremlin announced that it had ceased hostilities on August 12th."


This excerpt is from the 29-page report available for download from HostExploit.com or georgiaupdate.gov.ge; this is probably the most thorough analysis available of the cyberwarfare related to Georgia.



Concerning RBN (Russian Business Network)



"The individual with direct responsibility for carrying out the cyber "first strike" on Georgia is an RBN operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrey Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists," as some have maintained of the cyber attacks on Georgia – but senior operatives in positions of responsibility with vast background knowledge.



Intelligence can suggest further information about these individual cyber-terrorists. According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22, clearly showing professional planning and not merely ‘hacktivism.’ Due to the degree of professionalism and the required massive costs to run such operations, a state-sponsor is suspected. Further information gathered also links the RBN to known disruptive websites.



• The IP addresses of the range, 79.135.160.0/19 are assigned to Sistemnet Telecom to provide services to companies who are classified as engaging in illicit activities such as credit card fraud, malware and so on.



• 79.135.160.0/19 Sistemnet Telecom and AS9121 TTNet (Turkey) are associated with AbdAllah_Internet which is linked with cybercrime hosting such as thecanadianmeds.com. These are known Russian Business Network routes. "



The puzzle of StopGeorgia.ru = follow the rabbit?


To add to the report, and shed light on the ongoing puzzle of the attack site StopGeorgia.ru (click on diagrams to enlarge):







Figure 1 - The IP route diagram for StopGeorgia.ru (note: steadyhoster.com)



Figure 2 - The IP route diagram for SteadyHoster.com (note: for both Fig 1 and Fig 2, 74.86.81.232.infomart.reverse.dnska.com)


Protect Details, Inc - (privatecontact@protectdetails.com)
29 Kompozitorov st. Saint Petersburg, 194358 RU







Figure 3 - Welcome to London GB: the IP route diagram for InnovativeITsolutions.com, actual home of 'StopGeorgia.ru', AKA dnska.com, reseller for AS36351 SOFTLAYER Technologies


Innovation IT Solutions Corp.
Andrey Nesterenko (admin@mirhosting.com)
95 Wilton Road,
London, SW1V 1BZ, GB

RBN - Georgia Cyberwarfare – Attribution & Spam Botnets

Further attribution highlighting specific RBN (Russian Business Network) leadership and RBN directed spam botnet observations.



Specific RBN Attribution

The individual with direct responsibility for carrying out the cyber "first strike" on Georgia is an RBN (Russian Business Network) operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrew Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists" (as some have maintained of the cyber attacks on Georgia).

Mr. Boykov has been engaged in criminal activity for some time. He is best known for distributing the malware VirusIsolator (which downloads trojans to take control of the victim's computer). He has been directly involved in financial crime, and operated scam sites including Harbor Lending, Oakwood Lending, and Capital Lending. Mr. Boykov is also a purveyor of porn spam.

Mr. Smirnov is known for operating a number of scam sites including canadian-pharmacy-support and canadiandiscountmeds. Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine. The Ukrainian authorities should note that he often travels between Russia and the Ukraine.

According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22. Presently, there is a large-scale spam campaign underway purporting to be from the BBC which accuses the President of Georgia of being gay. When an individual clicks on the link in the email, a virus is downloaded from 79.135.167.49 (Sistemnet Telecom - AS9121 TTNet (Turkey), associated with AbdAllah_Internet). Spamhaus issued a warning regarding 79.135.167.49 on July 29th in SBL66533.

Further investigation of Mr. Boykov and Mr. Smirnov is likely to implicate the Russian authorities in the cyber first strike.

Contribution - James McQuaid


Fig 1 - Sistemnet Telecom - AS9121 TTNet (Turkey) associated with AbdAllah_Internet (click to enlarge)


Further spam botnet analysis - Knujon

The hosts listed below are part of a botnet that came into existence in 2008. The vast majority show up in Mar/Apr 2008, but some have been sending spam since 2006.

80.255.244.19 - Web Media Services - Russian Federation
nslookup = mx1.privatehost.nl
79 hits from April 2008 and 4 from Mar 2008.

85.71.224.34 - Czech Republic nslookup = 34.224.broadband4.iol.cz
5 hits spread over Feb, Mar and Apr 2008.

242.3.213.198 = mailrouter2.austincc.edu
107 in Mar/Apr 2008, 1 in Jan 08 and 1 in 2006

57.83.52.200 = mail5.hostweb.com.mx
1 in Jul 2007

100.192.162.206 = mx2.seidata.com
90 in Mar/Apr 2008, 1 in Oct 2007

16.164.163.212 = dns2.tea-cegos.es
104 in Mar/Apr 2008

5.197.8.212 = mx2.teuto.net
209 total: 159 in Mar/Apr, 2 Jan, 6 Feb 2008; 39 (2007); 3 (2006)

118.32.147.216 = adoptolder.org
8 Mar/Apr 2008

165.209.35.217 = mx2.bt.net
100 Mar/Apr, 1 Jan 2008; 65 (2007); 9 (2006)

Mar/Apr 2008 period (sending host, number of hits):

mail7.jetblue.com 106
autoliike.com 3
smtp.cablebahamas.net 151
mx4.mardelhosting.net 1
mx1.privatehost.nl 83
34.224.broadband4.iol.cz 5
un-158-235.domainunused.net 31
pool-96-234-41-61.nwrknj.fios.verizon.net 8
123-193-82-34.dynamic.kbronet.com.tw 7
mbox.edmaster.it 90
smtp3.willamette.edu 77
argo.regione.toscana.it 92
msgsrv1.itellium.net 177


Again special thanks to the many community contributions and messages of support of the RBN blog, in our efforts to expose cyber crime and the Russian Business Network. We welcome ongoing observations, send to RBNexploit gmail.com

Refs:

RBN info from James McQuaid; his blog here

Spam Botnet analysis Dr. Bob Bruen of Knujon.com.

RBN – Georgia Cyberwarfare – Continuation

On Friday August 15th and over the weekend another dimension has emerged on tracking RBN (Russian Business Network) server ranges. This concerns a new spam campaign which mocks Georgia's President, purporting to come from the BBC and spreads a new virus. This is very well described by UAB (University of Alabama) Spam Data Mine and on Gary Warner’s blog (see refs below).




The spam loads malware from various locations which in turn actually causes the virus to be delivered from a single location, the IP address 79.135.167.49. The name of the malware is "name.avi.exe", and at the moment only FOUR out of 36 anti-virus products detect it.
Why RBN, or rather, as in the title of this blog, ‘RBN and Related Enterprises’? We have commented before within the blog (see ref below) on 79.135.160.0/19 Sistemnet Telecom - AS9121 TTNet (Turkey), associated with AbdAllah_Internet cybercrime hosting (thecanadianmeds.com etc.); see Spamhaus’ many ROKSO listings (refs below).




This adds a further element to the ongoing attempt at character assassination of Georgia's President, Mikheil Saakashvili, similar to the linking of the President to Nazi images, as Lenta.ru did using one of this blog’s images.






RBN or Cyberwar or not? - Nomenclature

Given this opportunity there has been a great deal of discussion within the community, after the event, as to RBN (Russian Business Network) or not RBN, cyberwar or hacktivists, Russian or not...


Without denigrating this important topic: “If it walks like a duck, sounds like a duck, and looks like a duck, maybe it’s a ______?” (fill in the blank)


The cyber attacks against Georgia which first originated from IP space in TTnet Turkish Telekom (as does this latest spam incident) were known RBN, and the subsequent server actions, botnet methodology, and tools used were also known RBN: there is no question about the facts, and there is no compelling reason to doubt the implications.


To borrow a popular line from the movie “The Usual Suspects”, regarding the arch criminal Keyser Soze: “The greatest trick the Devil ever pulled was to make us believe he does not exist.” This was and still is the RBN’s greatest skill: to avoid detection, use deception, and cause most onlookers to consider other suspects, in this case hacktivists, who are easily labeled unsophisticated and uncontrollable, and dismissed as simpleton fanatics.


This provides a convenient transition to the one-sided CYBERWAR against Georgia by Russia. Do we really expect Russia, or for that matter any state aggressor, to openly announce what methods of warfare they are using? For example there is no specific information from Russian government sources about Russian army actions still underway within Georgia despite the ceasefire. Nor do they inform us that the 22nd Guards ObrSpN ‘Spetsnaz’ of Rostov Oblast may have been operating within Abkhazia and South Ossetia, dressed in the uniforms of the local militia, since mid July 2008, if such an action was the case. Why would we expect them to announce the CYBERWAR techniques also being used?


Two good sources of information may assist making a reasonable judgment:

Firstly the political: as Russian State Duma Deputy and Security Committee member Nikolai Kuryanovich stated in 2006, within a formal Russian parliamentary letter of appreciation to hackers who had taken down several Israeli web sites:

"In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces." – Prediction or intent?


Secondly the strategic, from a few days ago:
“Cyber-attacks are part of the information war, making your enemy shut up is a potent weapon of modern warfare.” – as stated by Alexander Denezhkin, editor of the Russian journal Cybersecurity.ru



Finally a reasonable conclusion associated with the nomenclature is to consider the absurdity of treating the cyber criminal and national cyber security problems as a separate matter. Consider if any country had such a successful and existing Internet ‘black ops’ entity as the RBN within its borders, is it not logical that it would utilize or capitalize on such skills?


Perhaps what many find unpalatable is the example from the history of the 20th century, where there were similar apologists and we ignored developments in strategy and warfare such as the Blitzkrieg, at a huge later cost. This could be an early example of Russia’s hegemony, or of controlling its neighbors via an emerging “Cyber Iron Curtain”.




Jart Armin - RBNexploit.com



Refs:

UAB Spam Data Mine

UAB Blog

CanadianMeds - Sistemnet - TTnet

Spamhaus (a)

Spamhaus (b)





RBN - Partners Official Sponsors of ICANN?


Russian Business Network (RBN): what if they were out to own the Internet by owning the DNS? The Internet totally relies on DNS (Domain Name System), so obviously this must be the stuff that Hollywood movies are made of, but this nightmare scenario is more real than any of us would like to believe.


This article draws a few of the ingredients together. It is important to stress that this is not to discredit ICANN, but to show just how RBN and their associates are applying themselves to the weakness of DNS allocation and exploiting ICANN’s vulnerability via influence, commercial sponsorship and registrar development.


  • Firstly, RBN’s normal chaos creation, shown within the important and recent security research paper “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority” by David Dagon, Niels Provos, et al.: “291,528 hosts on the Internet performing either incorrect or malicious DNS service. With DNS resolution behavior so trivially changed, numerous malware instances in the wild, we urge the security community to consider the corruption of the (DNS) resolution path as an important problem.” [ref 1]
  • Connect this to the newer RBN technique to ‘auto-generate’ thousands of new malware and rogue domain registrations via duped or controlled registrars, e.g. Tucows (Ca) and EstDomains, shielded by PrivacyProtect, which can now outrun most security bloggers, security companies, black listing or rogue domain listings. [ref 2]

So, who runs or has the responsibility for DNS and keeping it safe? ICANN (Internet Corporation for Assigned Names and Numbers), mostly self-elected and privately operated; as ICANNwatch.org describes it, ICANN is “avoiding governmental accountability mechanisms, but ICANN also lacks much of the accountability normally found in corporations and in nonprofits.” [ref 3]



The facts – who?

LogicBoxes and Skenzo host a "Taj Mahal Sojourn" for guests at the 31st ICANN Meet in Delhi, India - “The elite list of attendees included the likes of Enom and Tucows head honchos, Paul Stahura and Eliott Noss respectively. Trey Harvin - CEO dotMobi, Jonathan Nevett - Network Solutions, Alexa Raad CEO PIR, Tim Cole - Chief Registrar Liaison at ICANN, Craig Schwartz - Chief gTLD Registry Liaison at ICANN, Tina Dam - Director, IDN Program ICANN, Dave Wodelet, Wendy Seltzer, Thomas Narten – ICANN Board members” [ref 4]



Directi, LogicBoxes and Skenzo control / manage / own ‘PrivacyProtect’, a domain privacy service which shields cybercrime, and does so by design. It currently shields 759,172 domains. [fig 2]



“LogicBoxes currently powers the infrastructure and software of over 50 ICANN Accredited Domain Registrars including EST Domains” [ref 5] (LogicBoxes online corporate profile). EstDomains is associated with Atrivo aka Intercage; it is estimated that EstDomains provides Atrivo with 40% to 60% of its revenue.



Directi, LogicBoxes and Skenzo are associated with Everyones Internet (US) and The Planet (US), which provide rack space etc. for opticaljungle / orderbox-dns. Coincidentally both are within the top 10 hosts in the world for infected web sites, with some 6,000. [ref 6]



Bhavin Turakhia, CEO and Chairman of The Directi Group: “Directi to continue growing at triple digit growth rates year after year, technical advisor to the local CyberCrime Investigation Cell, Bhavin was also former chairman for the Global ICANN Accredited Registrars Constituency for two consecutive terms. He has been the youngest elected chair for this post in the history of ICANN” [ref 7] [ref 8]



The facts (just a few notable examples) – what?


Historical Aug 07 - Bank of India iFrame hack - X-TRAFFIC.BIZ – RBN, ICANN Registrar: ESTDOMAINS [ref 9]


Ongoing – RBN retail - Loads.cc - ICANN Registrar = DIRECTI – Registrant = PrivacyProtect.org [ref 10] [ref 11] [ref 12]


Ongoing - RBN retail payment systems isoftpay – Current; ICANN Registrar: ESTDOMAINS Registrant: PrivacyProtect.org [ref 13]


Current - Robotraff: A Hacker's Go-To For Clicks – Brian Krebs, Washington Post - robotraff.com; ICANN Registrar = DIRECTI – Registrant = PrivacyProtect.org [ref 14]


Newer rogue / fake sample – malwarebell; The filename MALWAREBELL.EXE was first seen on Apr 14 2008 in CANADA, BELGIUM on Apr 15 2008, SPAIN on Apr 23 2008, GERMANY on Apr 23 2008; ICANN Registrar = Estdomains; Registrant = PrivacyProtect.org [ref 15]


Brand New - Mass File Injection Attack from Russia with Zlob - “If you do a Google search for these URLs, you get about 400,000 sites" - The key domain = xprmn4u.info ("HaCKeD By BeLa & BodyguarD" = 90,000 hits on Google); ICANN registrar for = Estdomains; Registrant = PrivacyProtect.org [ref 16]



Fig 2 - PrivacyProtect - map

Conclusions

“But if someone broke — or worse, subverted — the fundamental way in which we find web sites, we wouldn’t trust URLs any more. Own the DNS and you own the Internet.” [ref 17]



The background research and this summary article have been around four months in the making within the community. It should be emphasized that there is considerably more ‘who’ and ‘what’, which will be presented in full later.



We feel even the most casual reader will be concerned, as this affects every user of the Internet. We as a group want to further stress that we are believers in an open and unrestricted Internet; however, if this trend continues, with a parallel DNS system being developed on an unofficial DNS architecture that will fake all records, the result will be a real mess, and a groundswell of Internet users who rightly request governmental action in some form to assume some form of control.



We hope that, as a minimum, many readers will contact ICANN [ref 18] to at least determine what they are going to do about Estdomains, PrivacyProtect and anonymous domain registrants – right now! This also begs the question of the commercial approach of ICANN, which apparently supports unfettered registrar development, and of who it allows in sponsorship or election. If ICANN does not rapidly clean up its own act to encourage the view that the DNS is safe in their hands, realistically several Internets will evolve: “the Good, the Bad, and the Ugly”.



As for Directi and co., there will undoubtedly be arguments of: we are unaware, not responsible, we only manage, or it is a very small minority... From their logged and monitored actions we do not believe them. Even so, with their claimed expertise, if they were unaware of the role of EstDomains or PrivacyProtect, and thus the RBN, then should they be trusted within, or in any form of association with, ICANN?




Special thanks, to name but a few:
Jim McQuaid, Debbie Rosman, David Bizeul, EmergingThreats.net malwaredomains.com, open source security community, Robtex, CyberDefCon, et.al.



References:

[ref 1] Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority

[ref 2] Top 25 Exploit Hosts

[ref 3] ICANN for Beginners

[ref 4] LogicBoxes and Skenzo host a "Taj Mahal Sojourn" for ICANN

[ref 5] LogicBoxes online corporate profile

[ref 6] The Planet and Everyones Internet

[ref 7] Directi CEO

[ref 8] CyberCell Mumbai India

[ref 9] Bank of India Hack Aug 07

[ref 10] RBN Retail

[ref 11] Loads cc

[ref 12] One-Stop Shopping for Hackers

[ref 13] RBN payment systems

[ref 14] Robotraff – Brian Krebs

[ref 15] Rogue - Malwarebell

[ref 16] Mass File Injection Attack from Russia with Zlob – ISC.sans

[ref 17] Alistair Croll '10 Ways the Internet (As We Know It) Will Die'

[ref 18] Contact ICANN



Coming soon - RBN - Automated Mass Malware Domain Registration

RBN – Extortion and Denial of Service (DDOS) Attacks

The Russian Business Network (RBN) has long been known for its bulletproof hosting and its control of botnets such as Storm. Apart from the obvious example of an RBN “hired gun” Distributed Denial of Service (DDoS) attack on Estonia in May 2007, many have attempted to comprehend and link the RBN’s usage of botnets. Within this article we shed light via several documented examples of extorting potential clients into the use of their “specialized” hosting services by means of DDoS, and a further example of RBN’s ecommerce.



For those who wish to understand how a DDos attack works via a botnet see figure 1.


Figure 2 shows the evolution of DDoS over recent years based upon purpose and size, currently at 17+ Gbps (gigabits per second) and potentially 7,000 such attacks daily - courtesy of Prolexic Technologies (click on the figs to see full size, and see links below).




The business model RBN uses is quite simple and effective: its affiliates and resellers comb various niche market forums and discussion areas for webmasters using or discussing protective web services, i.e. DDoS prevention. They carry out a DDoS attack on the website and then, via a third-party sales approach, “encourage” the webmaster to sign up for their DDoS prevention services. The cost of this hosting service is $2,000 per month.



These niche markets for the RBN are usually within the Internet market sectors of pornography and specialized grey areas, e.g. online pharmaceuticals and HYIP (High Yield Investment Programs). This blog is not commenting on the legitimate purpose or otherwise of these web sites; the RBN is successful because most of these webmasters are not about to publicly complain. However, it does appear that legitimate hosting services offering a level of DDoS prevention are vulnerable to the RBN’s monopolistic efforts to capture and control this high-income business. It further appears many such recruits are then encouraged to mitigate the costs by becoming resellers themselves of the hosting and other RBN services. It should be added that some of these resellers are unaware, or are happy to be ignorant, that they are actually part of the RBN reseller community.



For sample details we can start at the HYIP forum “Talkgold”; this is a fascinating knock-about discussion on RBN DDoS extortion (see link below) and provides some useful clues for RBN exposure.



However, the clearest evidence can be seen within another forum, “HotHYIPs”: figure 3 shows the details of RBN DDoS reselling, and figure 4 shows an example of grateful affiliates, with a US-based affiliate openly stating “Paid very fast. A very good return from a ddos attack.”



The prime sales link for the RBN hosting is via NEAVE LIMITED a UK registered company, but the actual core serving is ELTEL based in St. Petersburg RU, one of the core replacement servers for the RBN post Nov 08, with AS-peers: 30 and 67,584 IP addresses. This is listed within Spamhaus (see link below) “Botnet criminal Indian & .ru/.ua spammer host: NEAVE LIMITED” as of Jan 12th 08.



Eltel: IP range 81.9.8.0 - 81.9.8.255, AS20597; example sites hosted: goldenpiginvest.com / .net, thecanadianmeds.com, pharmacy-viagra.net



Already some of the notable blacklisted domains listed within the Spamhaus lasso have moved to other RBN-utilized ASes, also using the RBN’s recent blocking-avoidance mechanism of wildcard sub-domains (“*.badsite.com”), for example:



rxpharmacy-support.com - ns3.cnmsn.com - 204.13.67.108 - 204.13.64.0/21 AKANOC Solutions Inc - AS 33314 (US)



*.thecanadianmeds.com - 79.135.160.0/19 Sistemnet Telecom - AS9121 TTNet (Turkey)



officialmedicines.com - 79.135.165.0-79.135.166.255 AS9121 TTNet (Turkey)



psxshop.com - 66.197.0.0/17 - AS29748 Carpathia Hosting




To further demonstrate RBN connectivity, “goldenpiginvest.net” links directly to data storage on Level3 Communications’ box(dot)net (see figure 5), a service that provides the ability to collaborate and share files online. This was shown in an earlier RBN blog article concerning 365fastcash and the RBN’s Panama-based servers (see link below). No doubt Level 3 will be able to (again) inform US authorities of the content of these data files, and terminate such services.






Figure 6 – IP diagram for *.thecanadianmeds.com






Links:

Prolexic technologies - DDos information - figures 1 & 2


RBN DDos extortion Talkgold forum discussion


HotHYIPS forum RBN reseller advertising and remarks


Spamhaus botnet lasso - NEAVE LIMITED / Eltel, St. Petersburg RU


Level3 Communications; box(dot)net; goldenpiginvest.net & 365fastcash common linkages

RBN – Out with the New and in with the Old – Mebroot

The Russian Business Network (RBN) is using one of their usual deceptive approaches of confusing by the use of old domains and recycled exploit techniques; this is the case with Mebroot. There has rightly been a great deal of press (see links below) concerning Mebroot, as identified by Symantec on Jan 8th 08. This is a rootkit exploit that overwrites part of a computer's hard drive called the Master Boot Record (MBR). It is still a deadly and difficult exploit: once established and undetected, it confounds most anti-virus software. Its purpose is to hijack the user’s PC, which is then redirected to download other exploits for stealing banking information and ID theft. The good news is that there are some straightforward detection and removal tools, e.g. GMER; also see on their website a great write-up of how a rootkit actually works.




So what is new? Well, the exploit sites are now using a fast-flux P2P botnet and the exploit is polymorphic, i.e. it has the ability to alter its form and mutate. But this approach is the same old stuff by a different name; it is Torpig, Anserin, Gromozon, etc., even using some of the old domains for distribution. So where do the “new” exploit names come from? Unfortunately, from us. Our constant reductionist approach to BadWare is utilized by RBN to confound, and we play right into their hands: every time we rename their stuff it makes it easier for them to blend into the confusion. The old is forgotten or not reported and they reuse the old stuff all over again. When we all start using a commonly accepted holistic linguistic approach to the problem, we may win this war.


For details, a “small” sample, especially for our Italian Gromozon readers:


This particular example, callsolutions(dot)biz, is on one of our old friends, Pilosoft AS26627, with a bunch of RBN’s “very young” erotic sites sharing the name server a(dot)ns(dot)joker(dot)com.

As a comparative link, and no RBN blog article would be complete without mention of the RBN’s US division – kopythian(dot)com - Atrivo AS27595; AKA Inhoster, Intercage, and pecb(dot)cc at Atrivo’s Cernal AS36445.




Also, just so no one can say we are picking on Atrivo, or ask where the RBN link is, see the following “joining up the dots” of a very small sample out of 100’s of exploit domains on the same Atrivo name server managedns1.estboxes.com:




2007postcards(dot)com (Storm),
malwareburn(dot)com (rogue anti-virus),
procodec(dot)com (fake codec),
virusheal(dot)com (rogue anti-virus),
xxl-cash(dot)com (RBN payment site) –
plus a cryptic graphic for our readers from the RBN so they know this is not guesswork.






IP figures:







Gmer - anti-rootkit download

Gmer - how a rootkit works

Symantec - Mebroot article

BBC - Mebroot

RBN – 365fastcash, Panama, and 1488 RU

As regular readers know, the Russian Business Network (RBN) originally utilized an extensive virtual base in Panama (Nevacon); we can now report they are back. The new hive centers on AS26426 (Optynex Telecom Sa, Calle 53, Piso 18, Panama City, Panama; Phone: 210-9900) and cybercastco.com name servers (special thanks to Jim McQuaid and Snort expertise).

There are numerous domains, but as a sample this article focuses on two: 365fastcash(dot)com and Jidov(dot)net. It is also pleasing to note that these are already covered by the RBN Snort rules on EmergingThreats.net (bleeding-rbn-BLOCK.rules).

365fastcash has been delivering a truly blended threat by using an automated telephone dialing system to ask people for the last 4 digits of their social security number. This was flooding switchboards at a well known US charitable organization a few days ago, and was obviously the first of many.



Interestingly there are two sub-domains, “back1.365fastcash” and “bavk1.365fastcash”, both similar in structure to the earlier reported 76service and 76team. The difference on this occasion is that the likely personal ID data storage is on direct links from the sub-domains to Level3 Communications’ box(dot)net, a service that provides the ability to collaborate and share files online. No doubt Level 3 will be able to inform US authorities of the content of these data files, and terminate such services. Further IP and SSL details below.


Jidov(dot)net provides an interesting political twist for the RBN, as this is the safe hosting location for 1488(dot)ru. For those who are not aware, 1488 RU is the supposedly banned, violent, and very well financed Russian Nazi group. The 14 represents the 14-word slogan "We must secure the existence of our people and a future for White children” and 88 represents the eighth letter of the alphabet, with HH standing for Heil Hitler. The question now arises: does this represent the source of the RBN’s political views, or just expensive (formerly) bullet-proof hosting?

Forum Intro:

(RU, translated) Friends, we are pleased to announce that the site 1488.ru is now accessible from the domain zone Jidov.net. Development of the project is proceeding at full speed. Thank you for your attention to our resource. Soon we will be able to offer you registration of third-level domains in our domain zones (yournick.1488.ru and yournick.jidov.net). We are also ready to offer you banner placement on the pages of our resource.




Further details: 365Fastcash(dot)com - 200.115.173.215 - Registrar: KEY-SYSTEMS GMBH; Whois Server: whois.rrpproxy.net; Name Servers: NS1.CYBERCASTCO.COM, NS2.CYBERCASTCO.COM; 06-dec-2007


SSL Information for 200.115.173.215

SSLv2: Yes
Cipher Spec: SSL2_RC4_128_WITH_MD5 [010080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 [060040]
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]
Connection ID: 26ad291530a4cc910e9c066877bda0f0

SSLv3: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]

TLS 1.0: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]







JIDOV(dot)NET - 200.115.171.200 - Registrar: ESTDOMAINS; Name Servers: NS1.CYBERCASTCO.COM, NS2.CYBERCASTCO.COM; 11-nov-2007

SSL Information for 200.115.171.200

SSLv2: Yes
Cipher Spec: SSL2_RC4_128_WITH_MD5 [010080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 [060040]
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]
Connection ID: 85feb66767c2560349e7409f2b25118f

SSLv3: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]

TLS 1.0: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]
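Both SSL listings above (for 200.115.173.215 and 200.115.171.200) show the same picture: SSLv2 still enabled, with export-grade, single-DES and MD5-MAC cipher specs on offer. The following is an added example, not code from the HostExploit blog or from any scanner the authors used: a small parser for scan output in this layout that extracts the protocol/cipher table and flags the weak settings a defender would want to triage. It accepts either the "SSLv2" / "Yes" two-line form or the "SSLv2: Yes" one-line form; the embedded sample reproduces the first listing, and the weakness rules (SSLv2 and SSLv3 present, EXPORT suites, 56-bit DES, MD5 MACs) are the example's own assumptions.

```python
import re

# Sample in the layout of the scan output quoted above (same host and
# cipher lines as on the page; constructed here as test input).
SAMPLE_SCAN = """SSL Information for 200.115.173.215
SSLv2: Yes
Cipher Spec: SSL2_RC4_128_WITH_MD5 [010080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 [060040]
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]
Connection ID: 26ad291530a4cc910e9c066877bda0f0
SSLv3: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]
TLS 1.0: Yes
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]
"""

HOST_RE = re.compile(r"^SSL Information for (\S+)$")
# Protocol header, optionally followed by ": Yes" / ": No" on the same line
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLS 1\.[0-3])(?::\s*(Yes|No))?$")
CIPHER_RE = re.compile(
    r"^Cipher Spec:\s+(\S+)(?:\s+\(\d+ bit\))?\s+\[([0-9a-fA-F]+)\]$")


def parse_scan(text):
    """Return (host, {protocol: [(cipher_name, hex_code), ...] or None}).

    A protocol maps to None when the scanner answered "No" for it.
    """
    host, protocols, current, awaiting_answer = None, {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            if m.group(2):                       # one-line "SSLv2: Yes" form
                protocols[current] = [] if m.group(2) == "Yes" else None
                awaiting_answer = False
            else:                                # two-line form: answer follows
                awaiting_answer = True
            continue
        if awaiting_answer and line in ("Yes", "No"):
            protocols[current] = [] if line == "Yes" else None
            awaiting_answer = False
            continue
        m = CIPHER_RE.match(line)
        if m and current and protocols.get(current) is not None:
            protocols[current].append((m.group(1), m.group(2).lower()))
        # "Connection ID:" and anything else is ignored
    return host, protocols


def assess(protocols):
    """Flag weak protocol versions and cipher suites (assumed rules).

    Returns (issue, protocol, cipher) tuples; cipher is None for
    protocol-level findings.
    """
    findings = []
    if protocols.get("SSLv2") is not None:
        findings.append(("sslv2-enabled", "SSLv2", None))
    if protocols.get("SSLv3") is not None:
        findings.append(("sslv3-enabled", "SSLv3", None))
    for proto, ciphers in protocols.items():
        for name, _code in ciphers or []:
            if "EXPORT" in name:                         # 40-bit export grade
                findings.append(("export-grade", proto, name))
            elif re.search(r"_DES_64_|_DES_CBC_", name):  # single DES, 56-bit
                findings.append(("single-des", proto, name))
            if name.endswith("_MD5"):                    # MD5 as the MAC
                findings.append(("md5-mac", proto, name))
    return findings


if __name__ == "__main__":
    host, protos = parse_scan(SAMPLE_SCAN)
    enabled = ", ".join(p for p, c in protos.items() if c is not None)
    print(f"{host}: enabled {enabled}")
    for issue, proto, cipher in assess(protos):
        print(f"  [{issue}] {proto} {cipher or ''}")
```

Run against the first listing the parser reports SSLv2, SSLv3 and TLS 1.0 enabled, and the assessment yields one SSLv2 finding, one SSLv3 finding, one export-grade suite, one single-DES suite and six MD5-MAC suites; the TLS 1.0 DHE-RSA/AES-256 suite raises nothing under these rules.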




RBN - Storm Botnet, the Changing Chessboard

In a follow-up to the earlier Russian Business Network (RBN) post "New and Improved Storm Botnet for 2008", the chessboard changes yet again. In this game of chess our opponents started over Christmas with a full frontal attack, but have already switched to flanking moves. Perhaps on this occasion the community may be able to slow down the advance, force a draw, or maybe even win this particular game of chess?



The key is to understand and combat Storm 2008's innovative elements, and to attempt to quantify progress in the game. With the aid of early analysis by Thorsten Holz / the German Honeynet Project, and based on limited initial data, we have attempted to produce a predictive trend analysis of the Storm Botnet's rebuild towards 1 million PCs. This is shown in figure 1: given that current analysis shows growth from, say, 10,000 on Dec-22 to 30/40,000 by Jan-03, on a conservative analysis Storm should reach 1 million by mid-February 2008.

So at least we now have a potential definition of game progress; for the RBN it would be a disappointment if they did not easily clear this target, while for the community the aim is to limit it. Game on?


To play this game we had all better know the rules of deception. Here is a current assessment of progress against the innovative Storm elements:


# First the good news: so far 2,147 fake and/or infected Blogspots have been detected and are flagged by Google, as shown in the StopBadware clearing house.


# Further good news: on checking, most of the Storm attack domains (see list below) are SBL or XBL listed on Spamhaus et al.


# Some confusion in the ranks, as assumptions are made about locations or even selective attacks. As described elsewhere, the botnet control panel(s) are now much more sophisticated, with the ability to decide which geographic regions and areas to attack. Interestingly, if a PC is still subject to an earlier infection there will be no further re-infection.

# As noted, the polymorphic nature is clearly present to confuse, i.e. the virus or exploits have the ability to alter their signature in an attempt to defeat anti-virus tools.

# Most worrying is the constant stream of domains and the "fast-flux" technique used to avoid detection, which in this case is actually “double-flux”, characterized by multiple nodes within the network registering and de-registering their addresses. This implies that IP block lists can only ever lag behind; it would seem "Snort", which is capable of performing packet logging and real-time traffic analysis on IP networks, may at last demonstrate its earlier promise.

# Finally, it is fairly safe to predict there will be further attacks on the search engines and via social engineering, i.e. Facebook, etc.



The current Storm attack domains and related fakes (also see the reference links below: Malwaredomains, Emerging Threats, honeywall blog, and US-CERT), although of limited number to begin with, are now:

10000xing(dot)cn - 222360(dot)com - adslooks(dot)info - bnably(dot)com - eqcorn(dot)com - familypostcards2008(dot)com - freshcards2008(dot)com -happy2008toyou(dot)com - happysantacards(dot)com - hellosanta2008(dot)com - hohoho2008(dot)com - kqfloat(dot)com - ltbrew(dot)com - mymetavids(dot)com - obebos(dot)cn - parentscards(dot)com - postcards-2008(dot)com - ptowl(dot)com - qavoter(dot)com - santapcards(dot)com - santawishes2008(dot)com - siski(dot)cn - snbane(dot)com - snlilac(dot)com - tibeam(dot)com - tushove(dot)com - wxtaste(dot)com - yxbegan(dot)com


The specific Storm exploits have overlapped with fake anti-malware and fake codecs, which are polymorphic in nature:
ArcadeWorld(dot)exe - ArcadeWorldGame(dot)exe - ClickHere(dot)exe - codecnice1126(dot)dmg - codecnice1126(dot)exe - codecultra1123(dot)dmg - codecultra1123(dot)exe - ecard(dot)exe - fck2008(dot)exe - Flash_Postcard(dot)exe - FlashPostcard(dot)exe - Full Story(dot)exe - FullClip(dot)exe - FullNews(dot)exe - FullVideo(dot)exe - GreetingCard(dot)exe - GreetingPostcard(dot)exe - happy_2008(dot)exe - happy2008(dot)exe - Install_video_3913230(dot)exe - MoreHere(dot)exe - NflStatTracker(dot)exe - Postcard(dot)exe - Read_More(dot)exe - ReadMore(dot)exe - sony(dot)exe - stripshow(dot)exe - Video(dot)exe - VideoAccessCodecInstall(dot)exe - virusranger(dot)exe - vrsvc(dot)exe
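The two lists above are published in the blog's defanged "(dot)" notation, and the earlier "New and Improved Storm Botnet for 2008" post (reproduced further down this page) notes that the fake Blogspot links share the query-string fragment "pewtkk153traj". The following is an added example, not code from HostExploit or from any of the linked projects: it re-fangs such indicator lists and runs them, together with the Blogspot marker, over constructed web-proxy log lines. Host matching treats sub-domains of a listed domain as hits (the Panama post's "back1.365fastcash" pattern shows why), while a listed file name on an unlisted host is reported separately as a lower-confidence match. The log format, the handful of indicators chosen from the lists, and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import urlparse

# A few indicators copied from the two lists above, in the post's defanged form.
STORM_DOMAINS_DEFANGED = """10000xing(dot)cn - 222360(dot)com - adslooks(dot)info - bnably(dot)com -
happy2008toyou(dot)com - happysantacards(dot)com - hellosanta2008(dot)com -
postcards-2008(dot)com - santawishes2008(dot)com - yxbegan(dot)com"""
STORM_FILES_DEFANGED = "ecard(dot)exe - FlashPostcard(dot)exe - happy2008(dot)exe - Video(dot)exe"
# Shared query-string fragment of the fake Blogspot links (from the December post)
BLOGSPOT_MARKER = "pewtkk153traj"

# Constructed proxy log lines: "<epoch> <client> <method> <url> <status>"
LOG_LINES = """\
1198540800 192.0.2.15 GET http://www.example.org/index.html 200
1198540801 192.0.2.15 GET http://dantip1234.blogspot.com/?soapwerzpordeecaspewtkk153trajspeak 302
1198540803 192.0.2.15 GET http://happysantacards.com/ 200
1198540805 192.0.2.15 GET http://img.happysantacards.com/FlashPostcard.exe 200
1198540807 192.0.2.16 GET http://news.example.org/video.html 200
1198540809 192.0.2.16 GET http://cdn.example.net/Video.exe 200
"""
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def refang(token):
    """Turn the post's '(dot)' notation back into a real name, lower-cased."""
    return token.replace("(dot)", ".").strip().lower()


def load_indicators(domains_blob, files_blob):
    """Split ' - ' separated defanged lists into sets of real names."""
    domains = {refang(d) for d in re.split(r"\s+-\s+", domains_blob) if d.strip()}
    files = {refang(f) for f in re.split(r"\s+-\s+", files_blob) if f.strip()}
    return domains, files


def classify_url(url, domains, files):
    """Return the list of reasons a URL matches the indicators (empty if none)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for d in sorted(domains):
        # exact host or any sub-domain of a listed domain
        if host == d or host.endswith("." + d):
            reasons.append(f"domain:{d}")
            break
    if host.endswith(".blogspot.com") and BLOGSPOT_MARKER in parsed.query.lower():
        reasons.append("blogspot-redirect")
    leaf = parsed.path.rsplit("/", 1)[-1].lower()
    if leaf in files:
        reasons.append(f"filename:{leaf}")
    return reasons


def scan_log(text, domains, files):
    """Yield (line_no, client, url, reasons) for every matching log line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, _method, url, _status = m.groups()
        reasons = classify_url(url, domains, files)
        if reasons:
            hits.append((n, client, url, reasons))
    return hits


if __name__ == "__main__":
    doms, fls = load_indicators(STORM_DOMAINS_DEFANGED, STORM_FILES_DEFANGED)
    for n, client, url, reasons in scan_log(LOG_LINES, doms, fls):
        print(f"line {n}: {client} -> {url}  [{', '.join(reasons)}]")
```

On the constructed log the scan flags the Blogspot redirect, both requests to the listed domain (the second also by file name), and the lone "Video.exe" download from an unlisted host; a host such as "nothappysantacards.com" is not treated as a match because the sub-domain test requires a dot boundary.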

Storm Growth analysis - German HoneyNet
Malwaredomains
Emerging Threats
US Cert




RBN – New and Improved Storm Botnet for 2008

Obviously the Russian Business Network (RBN) is working overtime during the Christmas and New Year holiday, no doubt counting on many in the ISP security and anti-spam arena being on skeleton staff.

Many will already have seen reports of the Storm Botnet outbreak which started on December 24th with “MerryChristmasDude”, with a good write-up at ComputerWorld and technical details at ISC SANS or HolisticInfoSec (links in the footer). The picture is changing rapidly: by December 26th there were new web sites, “Uhavepostcard” and “HappyCards2008”, and no doubt more to come over the next few days.


Three of the key web sites have the following registrant information, all registered via “ANO REGIONAL NETWORK INFORMATION CENTER DBA RU (Russia)” in chronological order:

Domain Name: MERRYCHRISTMASDUDE.COM - Creation Date: Nov 27 2007

Domain Name: UHAVEPOSTCARD.COM - Creation Date: Dec 23 2007
Domain Name: HAPPYCARDS2008.COM - Creation Date: Dec 26 2007



The key objective for the RBN is to rebuild the Storm Botnet, whose size various reports over the last few months have put at anywhere from a few million enslaved PCs down to, more recently, a few hundred thousand. One can only guess what the RBN’s main goal for a rebuilt Storm Botnet is, e.g. the earlier DDoS (distributed denial of service) attack on Estonia.



There are some interesting elements which make this attack innovative:


# Although much of what has been detected is conventional spam, there is also a large amount of spam getting through many anti-spam defenses due to the use of “fake” BlogSpot (Blogger) links; for example, from a small sample:

hxxp://dantipXXXX.blogspot.com/?soapwerzpordeecaspewtkk153trajspeak
hxxp://isakovkapitonXXXX.blogspot.com/?harkwerzpordeecaspewtkk153trajfloor

The common part of the suffix is “pewtkk153traj” which redirects to Geocities web sites and then a further redirect to the Storm exploit domains.


# Although most have identified it as the Zhelatin Storm email worm or a variant, it also arrives as the more recent fake codec downloads, depending upon where the unfortunate user has come from. This now shows a “polymorphic” format, i.e. the virus or exploit has the ability to alter its signature in an attempt to defeat anti-virus tools.


# The fast-flux technique used to avoid detection is in this case actually “double-flux”, characterized by multiple nodes within the network registering and de-registering their addresses (see the sample maps below, taken within one-hour periods, which show the fast-flux DNS changes). It is also safe to say this newer Storm network now has improved defense mechanisms if examined too closely.
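Both this post and the "Changing Chessboard" follow-up above describe the Storm domains as "double-flux": the A records rotate, and so do the addresses of the name servers themselves. The following is an added example, not code from HostExploit or from the Honeynet Project analysis the posts cite: it takes periodic resolver snapshots (A records plus NS names and their glue IPs) and classifies each domain as double-flux, single-flux or stable. The snapshots use reserved .test names and documentation IP ranges and are constructed for the example; the thresholds (at least 5 distinct A records in the window, A TTL of 900 s or less, and more NS glue IPs than NS names) are the example's assumptions, chosen to separate flux from ordinary short-TTL load balancing, where the name servers do not move.

```python
from dataclasses import dataclass

# Thresholds are assumptions for this example, not values from the post.
MIN_DISTINCT_A = 5      # distinct A records seen across the window
MAX_TTL_SECONDS = 900   # flux domains keep TTLs short so stale IPs age out


def snap(t_min, domain, a_ips, a_ttl, ns_glue, ns_ttl):
    """One resolver snapshot: A records plus NS names and their glue IPs."""
    return {"t": t_min, "domain": domain, "a": list(a_ips), "a_ttl": a_ttl,
            "ns": dict(ns_glue), "ns_ttl": ns_ttl}


# Constructed hourly snapshots (minutes since start), not real resolutions.
SNAPSHOTS = [
    # A set and NS glue both rotate every hour: double-flux
    snap(0, "cards.flux.test", ["203.0.113.10", "203.0.113.11", "198.51.100.5"], 300,
         {"ns1.flux.test": "192.0.2.10", "ns2.flux.test": "192.0.2.20"}, 600),
    snap(60, "cards.flux.test", ["203.0.113.12", "198.51.100.6", "198.51.100.7"], 300,
         {"ns1.flux.test": "192.0.2.11", "ns2.flux.test": "192.0.2.21"}, 600),
    snap(120, "cards.flux.test", ["203.0.113.13", "203.0.113.14", "198.51.100.8"], 300,
         {"ns1.flux.test": "192.0.2.12", "ns2.flux.test": "192.0.2.22"}, 600),
    # A set rotates but the name server stays put: single-flux
    snap(0, "shop.single.test", ["203.0.113.50", "203.0.113.51"], 180,
         {"ns1.static.test": "192.0.2.99"}, 86400),
    snap(60, "shop.single.test", ["203.0.113.52", "203.0.113.53"], 180,
         {"ns1.static.test": "192.0.2.99"}, 86400),
    snap(120, "shop.single.test", ["203.0.113.54", "203.0.113.55"], 180,
         {"ns1.static.test": "192.0.2.99"}, 86400),
    # Ordinary host: same two IPs, long TTL
    snap(0, "www.stable.test", ["198.51.100.200", "198.51.100.201"], 3600,
         {"ns1.stable.test": "192.0.2.200"}, 86400),
    snap(60, "www.stable.test", ["198.51.100.200", "198.51.100.201"], 3600,
         {"ns1.stable.test": "192.0.2.200"}, 86400),
]


@dataclass
class FluxReport:
    domain: str
    distinct_a: int
    min_a_ttl: int
    a_churn: float        # share of later snapshots that introduced new IPs
    ns_names: int
    distinct_ns_ips: int
    verdict: str          # "double-flux", "single-flux" or "stable"


def analyze(snapshots):
    """Group snapshots by domain and classify each domain's DNS behaviour."""
    by_domain = {}
    for s in sorted(snapshots, key=lambda s: s["t"]):
        by_domain.setdefault(s["domain"], []).append(s)
    reports = {}
    for domain, snaps in by_domain.items():
        seen_a, ns_names, ns_ips, new_ip_events = set(), set(), set(), 0
        for i, s in enumerate(snaps):
            if i > 0 and set(s["a"]) - seen_a:
                new_ip_events += 1          # this snapshot brought unseen IPs
            seen_a |= set(s["a"])
            ns_names |= set(s["ns"])
            ns_ips |= set(s["ns"].values())
        churn = new_ip_events / (len(snaps) - 1) if len(snaps) > 1 else 0.0
        min_ttl = min(s["a_ttl"] for s in snaps)
        fluxing = len(seen_a) >= MIN_DISTINCT_A and min_ttl <= MAX_TTL_SECONDS
        if fluxing and len(ns_ips) > len(ns_names):
            verdict = "double-flux"         # the NS layer itself is rotating
        elif fluxing:
            verdict = "single-flux"
        else:
            verdict = "stable"
        reports[domain] = FluxReport(domain, len(seen_a), min_ttl, churn,
                                     len(ns_names), len(ns_ips), verdict)
    return reports


if __name__ == "__main__":
    for r in analyze(SNAPSHOTS).values():
        print(f"{r.domain:18} A={r.distinct_a:<3} ttl={r.min_a_ttl:<6} "
              f"churn={r.a_churn:.2f} nsIPs={r.distinct_ns_ips}/{r.ns_names} "
              f"-> {r.verdict}")
```

On the constructed data cards.flux.test shows nine distinct A records and six glue IPs behind two NS names and is reported as double-flux; shop.single.test churns its A records just as fast but keeps one fixed name server and is reported as single-flux; www.stable.test never changes and is reported as stable. In practice the same snapshots would be collected by re-resolving the domain and its NS records from a scheduled job, which is the basis of the "taken within one-hour periods" maps the post refers to.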











Computerworld - Storm Worm Christmas
Computerworld - Storm New Year
ISC Sans - Anticipated Storm
HolisticInfoSec

RBN – $$$ - the retail payment systems

In an extension to analysis of the Russian Business Network (RBN) this is the first element of a series on RBN payment systems.


This article focuses on just one of the several payment systems for the RBN's “fakes” retail division, i.e. isoftpay.com. This has been reported before, namely by the Sunbelt Blog (see links in the footer) on Oct 3rd 06 in its report on the rogue software, and more recently within 2-spyware on Dec 10th 07.








In exploring this node of the RBN’s organization, several areas of interest arise: the location(s) of Internet operation, SSL, and the transactional base. Briefly, by way of an introduction to later, more in-depth analysis of malware revenue models, analysis solely of isoftpay does provide a starting point for some generalized assumptions about RBN retail revenue. Therefore, as mentioned within earlier articles here on fakes, and from current analysis:



(a) Isoftpay serves as the payment point for such fakes as Bravesentry, and others.

(b) Secure.Isoftpay.com over the last 30 days (mid Nov – mid Dec) received 187,750 direct unique visitors from the US.

(c) This tends to demonstrate that approximately 25% of the unique visitors to those rogue software web sites go on to the payment site, as directed by the exploits downloaded with the “free” trial of the fake anti-spyware.

(d) On the reasonable assumption that a high proportion, say 75%, of those directly visiting the secure payment area after downloading the exploit go on to make the purchase, this would provide gross revenue of around $4 million per month from US visitors alone.

(e) As US visitors represent 17 – 40% of the worldwide audience for such sites, one can assume gross revenue in the region of $10 million per month, or $120 million per annum.




A significant component is the SSL (Secure Sockets Layer) certificate; the figure below shows the current certificate for Isoftpay.

The certificate appears legitimate; unfortunately we have not yet ascertained from Equifax or GeoTrust whether it is a forgery, and if it is not, they should be able to inform us who the purchaser was.


Also of interest are the payment transactions: as the site takes Visa and MasterCard, further enquiries are outstanding as to whom the collected revenues are paid.

Finally, several victims have contacted the authors of this blog, and any such transaction is fraudulent. No doubt Equifax, GeoTrust, Visa and MasterCard will act swiftly to prevent further fraudulent transactions and ensure victims at least gain a return of their payments?



From the perspective of the RBN’s nodes of operation, the IP address originally noted by Sunbelt in Oct 06 was 69.50.168.101 - AS27595 ATRIVO. The figure below shows the current locations (Dec 19th 07) and a comparison with those on Oct 28th 07; the only actual difference is the addition of a name server (ns3.isoftpay.com) served from AS4837 CNC Group China. The other servers are some of the RBN’s usual suspects: AS9930 TTnet Malaysia, AS4657 StarHub Singapore, and, it goes without saying, AS27595 Atrivo AKA Intercage, Inhoster, etc.





Below are shown, in two figures, the IP and AS maps of Isoftpay and related domains.









References: Sunbelt 10/06 2-Spyware.com 21/07