Showing posts with label rogue software.

RBN – Out with the New and in with the Old – Mebroot

The Russian Business Network (RBN) is using one of its usual deceptive approaches, confusing the picture by using old domains and recycling exploit techniques; this is the case with Mebroot. There has rightly been a great deal of press (see links below) concerning Mebroot, as identified by Symantec on Jan 8th 08. This is a rootkit that overwrites part of a computer's hard drive called the Master Boot Record (MBR). It is still deadly and a difficult exploit to deal with: its strength is that, once established and undetected, it confounds most anti-virus software. The purpose is to hijack the user’s PC, which is then redirected to download other exploits for stealing banking information and ID theft. The good news is there are some straightforward detection and removal tools, e.g. GMER; also see on their website a great write-up of how a rootkit actually works.
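The detection idea behind tools such as GMER, reduced to its simplest form, is to read the raw MBR sector and compare its bootstrap code against a trusted baseline. The following is an added example written for this post, not code from GMER, Symantec or the blog: it parses a 512-byte MBR, checks the boot signature, hashes the bootstrap area and flags any drift from a stored baseline hash. The two MBR images are constructed in the script (a stand-in for stock boot code, and a copy with its first bytes overwritten); reading the real sector from `\\.\PhysicalDrive0` or `/dev/sda` needs administrator rights, and a rootkit that hooks disk I/O can hand userland a clean copy, which is exactly why the post recommends a dedicated anti-rootkit tool or an offline read.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code, the part Mebroot-style rootkits overwrite
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * 16
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the trusted baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    if sum(1 for p in info["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged active")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR for the demonstration: one active partition of type 0x07, empty remaining slots."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    part1 = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = part1 + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


# Constructed "clean" image; the boot code bytes are a placeholder, not a real boot loader.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
# The baseline would normally be recorded once on a known-good system and stored off-host.
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Constructed "tampered" copy: the first two boot-code bytes replaced, the signature and table untouched,
# which is the pattern a boot-sector rootkit leaves when it redirects the boot path.
TAMPERED_MBR = b"\xeb\x3e" + CLEAN_MBR[2:]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))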




So what is new? Well, the exploit sites are now using a fast-flux P2P botnet and the exploit is polymorphic, i.e. able to alter its form and mutate. But this approach is the same old stuff under a different name: it is Torpig, Anserin, Gromozon, etc., even using some of the old domains for distribution. So where do the “new” exploit names come from? Unfortunately, from us. Our constant reductionist approach to BadWare is utilized by the RBN to confound, and we play right into their hands: every time we rename their stuff it makes it easier for them to blend into the confusion. The old is forgotten or not reported and they reuse the old stuff all over again. When we all start using a commonly accepted, holistic linguistic approach to the problem, we may win this war.
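Fast-flux hosting leaves a visible trace in DNS: one name answers with many different addresses, spread across unrelated networks, each with a short TTL so the rotation keeps working. The script below is an added example, not from the post, that scores passive-DNS style observations on exactly those three signals. The observations are constructed (RFC 5737 documentation addresses), and the thresholds are assumptions to be tuned per environment; the `cdn.example` entry is there to show why a low TTL on its own is not enough, since content delivery networks rotate a small set of addresses with short TTLs as a matter of course.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of (domain, answer IP, TTL in seconds) observations, e.g. from a resolver log.
# These addresses are documentation ranges, not addresses taken from the post.
OBSERVATIONS = [
    ("flux.example", "192.0.2.10", 180),
    ("flux.example", "198.51.100.7", 180),
    ("flux.example", "203.0.113.99", 300),
    ("flux.example", "192.0.2.77", 120),
    ("flux.example", "198.51.100.200", 180),
    ("flux.example", "203.0.113.5", 240),
    ("static.example", "192.0.2.50", 86400),
    ("static.example", "192.0.2.50", 86400),
    ("cdn.example", "198.51.100.1", 60),
    ("cdn.example", "198.51.100.2", 60),
]


def flux_features(observations):
    """Per domain: number of distinct answer IPs, distinct /16 networks they span, lowest TTL seen."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for name, ip, ttl in observations:
        ips[name].add(ip_address(ip))
        ttls[name].append(ttl)
    features = {}
    for name in ips:
        # The first two octets stand in for "different network"; a real deployment would map to ASN.
        nets16 = {ip.packed[:2] for ip in ips[name]}
        features[name] = {"ips": len(ips[name]), "nets16": len(nets16), "min_ttl": min(ttls[name])}
    return features


def is_fast_flux(feat, min_ips=5, min_nets=3, max_ttl=600):
    """Heuristic (assumed thresholds): many answers, spread over several networks, with short TTLs."""
    return feat["ips"] >= min_ips and feat["nets16"] >= min_nets and feat["min_ttl"] <= max_ttl


def classify(observations):
    """Map each domain in the observations to True (flux-like) or False."""
    return {name: is_fast_flux(feat) for name, feat in flux_features(observations).items()}


if __name__ == "__main__":
    for name, feat in flux_features(OBSERVATIONS).items():
        print(name, feat, "FLUX" if is_fast_flux(feat) else "ok")
```

Feed it a day of resolver logs rather than a handful of lines; the distinct-IP count only becomes meaningful over a window, and mapping answers to origin ASN instead of /16 removes most of the CDN false positives.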


For details a “small” sample, especially for our Italian Gromozon readers:


This particular example, callsolutions(dot)biz, is on one of our old friends, Pilosoft AS26627, with a bunch of the RBN’s “very young” erotic sites sharing the name server a(dot)ns(dot)joker(dot)com.

As a comparative link, and no RBN blog article would be complete without mention of the RBN’s US division: kopythian(dot)com at Atrivo AS27595, AKA Inhoster and Intercage; and pecb(dot)cc at Atrivo’s Cernal AS36445.




Also, just so no one can say we are picking on Atrivo, or ask where the RBN link is, see the following “joining up the dots” of a very small sample out of 100s of exploit domains on the same Atrivo name server, managedns1.estboxes.com:




- 2007postcards(dot)com (Storm)
- malwareburn(dot)com (rogue anti-virus)
- procodec(dot)com (fake codec)
- virusheal(dot)com (rogue anti-virus)
- xxl-cash(dot)com (RBN payment site)

plus a cryptic graphic for our readers from the RBN so they know this is not guesswork.
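Indicators in this post are written in the defanged “(dot)” form so that nobody clicks them by accident, which means they have to be refanged and validated before they can go into a blocklist. The following is an added example (not part of the post) that takes the domains and labels exactly as listed above, turns them back into hostnames, rejects anything that is not a syntactically valid name, and can defang them again for reporting. Several common defang spellings are handled, not only the one used here; the two malformed entries in the test are constructed.

```python
import re

# Domains exactly as written in the post, with the label the post attaches to each.
DEFANGED_IOCS = [
    ("callsolutions(dot)biz", "Mebroot distribution"),
    ("a(dot)ns(dot)joker(dot)com", "shared name server"),
    ("kopythian(dot)com", "RBN US division"),
    ("pecb(dot)cc", "RBN US division"),
    ("2007postcards(dot)com", "Storm"),
    ("malwareburn(dot)com", "rogue anti-virus"),
    ("procodec(dot)com", "fake codec"),
    ("virusheal(dot)com", "rogue anti-virus"),
    ("xxl-cash(dot)com", "RBN payment site"),
]

# Defang spellings seen in the wild; the post uses "(dot)", the others are accepted as well.
DEFANG_TOKENS = {"(dot)": ".", "[dot]": ".", "[.]": ".", "{dot}": "."}
# One DNS label: 1-63 chars of letters, digits or hyphen, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def refang(value: str) -> str:
    """Turn a defanged indicator back into a plain hostname (lower-cased)."""
    out = value.strip().lower()
    for token, real in DEFANG_TOKENS.items():
        out = out.replace(token, real)
    return out


def defang(name: str) -> str:
    """Write a hostname in the post's "(dot)" notation for safe display."""
    return name.replace(".", "(dot)")


def is_valid_hostname(name: str) -> bool:
    """Syntactic check only: at least two labels, each well-formed, top-level label not numeric."""
    labels = name.split(".")
    return (len(labels) >= 2
            and all(LABEL_RE.match(label) for label in labels)
            and not labels[-1].isdigit())


def build_blocklist(entries):
    """Refang and validate each entry; returns (hostname -> label, list of rejected raw entries)."""
    good, bad = {}, []
    for raw, label in entries:
        name = refang(raw)
        if is_valid_hostname(name):
            good[name] = label
        else:
            bad.append(raw)
    return good, bad


if __name__ == "__main__":
    good, bad = build_blocklist(DEFANGED_IOCS)
    for host, label in sorted(good.items()):
        print(f"{host:30} {label}")
    print("rejected:", bad)
```

The validated names can be written straight into a hosts file or a response-policy zone; keep the original labels alongside them so a later analyst knows why each entry is there.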






IP figures:







Gmer - anti-rootkit download

Gmer - how a rootkit works

Symantec - Mebroot article

BBC - Mebroot

RBN – $$$ - the retail payment systems

In an extension to the analysis of the Russian Business Network (RBN), this is the first element of a series on RBN payment systems.


This article focuses on just one of the several payment systems for its “fakes” retail division, i.e. isoftpay.com. This has been reported before, namely by the Sunbelt Blog (see links in the footer) on Oct 3rd 06 in its report on the rogue software, and more recently within 2-spyware on Dec 10th 07.








In exploring this node of the RBN’s organization, several areas of interest arise: the location(s) of internet operation, SSL, and the transactional base. Briefly, by way of an introduction to later, more in-depth analysis of malware revenue models, analysis solely of isoftpay does provide a starting point for some generalized assumptions about RBN retail revenue. Therefore, as mentioned within earlier articles here on fakes, and from current analysis:



(a) Isoftpay serves as the payment point for such fakes as Bravesentry, and others.


(b) Secure.isoftpay.com over the last 30 days (mid Nov – mid Dec) received 187,750 direct unique visitors from the US.


(c) This tends to demonstrate that approximately 25% of the unique visitors to those rogue software web sites go on to the payment site, as directed by the exploits downloaded from the “free” trial of the fake anti-spyware.


(d) On the reasonable assumption that a high proportion of those directly visiting the secure payment area after downloading the exploit make the purchase, say 75%, this would provide gross revenue of say $4 million per month from US visitors alone.


(e) As US visitors represent 17 – 40% of the worldwide audience for such sites, one can assume gross revenue is in the region of $10 million / month, or $120 million per annum.




A significant component is the SSL (Secure Sockets Layer) certification; the figure below shows the current certificate for Isoftpay.

The certificate appears legitimate; unfortunately we have not as yet ascertained from Equifax or GeoTrust whether it is a forgery, and if it is not, they should be able to inform us who the purchaser was.


Also of interest are the payment transactions, as the site takes Visa and MasterCard; further enquiries are outstanding as to whom the revenues collected are paid.

Finally, several victims have contacted the authors of this blog, and any transaction is fraudulent. No doubt Equifax, GeoTrust, Visa and MasterCard will act swiftly to prevent further fraudulent transactions and ensure victims at least gain a return of their payments?



From the perspective of the RBN’s nodes of operation: originally, as noted by Sunbelt, the IP address in Oct 06 was 69.50.168.101 - AS27595 ATRIVO. The figure below shows the current (Dec 19th 07) locations and a comparison with those on Oct 28th 07; the only actual difference is the addition of a name server (ns3.isoftpay.com) served from AS4837 CNC Group China. The other servers are some of the RBN’s usual suspects: AS9930 TTnet Malaysia, AS4657 StarHub Singapore, and, it goes without saying, AS27595 Atrivo AKA Intercage, Inhoster, etc.





Below are shown in figures two IP and AS maps of the Isoftpay and related domains.









References: Sunbelt 10/06; 2-Spyware.com 21/07

RBN – Fake Codecs

With the ongoing tracking of “fake” software websites related to the Russian Business Network (RBN) and their associates, it is important to note the growth of the fake codec websites. A codec is a small program that allows an operating system or a program to properly play audio or video in a particular format, e.g. MP3, WAV, Xvid, MPEG, Indeo and Cinepak.









Figure 1. Sample “fake” codec site - Gamecodec.com



This article is a cumulative snapshot report based upon current and historical community reporting from Zlob Watch (peki.blogspot), Sunbelt, and the excellent earlier work of Jahewi's Fake Codec Information (unfortunately last updated Jan 20th 07). The key issues are:


  • Currently shown here (see fig. 2 below) are 53 active domains; together with the 60 earlier reported, mostly dormant, domains (see fig. 3 below) this gives a total of at least 113 “fake” codec web sites operational over an 18 month period. It would appear many of the active domains alternate on a regular basis between being non-resolvable (apparently offline) and online.


  • The prime exploits from these sites are (a) Zlob, which shows fake error messages and silently installs fake anti-spyware products, and (b) DNSChanger, which silently adds rogue DNS name servers to your PC or Mac. These name servers will resolve non-existing domains (typo-squatting) to IP addresses associated with the authors to generate revenue, and could potentially re-route traffic from legitimate web sites to other suspicious web sites. Ref peki.blogspot
Note: We should clarify that the Mac fake codecs are only for the DNS changing trojans and that not all the sites listed will spawn Mac stuff.



  • These exploits are designed for Mac and Windows users, with an attack vector similar to the “fake” anti-spywares; however the technique varies by constantly emerging new domains, mostly pointing to a single web landing page interface.


  • Most importantly, all 113 domains are or were registered with Estdomains; similarly all of the active 53 domains in fig. 2 are hosted on AS27595 by Atrivo, AKA Intercage, Inhoster, Cernal, etc. Also to be added is AS 36445, a newer Autonomous System apparently used by Cernal. For blocking purposes the following IP ranges should be incorporated:

64.28.176.0/20 AS27595 INTERCAGE
85.255.118.0/20 AS27595 INTERCAGE
85.255.112.0/20 AS36445 CERNEL
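Two of the points above, the DNSChanger trojan that swaps in rogue resolvers and the IP ranges to block, combine into one check: read the resolvers a host is actually using, flag any that are not the ones the organisation expects, and say whether the unexpected ones fall inside the ranges listed. The script below is an added example, not from the post or from Zlob Watch. The ranges are copied as written above; note that 85.255.118.0/20 does not sit on a /20 boundary, so it is parsed with `strict=False`, which normalises it to 85.255.112.0/20, the same block as the Cernal line. The expected resolvers and the resolv.conf content are constructed; on a Windows host the same list comes from `ipconfig /all`, and only the parser would change.

```python
from ipaddress import ip_address, ip_network

# Ranges exactly as the post lists them (label text as given there).
BLOCK_RANGES = {
    "64.28.176.0/20": "AS27595 INTERCAGE",
    "85.255.118.0/20": "AS27595 INTERCAGE",   # not /20-aligned; strict=False rounds it to 85.255.112.0/20
    "85.255.112.0/20": "AS36445 CERNEL",
}
BLOCKLIST = [(ip_network(cidr, strict=False), label) for cidr, label in BLOCK_RANGES.items()]

# Resolvers this (constructed) organisation expects its hosts to use: documentation addresses.
EXPECTED_RESOLVERS = {ip_address("192.0.2.53"), ip_address("192.0.2.54")}

# Constructed resolv.conf content from a host to audit; the second entry is inside a listed range.
SAMPLE_RESOLV_CONF = """\
# generated by dhcp
nameserver 192.0.2.53
nameserver 85.255.115.44
search corp.example
"""


def lookup(ip: str):
    """Return the label of the first listed range containing ip, or None if it is not listed."""
    addr = ip_address(ip)
    for net, label in BLOCKLIST:
        if addr in net:
            return label
    return None


def parse_nameservers(text: str):
    """Extract the nameserver addresses from resolv.conf-style text, ignoring comments and other keys."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(ip_address(parts[1]))
            except ValueError:
                continue  # malformed address; skip rather than crash the audit
    return servers


def audit_resolvers(text: str):
    """List every configured resolver that is not expected, with the blocklist label if it has one."""
    findings = []
    for srv in parse_nameservers(text):
        if srv in EXPECTED_RESOLVERS:
            continue
        findings.append({"resolver": str(srv), "blocklisted": lookup(str(srv))})
    return findings


if __name__ == "__main__":
    for f in audit_resolvers(SAMPLE_RESOLV_CONF):
        print("unexpected resolver", f["resolver"], "->", f["blocklisted"] or "not in listed ranges")
```

An unexpected resolver that is not in the listed ranges still deserves a look: the post's own point is that the hosting moves around, so the allowlist of expected resolvers catches what the blocklist has not caught up with yet.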











Figure 4 - Sample IP Map - Zerocodec

RBN – Russian Business Network - Faking its demise

Although it is true that the Russian Business Network (RBN), as AS40989 RBN AS RBusiness Network, has relinquished its IP addresses (not the related ‘peers’), this blog has never shown this as the core centre of RBN activity or as particularly relevant to its commercial activity. To simply test the hypothesis of the demise of the RBN, as in recent headlines in the press using phrases such as “Mother of all cybercrime vanishes from the web” or “RBN goes Poof”, one need only review one of the RBN’s major money-earning retail activities.


HYPOTHESIS = Logically, the RBN's fake anti-spyware or rogue software should show major changes in serving and hosting over the last week or so, if the demise of the RBN is correct. Fortunately, based on limited CYBERINT, earlier we were able to show 57 well known ‘fakes’, with 34 of the top 40 being RBN related; below can be seen the specifics.


RESULT = With the exception of the loss or replacement of the AS40989 secondary name servers, there has been little or no change to the core IP addresses.

(a) For example, Antivirgear shows a current Alexa Trend/Rank of #5,473 (out of an estimated 60 million web sites), improved over the last month: 397,296 U.S. visitors per month, which is 10.7% of its traffic, thus visitors worldwide = 3.7 million. This is just one of many ‘fake’ web sites.

(b) It does assist in highlighting the role of Intercage AS 27595 (AKA Atrivo (US), Inhoster - xbox.dedi.inhoster.com - Ukraine, and Estdomains) as a fundamental part of the RBN from 2004 (see .





For the results, Figure 1 shows an overview of the RBN’s / Atrivo share of the ‘fakes’ market. For completeness (click on the images to enlarge):

Figure 2 - shows the complete list of the 57 ‘fakes’ in alphabetical order.

Figure 3 - shows the complete list of the 57 ‘fakes’ ranked to specific hosts / servers.

N.B. – It should be noted that the 6 ‘fakes’ listed as offline are currently dormant; historically this has happened before and such domains often come back into use.







RBN – The Russian Business Network Has Closed Shop?

Russian Business Network (RBN) watching requires healthy cynicism and two simple tricks: (1) view their actions as you would those of an illusionist or a stage magician, and look for the misdirection; (2) keep a historical perspective.

The good news is that the publicity-shy RBN does appear to have responded, or is being forced to respond, to being under the microscope, as reported by Brian Krebs of the Washington Post. The bad news is that the RBN IP ranges reportedly withdrawn are not the current RBN IP ranges utilized in current exploits. The excellent work of Geoff Huston and his cidr-report provides great information for those interested in the AS (Autonomous Systems) side of the Internet. This shows the following:

Prefixes withdrawn by this origin AS in the past 7 days = AS40989 (RBN):

- 81.95.144.0/22 = Withdrawn

- 81.95.148.0/22 = Withdrawn

- 81.95.154.0/24 = Withdrawn

- 81.95.155.0/24 = Withdrawn

However, as shown here and elsewhere, the recent RBN based PDF exploit utilized 81.95.146.130 and 81.95.147.107; further, many of the RBN “fake” anti-spyware and anti-malware websites use 81.95.145.186 as one of their many Internet “name servers”. Therefore one can only conclude:

- 81.95.145.0/22 = Still active

- 81.95.146.0/22 = Still active

- 81.95.147.0/22 = Still active
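Comparing a withdrawal list against addresses seen in the wild is only reliable once every prefix is written in its canonical form, because a CIDR such as 81.95.145.0/22 is shorthand for the /22 block that contains it. The script below is an added example, not part of the post or of the cidr-report, that takes the withdrawn prefixes, the “still active” prefixes and the three observed addresses exactly as listed above, normalises the prefixes (`strict=False`), maps each observed address to the withdrawn prefix that covers it, and reports which withdrawn and active prefixes overlap after normalisation. What it cannot say is whether those hosts still answer or who announces the block now; that is a question for live BGP data and for probing, which is the point the post makes about the RBN's peers.

```python
from ipaddress import ip_address, ip_network, collapse_addresses

# Prefixes and addresses exactly as listed in the post.
WITHDRAWN = ["81.95.144.0/22", "81.95.148.0/22", "81.95.154.0/24", "81.95.155.0/24"]
STILL_ACTIVE = ["81.95.145.0/22", "81.95.146.0/22", "81.95.147.0/22"]
OBSERVED_IPS = ["81.95.146.130", "81.95.147.107", "81.95.145.186"]


def normalise(prefixes):
    """Parse each prefix, rounding non-aligned ones down to their block (strict=False) instead of failing."""
    return [ip_network(p, strict=False) for p in prefixes]


def coverage(observed, prefixes):
    """Map each observed address to the list of normalised prefixes that contain it."""
    nets = normalise(prefixes)
    return {ip: [str(n) for n in nets if ip_address(ip) in n] for ip in observed}


def overlaps(a, b):
    """Sorted pairs (prefix from a, prefix from b) whose normalised forms overlap."""
    return sorted({(str(x), str(y)) for x in normalise(a) for y in normalise(b) if x.overlaps(y)})


def summarise(prefixes):
    """Deduplicate and merge adjacent prefixes into the smallest equivalent list, as a blocking rule would use."""
    return [str(n) for n in collapse_addresses(normalise(prefixes))]


if __name__ == "__main__":
    print("withdrawn, merged:   ", summarise(WITHDRAWN))
    print("still active, merged:", summarise(STILL_ACTIVE))
    for ip, nets in coverage(OBSERVED_IPS, WITHDRAWN).items():
        print(ip, "falls in withdrawn", nets)
    print("overlapping pairs:", overlaps(WITHDRAWN, STILL_ACTIVE))
```

Run on the lists as given, all three “still active” lines collapse to 81.95.144.0/22, and all three observed addresses sit inside that same block, so a blocking rule should be written on the normalised prefix rather than on the three non-aligned spellings.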

Historically there have been many welcome reports of the demise of the RBN and their acolytes stretching back to 2004. Without any political bias, it is reminiscent of being told the war in Iraq was over, circa 2003. To maintain a focused watch on the RBN as an organically growing organization is one of the main reasons a few of us created this blog in 2007.

This blog can only repeat that the RBN as an organization uses many guises, name servers, routes, stooges, etc., to operate under the radar and confuse. The excellent recent publicity through the many blogs, e-zines, and newspapers must surely assist in gaining the attention required, if only for the current 4 million plus (and growing) Internet users who will visit the RBN fake sites this month, and the many more who will suffer due to iFrame injections, Mpack and more. It is appropriate to take a cynical view of any RBN related actions, and even more importantly to maintain our vigilance.

There will be a detailed follow up article which will show a current example of the RBN and the "apparent" use of Chinese web space.

RBN - More of the RBN's fake anti-spyware and anti-malware tools (2 of 3).

As requested, this article (2 of 3) continues the Russian Business Network (RBN’s) Top 20 “fake” or “rogue software” series concerning the RBN’s Retail Division. The first article provided details of 20 such products, focused on the delivery method and the need for dynamic CYBERINT (cyber intelligence) to encompass the multiplicity of other mirrored hosts and servers. This article provides further exposure of 21 to 40, and extends the theme to a historical awareness of these ongoing and active threats. The third article will focus on the question, “Are these entire 40 fake products all RBN?” – the brief answer here is a quantifiable yes!

A further example in this 21 – 40 group is AntiVirGear; again the same user exploit mode is used, stealth-based malware, and according to McAfee’s SiteAdvisor it provides a host of bad downloads for the unsuspecting user. AntiVirGear makes a fairly recent entrance to this scene, and appears within spyware forums and other security sources, e.g. Symantec (September 13, 2007), but AntiVirGear is not new. The exploit variety here is based upon the Trojan Zlob or a variant, well known under earlier names such as SpySheriff, antispyware-gold, etc., with recorded sightings from 2004 and 2005.



The further batch, 21 to 40, is shown here in Table 4.







Again many are alive and well and doing good business for the RBN, despite most of the core IP addresses being blacklisted. However, when compared with the 1st article, again there is the common thread of interrelated hosts or mirror servers; see Table 5.




The tables in the 1st article and the tables here, together with the RBN related information, help to provide two important observations:

(a) The most important $$$ earning or key activities, e.g. Malwarealarm and AntiVirGear within the “fakes” category, but also, as shown with the current PDF and Gozi attacks, are directly served from AS 40989 = RBNetwork (RBN).


(b) 36 out of 40 of the RBN fakes are hosted or mirrored via AS 27596 = Intercage.


Intercage (US) AKA Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US). (Note: interestingly, Broadwing Communications, a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT - appears to be the core mail carrier and mirrored hosting for AS 27596; what level of responsibility?) Intercage has a history relating to the RBN “fakes”, as noted as early as 2005 / 2006, for example on the Spyware Warrior forum. In February 2006 there was an online debate in which ZDNet questioned the ISC SANS suggestion of blocking all of Intercage, their argument being that there were “some” legitimate customers there.


There are two conclusions that could be drawn from this:


1. It has been suggested to the authors of this blog that it will not be until some of the victims of these fakes and the RBN begin, and successfully pursue, legal actions against such server enterprises that the legitimate ones will ensure they apply a level of due diligence in accepting, or continuing, to be the vehicle for such illegal activities.


2. Clearly IP blocking in a fast, responsive and comprehensive “OpenDNS” CYBERINT format, as a method for ISPs and users, is long overdue. There is a big difference between, say, iPower when they are careless victims themselves in getting 10,000 web sites hacked, and such an obvious case as Intercage - AKA RBN.


Finally, as a reminder that this is a “now” problem and large scale, see a sample in Table 6 from 21 - 40; this would show about 3-4 million users as visitors worldwide to the 40 sites, per month, “NOW”.