Mapping the Russian Business Network
Today's Washington Post carries my story about the Russian Business Network, an entity based in St. Petersburg that provides Web hosting services that cater exclusively to cyber criminals. From the story:
"The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of 'phishing' -- ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites."
I thought it might be useful to name the companies that provide RBN's direct upstream Internet connectivity, as well as a few major Internet providers that provide services to RBN, including Tiscali.uk, SBT Telecom, Aki Mon Telecom and Nevacon LTD. The graph at the right is not an exhaustive look at all of the companies providing networking services to RBN, and it does not imply that the network providers listed are aware of or condone any illegal activity by RBN or RBN's customers.
It is tough to find a serious cyber-crime attack over the past two to three years that did not involve RBN Internet addresses to some degree. Going back as far as 2004 -- when RBN was known variously as "TooCoin Software" and "ValueDot" -- the network has offered an affiliate program called "iFramecash," wherein Web site administrators are paid a small sum for each visitor they silently refer to RBN's network. The visitor's machine is then peppered with Trojan horse programs that try to install password-stealing programs. In the past year-and-a-half or so, the main affiliates of that program simply started hacking into legitimate Web sites and placing the redirect code there.
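The post calls the affiliate program "iFramecash" and describes redirect code planted on hacked legitimate sites; the following added example (not from the Security Fix post or from any vendor tool) shows how a site owner could audit their own pages for hidden iframes that point visitors at a third-party host. It assumes the injected redirect takes the common hidden-iframe form; the sample HTML and hostnames are constructed.

```python
"""Audit a page for hidden iframes that silently pull content from a third-party host.

Added example. Assumption: the injected "redirect code" is a hidden iframe,
the form the program's name suggests. SAMPLE and all hostnames are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# width/height of 0 or 1 (optionally with "px") is a classic hidden-iframe sign
TINY = re.compile(r"^\s*0*[01]\s*(px)?\s*$", re.I)
# inline CSS that hides the frame or pushes it far off screen
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)

class IframeAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if TINY.match(a.get("width", "")) or TINY.match(a.get("height", "")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append(f"third-party src {host}")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def audit_page(html, site_host):
    """Return iframes with at least two suspicious traits (cuts down on
    false positives from legitimate same-site or tracking frames)."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return [f for f in p.findings if len(f[1]) >= 2]

# Constructed sample: one legitimate frame, one injected hidden redirect.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example-shop.test/help" width="600" height="400"></iframe>
<iframe src="http://redirect.example-bad.test/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_page(SAMPLE, "www.example-shop.test"):
        print(src, "->", ", ".join(why))
```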
In late 2005, security experts saw evidence that hacker gangs were taking advantage of a previously unknown security flaw in Microsoft's Internet Explorer browser to install keystroke-logging software on computers when users visited one of thousands of legitimate Web sites that had been hacked. In that attack, a large number of the sites set up by criminals to receive the keylogged data or serve up the exploit code resided on RBN's network.
Fast-forward to the fall of 2006, and security experts saw RBN sites implicated in an attack against HostGator, a large Web hosting provider in Florida. The attackers in that case had broken into thousands of Web sites using an undocumented security hole in "Cpanel," the software HostGator and hundreds of other hosting firms rely upon to host their sites.
Around that same time, RBN servers were heavily involved in exploiting yet another undocumented IE security hole to compromise an untold number of Web sites and Windows computers.
In May 2007, Security Fix reported that a large percentage of the sites belonging to IPOWER Inc., one of the Web's biggest inexpensive Web site hosting firms, had been hijacked with code that silently redirected visitors to malicious RBN sites.
Nearly every major advancement in computer viruses or worms over the past two years has emanated from or sent stolen consumer data back to servers at RBN, including such notable pieces of malware as Gozi, Grab, Haxdoor, Metaphisher, Mpack, Ordergun, Pinch, Rustock, Snatch, Torpig, and URsnif. The price for these malware products often includes software support, and usually some virus writers guarantee that the custom version created for the buyer will evade detection by anti-virus products for some period of time.
I spoke last week with James McQuaid, who works as an information technology specialist in Michigan. McQuaid said he's been blocking RBN and nearly all of its partner networks from reaching his home network for some time now. McQuaid, who helps run the American Red Cross's IT networks, said the people behind RBN have taken notice that some network providers have chosen to block traffic originating from the St. Petersburg provider. McQuaid said he's recently seen attackers on RBN hiding the source and destination of their traffic by routing it through compromised home computers in the United States and in Europe as a way to evade blocking filters like the one McQuaid deployed.
"What we're seeing now is RBN and some Chinese hacker groups are taking over machines in the U.S. and hosting malware or launching attacks from those machines, mainly because they realize their IP space is increasingly being blocked by the rest of the world," McQuaid said. "That's because it's a lot less common for ISPs and corporate networks to block IP space from residential networks."
This was the case with the recent attack against the Bank of India, in which attackers compromised the bank's Web site using Mpack, a veritable Swiss Army knife of Web browser exploits. When Microsoft Windows users visit an Mpack-infected site with a browser or Windows installation that is not updated with the latest security patches, Mpack uses those flaws to silently install password-stealing software on visitors' machines. In the attack on the Bank of India's site, the data was relayed through intermediary machines on its way back to servers controlled by RBN, according to several sources who tracked the attack.