
Mapping the Russian Business Network

Today's Washington Post carries my story about the Russian Business Network, an entity based in St. Petersburg that provides Web hosting services that cater exclusively to cyber criminals. From the story:

"The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of 'phishing' -- ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites."

I thought it might be useful to name the companies that provide RBN's direct upstream Internet connectivity, as well as a few major Internet providers that provide services to RBN, including Tiscali.uk, SBT Telecom, Aki Mon Telecom and Nevacon LTD. The graph at the right is not an exhaustive look at all of the companies providing networking services to RBN, and it does not imply that the network providers listed are aware of or condone any illegal activity by RBN or RBN's customers.

It is tough to find a serious cyber-crime attack over the past two to three years that did not involve RBN Internet addresses to some degree. Going back as far as 2004 -- when RBN was known variously as "TooCoin Software" and "ValueDot" -- the network has offered an affiliate program called "iFramecash," wherein Web site administrators are paid a small sum for each visitor they silently refer to RBN's network. The visitor's machine is then peppered with Trojan horse programs that try to install password-stealing programs. In the past year-and-a-half or so, the main affiliates of that program simply started hacking into legitimate Web sites and placing the redirect code there.

In late 2005, security experts saw evidence that hacker gangs were taking advantage of a previously unknown security flaw in Microsoft's Internet Explorer browser to install keystroke-logging software on computers when users visited one of thousands of legitimate Web sites that had been hacked. In that attack, a large number of the sites set up by criminals to receive the keylogged data or serve up the exploit code resided on RBN's network.

Fast-forward to the fall of 2006, and security experts saw RBN sites implicated in an attack against HostGator, a large Web hosting provider in Florida. The attackers in that case had broken into thousands of Web sites using an undocumented security hole in "Cpanel," the software HostGator and hundreds of other hosting firms rely upon to host their sites.

Around that same time, RBN servers were heavily involved in exploiting yet another undocumented IE security hole to compromise an untold number of Web sites and Windows computers.

In May 2007, Security Fix reported that a large percentage of the sites belonging to IPOWER Inc., one of the Web's biggest inexpensive Web site hosting firms, had been hijacked with code that silently redirected visitors to malicious RBN sites.
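The hijackings described above (the iFramecash affiliates and the IPOWER compromise) all relied on a snippet planted in a legitimate page that sends visitors elsewhere without anything visible changing, usually an iframe sized to nothing or hidden by style. A site owner can look for exactly that in their own pages. The scanner below is an added example for this post, not code from Security Fix or from any of the firms named; the sample HTML is constructed, and the hostnames in it (`*.example.invalid`, `www.example.com`) are placeholders, not real addresses from any of these attacks.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an ordinary page into which two foreign iframes have been
# injected. The hostnames are placeholders, not addresses from the real attacks.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome to the site</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://redirect.example.invalid/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://stats.example.invalid/x" style="display:none;visibility:hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> element in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame is sized to (almost) nothing or styled invisible."""

    def tiny(value):
        value = value.strip().lower().rstrip("px")
        return value.isdigit() and int(value) <= 1

    if tiny(attrs.get("width", "")) or tiny(attrs.get("height", "")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return iframes that are hidden or that pull content from a host other than site_host.

    Relative sources (no hostname) are treated as on-site; a visible frame from
    the site's own host is normal and is not reported.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        off_site = host is not None and host.lower() != site_host.lower()
        hidden = _is_hidden(attrs)
        if hidden or off_site:
            findings.append({"src": src, "hidden": hidden, "off_site": off_site})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(finding)
```

Run it against a page fetched from your own site (or over a crawl of the document root) and investigate anything it reports; a hidden frame pointing off-site is almost never something the site's own developers put there.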

Nearly every major advancement in computer viruses or worms over the past two years has emanated from or sent stolen consumer data back to servers at RBN, including such notable pieces of malware as Gozi, Grab, Haxdoor, Metaphisher, Mpack, Ordergun, Pinch, Rustock, Snatch, Torpig, and URsnif. The price for these malware products often includes software support, and usually some virus writers guarantee that the custom version created for the buyer will evade detection by anti-virus products for some period of time.

I spoke last week with James McQuaid, who works as an information technology specialist in Michigan. McQuaid said he's been blocking RBN and nearly all of its partner networks from reaching his home network for some time now. McQuaid, who helps run the American Red Cross's IT networks, said the people behind RBN have taken notice that some network providers have chosen to block traffic originating from the St. Petersburg provider. McQuaid said he's recently seen attackers on RBN hiding the source and destination of their traffic by routing it through compromised home computers in the United States and in Europe as a way to evade blocking filters like the one McQuaid deployed.

"What we're seeing now is RBN and some Chinese hacker groups are taking over machines in the U.S. and hosting malware or launching attacks from those machines, mainly because they realize their IP space is increasingly being blocked by the rest of the world," McQuaid said. "That's because it's a lot less common for ISPs and corporate networks to block IP space from residential networks."

This was the case with the recent attack against the Bank of India, in which attackers compromised the bank's Web site using Mpack, a veritable Swiss Army knife of Web browser exploits. When Microsoft Windows users visit an Mpack-infected site with a browser or Windows installation that is not updated with the latest security patches, Mpack uses those flaws to silently install password-stealing software on visitors' machines. In the attack on the Bank of India's site, the data was relayed through intermediary machines on its way back to servers controlled by RBN, according to several sources who tracked the attack.

By Brian Krebs  |  October 13, 2007; 12:02 AM ET
Categories:  From the Bunker  

Comments

For the past 8-months or so I have been dealing w/a Telephone style SCAM..actually my Bank does call me on the telephone..they will announce many things in that process..this Telephone CALL seems to suggest "Credit Card Services"/only...and the Game begins...I have been hanging up on them for months regarding things as very suspicious...Basically..they attempt to have me HIT-a Button on my PHONE-keypad....this will bring up more detailed information that isn't ever given in the Phone Call..the article by Brian Krebs does seem to justify in my mind that things are getting "way out of hand"...Suggesting that the KEYSTROKE can be STOLEN seems a bit way out of line w/Crime...I would think that Cyber-crime would attempt to ERASE the Keystroke to complete the Co-conspirator in Cyber/Crime..attacking a Banking Institution at its cash draw and then allowing the Co-conspirator to levy a complaint for payment of the LOSS-of-FUNDS.

Posted by: ct47DB | October 13, 2007 10:39 AM

> McQuaid said he's been blocking
> RBN and nearly all of its partner
> networks from reaching his home
> network for some time now.

To do likewise, how does one obtain, and keep up-to-date with, the probably ever-changing list of domains or subnets to block?

Posted by: amturnip | October 13, 2007 10:47 AM

The comments on the article referenced in this blog include this:
taskforceken wrote:
If your ISP doesn't already block them, you can add these criminals to your firewall rules.

I.P. address block for Russian Business Network:
81.95.144.0/20 #SBL43489
(81.95.144.0 - 81.95.159.255)

And the address blocks for its equally corrupt cousins at Intercage, Inhoster, and Nevacon:

85.255.112.0/20 #SBL36702
(85.255.112.0 - 85.255.127.255)

69.50.160.0/19
(69.50.160.0 - 69.50.191.255)

194.146.204.0/22 #SBL51152
(194.146.204.0 - 194.146.207.255)

These IP addresses should be included in either the article or the blog posting above, but that would imply that the Post actually cares about its readers. The truth is the Post apparently only cares about exploiting controversy to make money, not about helping its readers protect themselves. Thanks definitely go to Post reader "taskforceken" for providing the vital information the reporter couldn't find room for in either his article or his blog. Thanks for not much... I bet you blocked these IP addresses on your computer a while ago, Krebs. Why would you deny your readers that opportunity?

Posted by: Patrick Huss | October 13, 2007 11:57 AM

@Patrick Huss -- Did you happen to look at the graphic that ran with this blog post? The IP addresses of the RBN are included there.

Posted by: Bk | October 13, 2007 12:01 PM

Thanks Patrick.

Posted by: PJ | October 13, 2007 4:47 PM

Other than the Ford Challenge, I see no graphic.

Posted by: Patrick Huss | October 13, 2007 4:49 PM

@ Patrick Huss

Graphic shows up for me:

http://blog.washingtonpost.com/securityfix/rbn.html

Posted by: -JP | October 13, 2007 6:23 PM

Great exposure, also see more maps and connections at rbnexploit.blogspot.com

It is important to note some of the RBN's key operations are operating from within US based hosting. iFrame Cash; RBN's web site hacking service for affiliates = Layered Technologies (fortunately now outed), and 76service; personal ID theft trading = Noc4Hosts, with connected operations within Global Net Access (GNAX), The Planet. This is their real "bullet proof" hosting. I bet they are / were within iPower as well.

The enemy is inside the gates, you only need a stolen credit card, no checks on what your web site actually does - it is easy for the RBN to access / hack into 1 million plus US hosted web sites - from inside the servers!

Posted by: Jart | October 14, 2007 6:20 AM

I have a blog against this Russian gang.
U can see the blacklist in my blog.
maipiugromozon.blogspot.com
Sorry but it's in Italian. These guys love to attack my country. They make a lot of money with dialers.

Posted by: maverick | October 14, 2007 8:37 AM

What? The only recourse against these criminals is to "out" them by naming them and their support networks in an article? I agree information is a powerful ally, but, geez, how about enforcement? What are international law enforcement bodies like Interpol doing here? Hello?

Posted by: Pete from Arlington | October 15, 2007 11:15 AM

So, why can't all the ISPs simply blacklist the RBN network domain. Literally, a void in the internet where nothing sent from inside has a path to the RBN and anything originating from the RBN is piped to the equivalent of /dev/null.

It would take Time Warner, Verizon, Quest, etc about an hour to make the RBN a don't care. Why won't they just do it?

Posted by: TripleII | October 15, 2007 5:56 PM

Brian, can I translate this post for an Italian site? Putting your name of course.

Posted by: Roberto | October 16, 2007 6:56 AM

Oh, the horror! I'm about to crap myself from fear =))))

Posted by: Тётя Дуся | October 16, 2007 10:58 AM

Some experts say that RBN uses the Trojan Torpig. Any news about it?

Posted by: Morozov | October 16, 2007 11:33 AM

>To do likewise, how does one obtain,
>and keep up-to-date with, the probably
>ever-changing list of domains or
>subnets to block?

The Spamhaus Don't Route Or Peer List:
http://www.spamhaus.org/drop/

Posted by: Placebo | October 17, 2007 5:28 AM

It's got to make you wonder whose hands are in that cookie jar, if they are willing to pass that information on, but unwilling to share preemptive information with the general public.

Posted by: Anonymous | October 17, 2007 4:43 PM

BleedingThreats.net is now providing Snort intrusion prevention signatures to block/detect the RBN and their associates at: http://docs.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork
These consist of IP addresses which you can use in your firewalls.

In addition, I am posting RBN related research in the Snort Configuration Samples Project at: http://docs.bleedingthreats.net/bin/view/Main/SnortConfSamples

Thank you,

James McQuaid

Posted by: James McQuaid | October 31, 2007 8:36 PM
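Three comments in this thread deal with the same raw material: the CIDR blocks taskforceken posted, the Spamhaus DROP list Placebo points amturnip to, and the address lists behind the Snort signatures McQuaid mentions. The script below, an added example and not code from any of those commenters, from Spamhaus or from BleedingThreats, shows how such a list is turned into something a network can enforce: it parses a DROP-style file (`CIDR ; SBL-reference`, one block per line, `;` comments), validates each prefix, expands it to the first/last address form taskforceken wrote out, answers "is this address in a listed block?", and emits equivalent iptables and Snort rules. The sample list is constructed for this example from the four blocks quoted above; the DROP format and the `$HOME_NET`/local-SID conventions are real, but the chain name and message text are choices made here.

```python
import ipaddress

# Constructed sample in the "CIDR ; SBL-reference" layout of the Spamhaus DROP
# file, filled with the four netblocks quoted in the comments above. The line
# for 69.50.160.0/19 deliberately carries no reference, as on the page.
SAMPLE_DROP_LIST = """\
; Spamhaus DROP List (constructed sample, not the real file)
81.95.144.0/20 ; SBL43489
85.255.112.0/20 ; SBL36702
69.50.160.0/19
194.146.204.0/22 ; SBL51152
"""


def parse_drop_list(text):
    """Parse 'CIDR ; reference' lines into (network, reference) pairs.

    Lines beginning with ';' are comments and are skipped. strict=True makes
    ipaddress reject a prefix whose host bits are not all zero, so a mistyped
    block is caught before it reaches a firewall.
    """
    entries = []
    for raw in text.splitlines():
        cidr, _, ref = raw.partition(";")
        cidr = cidr.strip()
        if not cidr:  # blank line or comment line
            continue
        entries.append((ipaddress.ip_network(cidr, strict=True), ref.strip()))
    return entries


def address_range(net):
    """First and last address of a block, the expanded form taskforceken wrote out."""
    return str(net.network_address), str(net.broadcast_address)


def blocking_entry(addr, entries):
    """Return the (network, reference) pair covering addr, or None if it is unlisted."""
    ip = ipaddress.ip_address(addr)
    for net, ref in entries:
        if ip in net:
            return net, ref
    return None


def iptables_rules(entries, chain="INPUT"):
    """One DROP rule per block; the SBL reference is kept as a rule comment for audit."""
    rules = []
    for net, ref in entries:
        comment = f' -m comment --comment "{ref}"' if ref else ""
        rules.append(f"iptables -A {chain} -s {net}{comment} -j DROP")
    return rules


def snort_rules(entries, base_sid=1000001):
    """Alert on any IP traffic from a listed block into $HOME_NET.

    SIDs from 1000000 upward are reserved for locally written rules, so the
    generated rules cannot collide with a distributed ruleset.
    """
    rules = []
    for i, (net, ref) in enumerate(entries):
        label = f"{net} {ref}".strip()
        rules.append(
            f"alert ip {net} any -> $HOME_NET any "
            f'(msg:"Traffic from DROP-listed block {label}"; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    entries = parse_drop_list(SAMPLE_DROP_LIST)
    for net, ref in entries:
        print(net, address_range(net), ref)
    print(blocking_entry("81.95.150.1", entries))
    print("\n".join(iptables_rules(entries)))
    print("\n".join(snort_rules(entries)))
```

The point of keeping the SBL reference in the iptables comment and the Snort message is the one amturnip raised: the list changes, and six months later you want to know why a given rule exists so it can be retired when Spamhaus delists the block. Regenerating the rules from a freshly downloaded list on a schedule, rather than hand-editing them, is what keeps the blocklist current.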

This is crap for projects!

Posted by: nathan | November 1, 2007 3:10 PM

Spamhaus is reporting on new RBN networks in China:

http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829

Thank you,

James McQuaid

Posted by: James McQuaid | November 6, 2007 6:46 AM

Spamhaus has a new posting on RBN networks in China utilizing RIPE ASNs and IP blocks:
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829

Posted by: James McQuaid | November 6, 2007 7:05 AM

Spamhaus is reporting on RBN networks in China somehow qualifying for RIPE ASNs and IP blocks. Note "The Russians Go Chinese": http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829

Posted by: James McQuaid | November 6, 2007 8:34 AM

FYI...

http://preview.tinyurl.com/23bgxp
November 07, 2007 (Computerworld) - "The Russian Business Network (RBN), a notorious hacker and malware hosting organization that operates out of St. Petersburg, Russia, has gone off the air, security researchers said today. According to a pair of Trend Micro Inc. researchers, RBN went dark around 10 p.m. EST Tuesday... By relinquishing control of the IP blocks it had been allocated, RBN essentially cut ties to the Internet and made it impossible for its domains -- which number in the thousands -- to access the Web or for users to reach those domains. "Where once there might have been 22 feasible paths for data to take to their IP blocks, now there are none," Ferguson said. He speculated that RBN is simply shifting to new digs... The Spamhaus Project antispam group has posted information that indicates RBN may have already laid claim to IP blocks located in China, Shanghai in particular..."

Posted by: J. Warren | November 7, 2007 9:40 PM

@James -- Thanks for the heads up. I published a post about that at least three hours before the publication of the piece you mentioned.

See:

http://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html

Posted by: Bk | November 7, 2007 10:52 PM

Interesting stuff here. My spam was reduced over 95% immediately after RBN was taken off the air. Thanks

Posted by: kp | November 8, 2007 1:09 PM

Er.
Verisign has the physical server location.
So, bit of 'counter-terrorism' here? Blow the bloody place up. That'll cost 'em.

Posted by: Finndweller | November 29, 2007 11:00 AM

I am sick of Russia and China spam.. therefore I am blocking ALL ips from those countries...

You should block all IPs starting with these if you do not care about Russia and China:

193.
194.
195.
212.
213.
217.
62.64.
62.76.
202.
203.
210.
211.

Posted by: Sabroson | November 30, 2007 9:01 PM
