Network News

X My Profile
View More Activity

Taking on the Russian Business Network

The text below was originally included as part of the story The Washington Post ran today on the Russian Business Network. The content below was cut for space reasons, but I thought the anecdote was interesting and timely enough to include here in the blog.

It deals with a security administrator at a mid-sized U.S. based Internet service provider who decided to block RBN from reaching his customers. John declined to use his full name for a stated fear of physical and/or digital reprisals by RBN's clients against him and his employer.

John decided to completely block RBN from traversing his network in June, roughly a year after noticing a huge uptick in the number of his customers infected by computer worms, viruses and information-stealing programs that through one route or another fed stolen data back to networks hosted on RBN.

"We played Whak-a-Mole with RBN for about a year, until I got tired of shutting down or cleaning up customers who were compromised after visiting one of these Russian addresses," John said.

In most cases, John's users were being compromised by one of two malicious computer programs whose authors have rented significant Web server space on RBN. The most prevalent invader was the "Storm worm" -- an e-mail borne contagion that criminals have used to enlist infected machines in all manner of cyber crimes, from hosting online scam Web sites to blasting out spam.

Estimates of the number of computers running Microsoft Windows that are currently infected with Storm range from 1 million to 10 million globally, depending on which anti-virus company is doing the estimating. Most infected machines corralled by criminals into "botnets" are used to anonymously relay junk e-mail, or to serve as a conduit for routing stolen financial data back to organized criminals.

Another invader John had to contend with was the result of customer infections from "Mpack," a virus creation tool that is sold on RBN sites for anywhere for $500 to $1,000, a price that includes personal tech support from the software developers. Mpack is a toolkit designed to create unique infectious programs that exploit known software security holes in several different kinds of Internet browsers.

Attackers typically stitch malicious programs created with Mpack into the fabric of legitimate Web sites that they have hacked. When a visitor arrives at such site with a Web browser that is not equipped with the latest software security updates, the site silently installs a password-stealing program on the visitors computer. The victim's stolen data is then regularly forwarded on to a "drop site" pre-arranged by the attackers -- in the case of the Mpack authors, a set of Web servers residing on RBN.

The latest victim of this attack was among the largest financial institutions in India. In late August, the Web site of the Bank of India was compromised by an Mpack-created virus, which forwarded purloined financial data to drop sites at RBN's network, Trend Micro's Paul Ferguson said.

Suddenly, late this summer, the respective authors of Storm and Mpack began attacking each other for control over infected computers. The flare up resulted from the fact that each group had begun instructing their armies of infected machines to uninstall preexisting installations of the other's software.

The two hacker groups were hitting each other's networks with so-called "distributed denial-of-service attacks," which involve forcing thousands of infected machines to heave so much bogus Internet traffic at an online target that it becomes unreachable. Normally, criminals use such attacks to extort money from commercial Web sites that often find it more expedient to pay a ransom demand than to lose potential sales from legitimate visitors.

It was at the height of this turf war between the warring virus writing factions that John decided to bar RBN traffic from traversing his company's network. Many of his customers' machines had been used as foot soldiers in that attack, which had chewed up huge amounts of Internet bandwidth in a very short amount of time. As a result, John's company was forced to pay upstream Internet providers handsome surcharges for the excess bandwidth consumed in the attacks.

But within a few months of blocking RBN, John said, his employer had more than made up for the DDoS expenditure, mainly by spending far fewer hours supporting customers with virus infected machines, or taking down online scam sites or spam-spewing PCs.

"Our instances of spam and infected machines dropped exponentially," he said. Prior to the RBN blockade, John's employer was receiving between 30 to 40 alerts each week from other ISPs complaining about phishing sites hosted by machines on his company's network. In the past two weeks, John has received a total of just three complaints of phishing sites on his network.

By Brian Krebs  |  October 13, 2007; 12:01 AM ET
Categories:  Fraud , From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft Changes Tune on IE7 Vulnerability
Next: Mapping the Russian Business Network


A very informative article - something we could all learn from. Thankyou.

Posted by: IainB | October 14, 2007 1:08 AM | Report abuse

how about telling us the ip rangee of this rbn network so we can block it to>

Posted by: Ben Greenfield | October 14, 2007 7:22 AM | Report abuse

What IP ranges did he vlock?

Posted by: Steve | October 14, 2007 8:24 AM | Report abuse

Posted by: anon | October 14, 2007 8:39 AM | Report abuse

This is the problem when you have a confluence of 3rd-world law and 1st-world telecom. Chalk it up to constructive engagement where for whatever reason we treat poor dangerous chaotic countries as though they were real, and permit telecom interconnects.

Most Chinese companies are forced to lease a server on US or EU soil because most Chinese IP addresses are filtered. I had to unblock some Chinese IP address ranges, but not, for example, China Telecom.

The problem with Russia is that there is basically no effective government. It's like Nigeria but with better phones. If we block the entire range it will put some pressure on their thugs (former intelligence officers now running the government) to at least cut down on annoyances like this.

Posted by: russianspleasedontkillme | October 14, 2007 9:02 AM | Report abuse

The benefits of blocking the RBN network are overstated or short-lived. Attack modes from spam are via compromised victim PCs or web browsers via legitimate but hacked web sites, not directly from the RBN.

At most blocking is just a small inconvenience to RBN - causing them to use some of their millions of bot hosts as a proxy to go where they need to go.

Posted by: Moike | October 15, 2007 8:19 AM | Report abuse

@Moike --

Your comment is misinformed.

Blocking trouble networks removes command and control from compromised PC's, as well as interrupts drive-by downloads by cross-site scripting (XSS) - the most common attack today. And its not as easy as you might think to proxy through a bot - especially if you're trying to remain undetected.

Blocking is more than an inconvenience. It costs the attacker money. If you want to shrivel the RBN, hit their customers where they live.

Posted by: Anonymous | October 15, 2007 10:26 AM | Report abuse

I believe that blocking is a good thing; the more organizations that block RBN, the greater the inconvenience to RBN.

Proxying is as simple as a software setting. And what better way to remain undetected than by relaying through one or more proxies when trying to hide your "real IP address"? Especially if those proxies are in different countries? The only cost is a delay caused by the extra relaying.

Posted by: Moike | October 15, 2007 2:42 PM | Report abuse

hey - if it helps at all...
What would you suggest for all the people at home?
edit hosts file? Can you use wildcards? can you reroute addresses?

for the home wifi router types, can you filter? How would you do?

Why not make this info useful and helpful for everyone?

Posted by: question | October 15, 2007 3:08 PM | Report abuse

"RussiansPleaseDontKillMe" is right.
I really don't see why ISPs shouldn't just cut off all Russian Internet access after what they did to Estonia last May. Do a cost/benefit analysis...what is the benefit of having internet connectivity to Russia? We know what the risks are.

Posted by: BlockThemALL | October 17, 2007 1:21 PM | Report abuse

Today the NYTimes ran a related article and it finally completed the question that had been forming in the 'back' of my mind: Together, don't Microsoft, Google, Sun Systems, MacAfee, Symantec, et al have the combined resources to launch an attack on these gangsters and smash their strategy in order to limit the damage they do?* These corps (pun intended) make billions of dollars. Together they could make the internet safer for all the 'little people' at the other end of the (network) line. Just a thought!!

*It's impractical to aim to eliminate these folk, but Sun Tzu said that in order to defeat an enemy a general should attack the enemy's strategy. To bracket these folks would be good. Bracketing is simple.

Posted by: Fred A | October 21, 2007 10:04 AM | Report abuse

Well if you block this RBN network make sure you block it both ways! So inbound AND outbound...

Posted by: bitman | October 24, 2007 10:17 AM | Report abuse

While my hosting company will not block IPs the software they use on the server lets me do it in a way that does not bounce email. I block China, N. Korea, Russia, Mexico, Panama, Argentina and Brasil... combined on 6 domains and 6 email addresses this auto deletes around 1400 emails sent to me personally. So far I have engineered a good set of filters to make sure that no good email is tossed.

I thought it was bad at 400 spam a week, I have 3 clowns that are relentless the same products spamed over 10 time each, every day of the year. There should be a LAW with TEETH.

Posted by: NBPro | November 12, 2007 4:22 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company