<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/rss2full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-8549284814582550159</atom:id><lastBuildDate>Wed, 16 Jul 2008 23:48:35 +0000</lastBuildDate><title>Russian Business Network (RBN)</title><description /><link>http://rbnexploit.blogspot.com/</link><managingEditor>noreply@blogger.com (HostExploit)</managingEditor><generator>Blogger</generator><openSearch:totalResults>31</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/RussianBusinessNetwork" type="application/rss+xml" /><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-6151048977753886767</guid><pubDate>Tue, 13 May 2008 07:59:00 +0000</pubDate><atom:updated>2008-05-13T01:33:18.341-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">internet security</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">logicboxes</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><category domain="http://www.blogger.com/atom/ns#">directi</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">icann</category><category domain="http://www.blogger.com/atom/ns#">privacyprotect</category><category domain="http://www.blogger.com/atom/ns#">estdomains</category><title>RBN - Partners Official Sponsors of ICANN?</title><description>&lt;a 
onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/SClOGnSSC6I/AAAAAAAAANY/SR_DF_3jWKE/s1600-h/RBNexploit_Universal.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_SvDjzn4xfyE/SClOGnSSC6I/AAAAAAAAANY/SR_DF_3jWKE/s320/RBNexploit_Universal.jpg" alt="" id="BLOGGER_PHOTO_ID_5199773120307792802" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;Russian Business Network (RBN); what if they were out to own the Internet by owning the DNS? The Internet relies entirely on DNS (the Domain Name System), so obviously this must be the stuff that Hollywood movies are made of, but this nightmare scenario is more real than any of us would like to believe. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;This article draws a few of the ingredients together; it is important to stress this is not to discredit ICANN, but to show just how RBN and their associates are applying themselves to the weakness of DNS allocation and exploiting ICANN’s vulnerability via influence, commercial sponsorship and registrar development. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul style="font-family: trebuchet ms; text-align: justify;"&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;Firstly, RBN’s normal chaos creation, shown within the important and recent security research paper “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority” by David Dagon, Niels Provos, et al.; “291,528 hosts on the Internet performing either incorrect or malicious DNS service. 
With DNS resolution behavior so trivially changed, numerous malware instances in the wild, we urge the security community to consider the corruption of the (DNS) resolution path as an important problem.” [ref 1]&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul style="font-family: trebuchet ms; text-align: justify;"&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt; Connect this to the newer RBN technique to now ‘auto-generate’ 1,000s of new malware and rogue domain registrations via duped or controlled registrars, e.g. Tucows (Ca), EstDomains, and shielded by PrivacyProtect - which now can outrun most security bloggers, security companies, black listing or rogue domain listings. [ref 2]&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;So, who runs or has the responsibility for DNS and keeping it safe? ICANN (Internet Corporation for Assigned Names and Numbers), mostly self-elected and privately operated, as ICANNwatch.org describes: “avoiding governmental accountability mechanisms, but ICANN also lacks much of the accountability normally found in corporations and in nonprofits.” [ref 3]&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;span style="font-family: trebuchet ms;"&gt;The facts – who?&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;LogicBoxes and Skenzo host a "Taj Mahal Sojourn" for guests at the 31st ICANN Meet in Delhi, India - “The elite list of attendees included the likes of Enom and Tucows head honchos, Paul Stahura and Eliott Noss respectively. 
Trey Harvin - CEO dotMobi, Jonathan Nevett - Network Solutions, Alexa Raad CEO PIR, Tim Cole - Chief Registrar Liaison at ICANN, Craig Schwartz - Chief gTLD Registry Liaison at ICANN, Tina Dam - Director, IDN Program ICANN, Dave Wodelet, Wendy Seltzer, Thomas Narten – ICANN Board members” [ref 4]&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;Directi, LogicBoxes and Skenzo control / manage / own ‘PrivacyProtect’ – a domain privacy service which shields cybercrime, and does so by design. It currently shields 759,172 domains. [fig 2]&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;“LogicBoxes currently powers the infrastructure and software of over 50 ICANN Accredited Domain Registrars including EST Domains” [ref 5] (LogicBoxes online corporate profile). EstDomains is associated with Atrivo aka Intercage. It is estimated Estdomains provide Atrivo with 40% to 60% of its revenue.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;Directi, LogicBoxes and Skenzo are associated with Everyones Internet (US) and The Planet (US) (rack space etc. for opticaljungle / orderbox-dns). Coincidentally both are within the top 10 hosts in the world for infected web sites (6,000). [ref 6]&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;Bhavin Turakhia - CEO and Chairman of The Directi Group: “Directi to continue growing at triple digit growth rates year after year, technical advisor to the local CyberCrime Investigation Cell, Bhavin was also former chairman for the Global ICANN Accredited Registrars Constituency for two consecutive terms. 
He has been the youngest elected chair for this post in the history of ICANN” - [ref 7] [ref 8]&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;The facts (just a few notable examples) – what?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Historical Aug 07&lt;/span&gt; - Bank of India iFrame hack - X-TRAFFIC.BIZ – RBN, ICANN Registrar: ESTDOMAINS [ref 9]&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Ongoing&lt;/span&gt; – RBN retail - Loads.cc - ICANN Registrar = DIRECTI – Registrant = PrivacyProtect.org [ref 10] [ref 11] [ref 12]&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Ongoing&lt;/span&gt; - RBN retail payment systems isoftpay – Current; ICANN Registrar: ESTDOMAINS Registrant: PrivacyProtect.org [ref 13]&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Current&lt;/span&gt; - Robotraff: A Hacker's Go-To For Clicks – Brian Krebs Washington Post - robotraff.com; ICANN Registrar = DIRECTI – Registrant = PrivacyProtect.org [ref 14]&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Newer rogue / fake&lt;/span&gt; sample – malwarebell; the filename MALWAREBELL.EXE was first seen on Apr 14 2008 in CANADA, BELGIUM on Apr 15 2008, SPAIN on 
Apr 23 2008, GERMANY on Apr 23 2008;  ICANN Registrar = Estdomains; Registrant = PrivacyProtect.org [ref 15]&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/SClNhXSSC5I/AAAAAAAAANQ/WGpx_INVkIU/s1600-h/privacyprotect_rbnexploit.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/SClNhXSSC5I/AAAAAAAAANQ/WGpx_INVkIU/s320/privacyprotect_rbnexploit.jpg" alt="" id="BLOGGER_PHOTO_ID_5199772480357665682" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Brand New&lt;/span&gt; - Mass File Injection Attack from Russia with Zlob - “If you do a Google search for these URLs, you get about 400,000 sites" - The key domain = xprmn4u.info ("HaCKeD By BeLa &amp;amp; BodyguarD" = 90,000 hits on Google); ICANN registrar for = Estdomains; Registrant = PrivacyProtect.org [ref 16]&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Fig 2 - PrivacyProtect - map&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms; font-weight: bold;"&gt;Conclusions&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;“But if someone broke — or worse, subverted — the fundamental way in which we find web sites, we wouldn’t trust URLs any more. Own the DNS and you own the Internet.”  [ref 17]&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;The background research and this summary article has been around four months in the making within the community. 
It should be emphasized there is considerably more ‘who’ and ‘what’ which will be presented in full later.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;We feel even the most casual reader will be concerned, as this affects every user of the internet. We as a group want to further stress we are believers in an open and unrestricted internet; however, if this trend continues, with a parallel DNS system being developed on an unofficial DNS architecture that will fake all records, this will be a real mess, resulting in a groundswell of Internet users who rightly request governmental action in some form to assume some form of control.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;We hope that, as a minimum, many readers will contact ICANN [ref 18] to at least determine what they are going to do about Estdomains, PrivacyProtect and anonymous domain registrants – right now! This also begs the question of the commercial approach of ICANN apparently supporting unfettered registrar development and who it allows in sponsorship or election. If ICANN does not rapidly clean up its own act to encourage the view that the DNS is safe in their hands, realistically several Internets will evolve: “Good, Bad, and the Ugly”.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;As for Directi and co., there will undoubtedly be arguments of: we are unaware, not responsible, we only manage, or a very small minority… From their logged and monitored actions we do not believe them. Even so, with their claimed expertise, if they were unaware of the role of EstDomains or PrivacyProtect, and thus RBN, then should they be trusted within or in any form of association with ICANN?
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Special thanks,&lt;/span&gt; to name but a few:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;Jim McQuaid, Debbie Rosman, David Bizeul, EmergingThreats.net, malwaredomains.com, open source security community, Robtex, CyberDefCon, et al. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms; font-weight: bold;"&gt;References:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 1] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.citi.umich.edu/u/provos/papers/ndss08_dns.pdf"&gt;Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 2] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://hostexploit.blogspot.com/2008/04/top-25-worlds-exploit-hosts-and-servers.html"&gt;Top 25 Exploit Hosts&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 3] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.icannwatch.org/icann4beginners.shtml"&gt;ICANN for Beginners&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 4] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.hostreview.com/news/press/080220DirectI.html"&gt;LogicBoxes and Skenzo host a "Taj Mahal Sojourn" for ICANN&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 5] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.logicboxes.com/aboutus/corporate-profile"&gt;LogicBoxes online corporate profile&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 6] 
&lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://bp2.blogger.com/_SvDjzn4xfyE/SAfStceYmUI/AAAAAAAAANE/mHJRp7oQgzM/s1600-h/hostexploit_top25_001_0408.jpg"&gt;The Planet and Everyones Internet&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 7] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://icannwiki.org/Bhavin_Turakhia"&gt;Directi CEO&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 8] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.cybercellmumbai.com/"&gt;CyberCell Mumbai India&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 9] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://rbnexploit.blogspot.com/2007/11/rbn-fake-tools-rogue-software-bank-of.html"&gt;Bank of India Hack Aug 07&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 10] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://rbnexploit.blogspot.com/2007/11/rbn-76-service-team-loads-cc-and-their.html"&gt;RBN Retail &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 11] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://sunbeltblog.blogspot.com/2008/03/dangerous-loadscc-malware-gang-re.html"&gt;Loads cc&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 12] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.pcworld.com/article/id,139056-c,hackers/article.html"&gt;One-Stop Shopping for Hackers&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 13] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://rbnexploit.blogspot.com/2007/12/rbn-retail-payment-systems.html"&gt;RBN payment systems &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 14]  &lt;/span&gt;&lt;a style="font-family: trebuchet 
ms;" href="http://blog.washingtonpost.com/securityfix/2008/05/the_click_fraud_stock_exchange_1.html?hpid=news-col-blog"&gt;Robotraff &lt;/a&gt;&lt;span style="font-family: trebuchet ms;"&gt;– Brian Krebs&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 15] Rogue - &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.prevx.com/filenames/1383973877341452435-X1/MALWAREBELL.EXE.html"&gt;Malwarebell&lt;/a&gt;&lt;span style="font-family: trebuchet ms;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 16] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://isc.sans.org/diary.html?storyid=4405"&gt;Mass File Injection Attack from Russia with Zlob&lt;/a&gt;&lt;span style="font-family: trebuchet ms;"&gt; – ISC.sans&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 17] Alistair Croll &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://gigaom.com/2008/04/06/10-ways-the-internet-will-die/"&gt;'10 Ways the Internet (As We Know It) Will Die'&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;[ref 18] &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.icann.org/cgi/contact"&gt;Contact ICANN&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Coming soon&lt;/span&gt; - RBN - Automated Mass Malware Domain Registration&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/289288531/rbn-partners-official-sponsors-of-icann.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2008/05/rbn-partners-official-sponsors-of-icann.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-3855823469411755443</guid><pubDate>Tue, 19 Feb 2008 12:02:00 +0000</pubDate><atom:updated>2008-02-19T04:30:59.598-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">DDos</category><category domain="http://www.blogger.com/atom/ns#">internet security</category><category domain="http://www.blogger.com/atom/ns#">rbnexploit</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><category domain="http://www.blogger.com/atom/ns#">365fastcash</category><category domain="http://www.blogger.com/atom/ns#">denial of service</category><category domain="http://www.blogger.com/atom/ns#">botnet</category><category domain="http://www.blogger.com/atom/ns#">storm</category><title>RBN – Extortion and Denial of Service (DDOS) Attacks</title><description>&lt;div style="text-align: justify;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_SvDjzn4xfyE/R7rIjqZ-W1I/AAAAAAAAAMk/r6JBgQMui7g/s1600-h/RBNexploit_DDos_Prolexic.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 309px; height: 235px;" src="http://bp0.blogger.com/_SvDjzn4xfyE/R7rIjqZ-W1I/AAAAAAAAAMk/r6JBgQMui7g/s320/RBNexploit_DDos_Prolexic.jpg" alt="" id="BLOGGER_PHOTO_ID_5168664037365275474" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The 
Russian Business Network (RBN) has long been known for its bulletproof hosting and its control of botnets such as Storm. Apart from the obvious example of an RBN “hired gun” Distributed Denial of Service (DDoS) attack on Estonia in May 2007, many have attempted to comprehend and link the RBN’s use of botnets. Within this article we shed light, via several documented examples, on the extortion of potential clients into the use of their “specialized” hosting services by means of DDoS, and on a further example of RBN’s ecommerce.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;For those who wish to understand how a DDoS attack works via a botnet, see figure 1.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R7rIVKZ-W0I/AAAAAAAAAMc/TROeE6bkA6M/s1600-h/RBNexploit_DDos_Evolution.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/R7rIVKZ-W0I/AAAAAAAAAMc/TROeE6bkA6M/s320/RBNexploit_DDos_Evolution.jpg" alt="" id="BLOGGER_PHOTO_ID_5168663788257172290" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:trebuchet ms;"&gt;Figure 2 shows the evolution of DDoS over recent years based upon purpose and size, currently at 17+ Gbps (gigabits per second) and potentially 7,000 such attacks daily - courtesy of Prolexic technologies (click on the figs to see full size and see links below).&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span 
style="font-family:trebuchet ms;"&gt;The business model RBN uses is quite simple and effective; its affiliates and resellers comb various niche market forums and discussion areas for webmasters using or discussing protective web services, i.e. DDoS prevention. They carry out a DDoS attack on the website and then use a third-party sales approach to the webmaster to “encourage” a sign-up for their DDoS prevention services. The cost of this hosting service is $2,000 per month.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;These niche markets for the RBN are usually within the Internet market sectors of pornography, and specialized grey areas, e.g. online pharmaceuticals, and HYIP (High Yield Investment Programs). This blog is not commenting on the legitimate purpose or otherwise of these web sites; the RBN is successful because most of these webmasters are not about to publicly complain. However, it does appear that legitimate hosting services offering a level of DDoS prevention are vulnerable to the RBN’s monopolistic efforts to capture and control this high-income business. It further appears many such recruits are then encouraged to mitigate the costs by becoming resellers themselves of the hosting and other RBN services. 
It should be added that some of these resellers are unaware, or are happy to remain ignorant, that they are actually part of the RBN reseller community.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;For sample details we can start at the HYIP forum “Talkgold”; this is a fascinating knock-about discussion on RBN DDoS extortion (see link below) and provides some useful clues for RBN exposure.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;However, the clearest evidence can be seen within another forum, “HotHYIPs”: figure 3 shows the details of RBN DDoS reselling, and&lt;/span&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R7rHyKZ-WzI/AAAAAAAAAMU/0J-5jJkcYYM/s1600-h/RBNexploit_hotHYIPs_a_DDos.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/R7rHyKZ-WzI/AAAAAAAAAMU/0J-5jJkcYYM/s320/RBNexploit_hotHYIPs_a_DDos.jpg" alt="" id="BLOGGER_PHOTO_ID_5168663186961750834" border="0" /&gt;&lt;/a&gt; &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_SvDjzn4xfyE/R7rHkqZ-WyI/AAAAAAAAAMM/cpr23rDGqQo/s1600-h/RBNexploit_hotHYIPs_b_DDos.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_SvDjzn4xfyE/R7rHkqZ-WyI/AAAAAAAAAMM/cpr23rDGqQo/s320/RBNexploit_hotHYIPs_b_DDos.jpg" alt="" id="BLOGGER_PHOTO_ID_5168662955033516834" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;figure 4 shows an example of grateful affiliates, with a US-based affiliate openly stating “Paid very fast. 
A very good return from a ddos attack.”&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The prime sales link for the RBN hosting is via NEAVE LIMITED, a UK registered company, but the actual core serving is ELTEL, based in St. Petersburg RU, one of the core replacement servers for the RBN post Nov 08, with 30 AS peers and 67,584 IP addresses. This is listed within Spamhaus (see link below) as “Botnet criminal Indian &amp;amp; .ru/.ua spammer host: NEAVE LIMITED” as of Jan 12th 08.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Eltel: IP range 81.9.8.0 - 81.9.8.255 AS20597, example site hosting; goldenpiginvest.com /.net – thecanadianmeds.com – pharmacy-viagra.net&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Already some of the notable blacklisted domains listed within the Spamhaus lasso have moved to other RBN-utilized AS servers, also using the RBN’s recent blocking-avoidance mechanism of wildcard “*.badsite.com” subdomains, for example:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;rxpharmacy-support.com - ns3.cnmsn.com - 204.13.67.108 - 204.13.64.0/21 AKANOC Solutions Inc - AS 33314 (US)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;*.thecanadianmeds.com - 79.135.160.0/19 Sistemnet Telecom - AS9121 TTNet (Turkey)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet 
ms;"&gt;officialmedicines.com - 79.135.165.0-79.135.166.255 AS9121 TTNet (Turkey)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;psxshop.com - 66.197.0.0/17 - AS29748 Carpathia Hosting&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/R7rHCaZ-WxI/AAAAAAAAAME/2nCAAhzKji8/s1600-h/RBNexploit_DDos_GOLDENPIGINVEST_NET.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_SvDjzn4xfyE/R7rHCaZ-WxI/AAAAAAAAAME/2nCAAhzKji8/s200/RBNexploit_DDos_GOLDENPIGINVEST_NET.jpg" alt="" id="BLOGGER_PHOTO_ID_5168662366622997266" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:trebuchet ms;"&gt;To further demonstrate RBN connectivity, “goldenpiginvest.net” links directly to data storage at box(dot)net on Level3 Communications (see figure 5), a service that provides the ability to collaborate and share files online. This was shown in an earlier RBN blog article concerning 365fastcash and the RBN’s Panama-based servers (see link below). 
No doubt Level 3 will be able to (again) inform US authorities of the content of these data files, and terminate such services.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Figure 6 – IP diagram for *.thecanadianmeds.com&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/R7rGiaZ-WwI/AAAAAAAAAL8/nXHOzcYN8m4/s1600-h/RBNexploit_DDos_canadian.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp3.blogger.com/_SvDjzn4xfyE/R7rGiaZ-WwI/AAAAAAAAAL8/nXHOzcYN8m4/s400/RBNexploit_DDos_canadian.jpg" alt="" id="BLOGGER_PHOTO_ID_5168661816867183362" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Links:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.prolexic.com/labs/"&gt;Prolexic technologies - DDoS information - figures 1 &amp;amp; 2&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.talkgold.com/forum/showthread.php?t=205589"&gt;RBN DDoS extortion Talkgold forum discussion&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.hothyips.com/details/Golden+Path+%28Pig%29+Invest.6498.html"&gt;HotHYIPS forum RBN reseller advertising and remarks&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" href="http://www.spamhaus.org/sbl/sbl.lasso?query=SBL62147"&gt;Spamhaus botnet lasso - NEAVE LIMITED / 
Eltel, St. Petersburg RU&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" href="http://rbnexploit.blogspot.com/2008/01/rbn-365fastcash-panama-and-1488-ru.html"&gt;Level3 Communications; box(dot)net; goldenpiginvest.net &amp;amp; 365fastcash common linkages&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~f/RussianBusinessNetwork?a=eAUi1AE"&gt;&lt;img src="http://feeds.feedburner.com/~f/RussianBusinessNetwork?i=eAUi1AE" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RussianBusinessNetwork/~4/237538161" height="1" width="1"/&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/237538161/rbn-extortion-and-denial-of-service.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2008/02/rbn-extortion-and-denial-of-service.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-3386674864488777092</guid><pubDate>Wed, 23 Jan 2008 15:27:00 +0000</pubDate><atom:updated>2008-01-23T08:22:08.374-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">mebroot</category><category domain="http://www.blogger.com/atom/ns#">rbnexploit</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">fake codecs</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><category domain="http://www.blogger.com/atom/ns#">rogue software</category><category domain="http://www.blogger.com/atom/ns#">storm</category><title>RBN – Out with the New and in with the Old – Mebroot</title><description>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The Russian Business Network (RBN) is using one of their usual deceptive approaches of confusing by the use of old domains and recycling exploit techniques, this is the case with Mebroot.  There has rightly been a great deal of press (see links below) concerning Mebroot as identified by Symantec on Jan 8th 08. This is a rootkit exploit that overwrites part of a computer's hard drive called the Master Boot Record (MBR). 
This is still a dangerous and difficult exploit: once established and undetected, it confounds most anti-virus software. Its purpose is to hijack the user’s PC, which is then redirected to download further exploits for stealing banking information and identity theft. The good news is that there are some straightforward detection and removal tools, e.g. GMER; also see on their website a good write-up of how a rootkit actually works. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;So what is new? The exploit sites now use a fast-flux P2P botnet, and the exploit is polymorphic, i.e. able to alter its form and mutate. But this approach is the same old stuff under a different name: it is Torpig, Anserin, Gromozon, etc., even using some of the old domains for distribution. So where do the “new” exploit names come from? Unfortunately, from us. Our constant reductionist approach to BadWare is used by the RBN to confound, and we play right into their hands: every time we rename their stuff we make it easier for them to blend into the confusion. The old is forgotten or not reported, and they reuse the old stuff all over again. When we all start using a commonly accepted, holistic approach to naming the problem, we may win this war. 
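As an added example (not code from the original post, from GMER or from Symantec), the following Python reads the 512-byte MBR layout that a bootkit of this kind overwrites and compares the bootstrap code against a baseline hash recorded from a known-clean state. The partition table and the 0x55AA signature are left intact by such an infection, so hashing only those proves nothing; the bootstrap area (bytes 0 to 445) is what has to be compared. The MBR images, the device path and the baseline hash are constructed assumptions. One caveat a practitioner would want: a live bootkit can hook disk I/O and hand back a clean sector to anything running under the infected OS, so a trustworthy read of sector 0 comes from a clean boot medium.

```python
"""MBR layout check for the kind of bootkit described above.
Added example: this is not code from the RBN blog, GMER or Symantec.
The MBR images below are constructed test data, not real infections."""
import hashlib

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code (what a bootkit overwrites)
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the code
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"       # bytes 510..511


def read_mbr(device_path):
    """Read sector 0 of a block device, e.g. /dev/sda (needs privileges).
    A live bootkit can hook disk I/O and hand back a clean sector, so for a
    trustworthy read, boot from clean media and read the disk from there."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def parse_mbr(mbr):
    """Return the boot-code hash, the non-empty partition entries and
    whether the 0x55AA signature is present."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status = mbr[off]                # 0x80 = active/bootable
        ptype = mbr[off + 4]             # partition type byte
        lba_start = int.from_bytes(mbr[off + 8:off + 12], "little")
        sectors = int.from_bytes(mbr[off + 12:off + 16], "little")
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": mbr[510:512] == BOOT_SIG,
    }


def check_mbr(mbr, baseline_sha256):
    """Compare an MBR with a baseline hash recorded from a known-clean state.
    Returns a list of findings; an empty list means nothing suspicious."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code does not match baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def build_sample_mbr(boot_code):
    """Constructed test MBR: given boot code, one active NTFS partition
    starting at LBA 2048, three empty entries, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = bytes([0x80]) + b"\x01\x01\x00" + bytes([0x07]) + b"\xfe\xff\xff"
    entry += (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little")
    return code + entry + b"\x00" * (PART_ENTRY_LEN * 3) + BOOT_SIG


# Clean image: starts with the usual "xor ax,ax / mov ss,ax / mov sp,7C00h" prologue
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# "Infected" image: same partition table and signature, different boot code,
# which is exactly what a hash of the partition table alone would miss
INFECTED_MBR = build_sample_mbr(b"\xeb\x3e\x90" + b"\x90" * 60)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

Record the baseline hash when the machine is known clean (or from the vendor's stock MBR), store it off the host, and compare against a read taken from a clean boot medium; a read taken under the running OS is only as trustworthy as that OS.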
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;For details a “small” sample, especially for our Italian Gromozon readers:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R5dfnu7C7YI/AAAAAAAAALw/H409MDrbEHU/s1600-h/RBNexploit_callsolutions.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R5dfnu7C7YI/AAAAAAAAALw/H409MDrbEHU/s320/RBNexploit_callsolutions.jpg" alt="" id="BLOGGER_PHOTO_ID_5158697034391416194" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;This particular example callsolutions(dot)biz is on one of our old friends Pilosoft AS26627, with a bunch of RBN’s “very young” erotic sites sharing the name server – a(dot)ns(dot)joker(dot)com.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;As a comparative link, and no RBN blog article would be complete without mention of the RBN’s US division – kopythian(dot)com - Atrivo AS27595; AKA Inhoster, Intercage, and pecb(dot)cc at Atrivo’s Cernal AS36445.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Also just so no-one could say we are picking on Atrivo or where is the RBN link? 
See the following “joining up the dots” of a very small sample out of 100’s of exploit domains on the same Atrivo name server managedns1.estboxes.com:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R5deAu7C7XI/AAAAAAAAALo/YRHvejgXxAY/s1600-h/RBNexploit_ivipstar.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R5deAu7C7XI/AAAAAAAAALo/YRHvejgXxAY/s200/RBNexploit_ivipstar.jpg" alt="" id="BLOGGER_PHOTO_ID_5158695264864890226" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:trebuchet ms;"&gt;2007postcards(dot)com (Storm),&lt;br /&gt;malwareburn(dot)com (rogue anti-virus),&lt;br /&gt;procodec(dot)com (fake codec),&lt;br /&gt;virusheal(dot)com (rogue anti-virus),&lt;br /&gt;xxl-cash(dot)com (RBN payment site) –&lt;br /&gt;plus a cryptic graphic for our readers from the RBN so they know this is not guesswork. 
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;IP figures:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R5dde-7C7WI/AAAAAAAAALg/RDu958dstOg/s1600-h/RBNexploit_callsolutions_IP.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/R5dde-7C7WI/AAAAAAAAALg/RDu958dstOg/s400/RBNexploit_callsolutions_IP.jpg" alt="" id="BLOGGER_PHOTO_ID_5158694685044305250" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R5ddV-7C7VI/AAAAAAAAALY/kuF6Z5jKqwY/s1600-h/RBNexploit_estboxes.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/R5ddV-7C7VI/AAAAAAAAALY/kuF6Z5jKqwY/s400/RBNexploit_estboxes.jpg" alt="" id="BLOGGER_PHOTO_ID_5158694530425482578" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Gmer - &lt;a href="http://www.gmer.net/index.php"&gt;anti-rootkit download&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Gmer - &lt;a href="http://www2.gmer.net/mbr/"&gt;how a rootkit works&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Symantec - &lt;a href="http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html"&gt;Mebroot article&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;BBC - &lt;a href="http://news.bbc.co.uk/1/hi/technology/7183008.stm"&gt;Mebroot&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~f/RussianBusinessNetwork?a=YIExIPD"&gt;&lt;img src="http://feeds.feedburner.com/~f/RussianBusinessNetwork?i=YIExIPD" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RussianBusinessNetwork/~4/221720253" height="1" width="1"/&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/221720253/rbn-out-with-new-and-in-with-old.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2008/01/rbn-out-with-new-and-in-with-old.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-3739045281842544268</guid><pubDate>Mon, 07 Jan 2008 18:36:00 +0000</pubDate><atom:updated>2008-01-07T11:21:13.706-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">76service</category><category domain="http://www.blogger.com/atom/ns#">internet security</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><category domain="http://www.blogger.com/atom/ns#">365fastcash</category><title>RBN – 365fastcash, Panama, and 1488 RU</title><description>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;As regular readers know the Russian Business Network (RBN) originally utilized an extensive virtual base in Panama (Nevacon), we can now report they are back.  The new hive centers on AS26426 Optynex Telecom Sa, Calle 53, Piso 18, Panama City, Panama) Phone: 210-9900 and cybercastco.com name servers (special thanks to Jim McQuaid and Snort expertise).&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;There are numerous domains but to select a sample of domains, in this article we can focus on two, 365f&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;astcash(dot)com and Jidov(dot)net. 
It is also pleasing to show these&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt; are already encompassed within RBN Snort Rules on EmergingThreats.net (&lt;a href="http://www.emergingthreats.net/rules/bleeding-rbn-BLOCK.rules"&gt;bleeding-rbn-BLOCK.rules&lt;/a&gt;)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R4J2OvPXcZI/AAAAAAAAALA/HEMZNs6KGDM/s1600-h/RBNexploit_365cash.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R4J2OvPXcZI/AAAAAAAAALA/HEMZNs6KGDM/s320/RBNexploit_365cash.jpg" alt="" id="BLOGGER_PHOTO_ID_5152810919236432274" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt; 365fastcash has b&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;een delivering a truly blended threat by using an automated telephone dialing system to ask people for the last 4 digits of their social security number. 
This was flooding switchboards at a well-known US charitable organization a few days ago, and was obviously the first of many.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt; Interestingly there are two sub-domains, “back1.365fastcash” and “bavk1.365fastcash”, both of which   &lt;/span&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R4J1B_PXcXI/AAAAAAAAAKw/HHCGkLquEEQ/s1600-h/RBNexploit_box_net.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/R4J1B_PXcXI/AAAAAAAAAKw/HHCGkLquEEQ/s200/RBNexploit_box_net.jpg" alt="" id="BLOGGER_PHOTO_ID_5152809600681472370" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;are similar in structure to the earlier reported &lt;a href="http://rbnexploit.blogspot.com/2007/10/rbn-76service-gozi-hangup-team-and-us.html"&gt;76service&lt;/a&gt; and &lt;a href="http://rbnexploit.blogspot.com/2007/11/rbn-76-service-team-loads-cc-and-their.html"&gt;76team&lt;/a&gt;. The difference on this occasion is that the likely personal-ID data storage is reached by direct links from the sub-domains to Level3 Communications; box(dot)net, a service that provides the ability to collaborate and share files online. No doubt Level 3 will be able to inform US authorities of the content of these data files, and terminate such services. Further IP and SSL details below. &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt; Jidov(dot)net provides an interesting political twist for the RBN, as this is the &lt;/span&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R4J7dvPXcbI/AAAAAAAAALQ/6JXmH3nIkPA/s1600-h/RBNexploit_jidov1488.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R4J7dvPXcbI/AAAAAAAAALQ/6JXmH3nIkPA/s320/RBNexploit_jidov1488.jpg" alt="" id="BLOGGER_PHOTO_ID_5152816674492608946" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;safe hosting location for 1488(dot)ru. For those who are not aware, 1488 RU is the supposedly banned, violent, and very well financed Russian Nazi group. The 14 represents the 14-word slogan "We must secure the existence of our people and a future for White children”, and 88 represents the eighth letter of the alphabet twice, HH, standing for Heil Hitler. The question now arises: does this represent the source of the RBN’s political views, or just expensive (formerly) bullet-proof hosting? 
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;p class="MsoNormal"&gt;&lt;b style=""&gt;&lt;span style="" lang="EN-GB"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Forum Intro:&lt;/span&gt;&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p style="margin: 0in 0in 0.0001pt; text-align: justify;"&gt;&lt;span style="" lang="EN-GB"&gt;(RU) &lt;/span&gt;&lt;span style="" lang="RU"&gt;Друзья, мы рады сообщить Вам, что теперь сайт 1488.ru доступен из доменной зоны Jidov.net .&lt;/span&gt;&lt;span style="" lang="RU"&gt; &lt;/span&gt;&lt;span style="" lang="RU"&gt;Развитие проекта идет полным ходом. Благодарим Вас за внимание к нашему ресурсу. Скоро мы сможем предложить Вам регистрацию доменов третьего уровня в наших доменных зонах (Ваш ник.1488.ru и Ваш ник.jidov.net). Так же, мы готовы предложить вам размещение банеров на страницах нашего ресурса.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;p style="margin: 0in 0in 0.0001pt; text-align: justify;"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p style="margin: 0in 0in 0.0001pt; text-align: justify;"&gt;&lt;br /&gt;&lt;span style="" lang="RU"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;  &lt;/div&gt;&lt;p style="margin: 0in 0in 0.0001pt; text-align: justify;"&gt;&lt;span style=""&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;  &lt;/div&gt;&lt;p style="margin: 0in 0in 0.0001pt; text-align: justify;"&gt;&lt;span style=""&gt;(EN) Friends, we are glad to report to you that now the site to 1488.ru is accessible from the domain zone Jidov.net. The development of design occurs full speed. We thank you for the attention to our resource. Soon we will be able to propose to you registration it is pre-barter the third level in our domain zones (your nik.1488..ru and your it nik..jidov.net). 
So, we are prepared to propose to you the arrangement of banners for the pages of our resource.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Further details: &lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;365Fastcash - 200.115.173.215 - Registrar: KEY-SYSTEMS GMBH,    Whois Server: whois.rrpproxy.net &lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Name Server: NS1.CYBERCASTCO.COM,  NS2.CYBERCASTCO.COM: 06-dec-2007&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;SSL Information for 200.115.173.215&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;table class="MsoNormalTable" style="width: 100%;" border="1" cellpadding="0" width="100%"&gt;  &lt;tbody&gt;&lt;tr style=""&gt;   &lt;td style="padding: 0.75pt;"&gt;&lt;br /&gt;&lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;&lt;br /&gt;&lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;&lt;br /&gt;&lt;/td&gt;  &lt;/tr&gt;  &lt;tr style=""&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;SSLv2&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Yes&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Cipher Spec:     SSL2_RC4_128_WITH_MD5   [010080]&lt;br /&gt;Cipher Spec:     SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]&lt;br /&gt;Cipher Spec:     SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]&lt;br /&gt;Cipher Spec:     SSL2_DES_64_CBC_WITH_MD5 [060040]&lt;br /&gt;Cipher Spec:     SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]&lt;br /&gt;Cipher Spec:     SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]&lt;br /&gt;Connection ID:     26ad291530a4cc910e9c066877bda0f0&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style=""&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p 
class="MsoNormal"&gt;SSLv3&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Yes&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Cipher Spec:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style=""&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;TLS 1.0&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Yes&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Cipher Spec:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/R4Jy0PPXcVI/AAAAAAAAAKg/IkFz7P7Nadk/s1600-h/RBNexploit_365cash_IPmap.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp3.blogger.com/_SvDjzn4xfyE/R4Jy0PPXcVI/AAAAAAAAAKg/IkFz7P7Nadk/s400/RBNexploit_365cash_IPmap.jpg" alt="" id="BLOGGER_PHOTO_ID_5152807165435015506" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;JIDOV(dot)NET - 200.115.171.200&lt;/span&gt; &lt;span style="font-family:trebuchet ms;"&gt;Registrar: ESTDOMAINS; Name Servers: NS1.CYBERCASTCO.COM, NS2.CYBERCASTCO.COM, 11-nov-2007&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;SSL Information for 200.115.171.200&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;table class="MsoNormalTable" style="width: 100%;" border="1" cellpadding="0" width="100%"&gt;&lt;tbody&gt;&lt;tr style=""&gt;&lt;td style="padding: 
0.75pt;"&gt;&lt;br /&gt;&lt;/td&gt;&lt;td style="padding: 0.75pt;"&gt;&lt;br /&gt;&lt;/td&gt;&lt;td style="padding: 0.75pt;"&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style=""&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;SSLv2&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Yes&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Cipher Spec:     SSL2_RC4_128_WITH_MD5   [010080]&lt;br /&gt;Cipher Spec:     SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]&lt;br /&gt;Cipher Spec:     SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]&lt;br /&gt;Cipher Spec:     SSL2_DES_64_CBC_WITH_MD5 [060040]&lt;br /&gt;Cipher Spec:     SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]&lt;br /&gt;Cipher Spec:     SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]&lt;br /&gt;Connection ID:     85feb66767c2560349e7409f2b25118f&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style=""&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;SSLv3&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Yes&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Cipher Spec:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr style=""&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;TLS 1.0&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Yes&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0.75pt;"&gt;   &lt;p class="MsoNormal"&gt;Cipher Spec:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt; 
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/R4JxyPPXcUI/AAAAAAAAAKY/OKsPrNxgp9c/s1600-h/RBNexploit_jidov1488_IPmap.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp3.blogger.com/_SvDjzn4xfyE/R4JxyPPXcUI/AAAAAAAAAKY/OKsPrNxgp9c/s400/RBNexploit_jidov1488_IPmap.jpg" alt="" id="BLOGGER_PHOTO_ID_5152806031563649346" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="text-decoration: underline;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="feedflare"&gt;
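Both SSL tables above show the same shape of exposure: SSLv2 with export-grade, single-DES and MD5-based suites, alongside one sane DHE-RSA/AES-256 suite on SSLv3 and TLS 1.0. They also show why the numeric codes matter more than the printed labels: the scanner that produced them printed the same name for codes 030080 and 040080, but in the SSLv2 specification 0x040080 is the 40-bit export RC2 suite. The following Python, added here and not part of the original post or of any scanner, parses such listings, decodes the SSLv2 cipher-kind codes against the specification table, reports labels that disagree with their code, and grades each offered suite. The scan text is a constructed copy of the 200.115.173.215 table as the scanner printed it; the weakness rules are assumptions a practitioner would tune.

```python
"""Decode and grade cipher listings like the SSL tables in this post.
Added example, not part of the original post or of any scanner.
The SCAN_200_115_173_215 text is a constructed copy of the post's table."""
import re

# SSLv2 CIPHER-KIND codes from the SSLv2 specification (draft-hickman)
SSL2_CIPHER_KINDS = {
    "010080": "SSL2_RC4_128_WITH_MD5",
    "020080": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    "030080": "SSL2_RC2_128_CBC_WITH_MD5",
    "040080": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    "050080": "SSL2_IDEA_128_CBC_WITH_MD5",
    "060040": "SSL2_DES_64_CBC_WITH_MD5",
    "0700c0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}

PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLS 1\.\d)")
CIPHER_RE = re.compile(r"Cipher Spec:\s+(\S+)(?:\s+\(\d+ bit\))?\s+\[([0-9a-fA-F]{6})\]")

# Substrings of a suite name that mark it as weak, and why (assumed policy)
WEAK_PATTERNS = (
    ("EXPORT", "export-grade key length"),
    ("DES_64", "single DES (56-bit key)"),
    ("RC4", "RC4 stream cipher"),
    ("RC2", "RC2 cipher"),
    ("_MD5", "MD5-based MAC"),
    ("NULL", "null cipher or null MAC"),
    ("ANON", "anonymous key exchange"),
)


def parse_scan(text):
    """Return (protocol, reported_name, hex_code) for each 'Cipher Spec' line,
    attributing each to the most recent protocol header line."""
    records = []
    proto = None
    for line in text.splitlines():
        line = line.strip()
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = CIPHER_RE.search(line)
        if m and proto:
            records.append((proto, m.group(1), m.group(2).lower()))
    return records


def grade_scan(text):
    """Grade every offered cipher; for SSLv2 also decode the numeric code and
    report labels that disagree with it. Returns (findings, mismatches)."""
    findings = set()
    mismatches = []
    for proto, name, code in parse_scan(text):
        if proto == "SSLv2":
            findings.add("SSLv2 protocol enabled")
            spec = SSL2_CIPHER_KINDS.get(code)
            if spec is None:
                mismatches.append((name, code, "unknown SSLv2 cipher kind"))
            elif not set(spec.split("_")).issubset(name.split("_")):
                mismatches.append((name, code, spec))   # label omits something the code implies
            name = spec or name     # grade by what the code actually means
        elif proto == "SSLv3":
            findings.add("SSLv3 protocol enabled")
        for needle, why in WEAK_PATTERNS:
            if needle in name.upper():
                findings.add(f"{proto}: {name}: {why}")
    return sorted(findings), mismatches


# Constructed from the table for 200.115.173.215 above, including the
# duplicated label on the 040080 row exactly as the scanner printed it
SCAN_200_115_173_215 = """\
SSLv2  Yes
Cipher Spec:     SSL2_RC4_128_WITH_MD5   [010080]
Cipher Spec:     SSL2_RC2_CBC_128_CBC_WITH_MD5 [030080]
Cipher Spec:     SSL2_DES_192_EDE3_CBC_WITH_MD5 [0700c0]
Cipher Spec:     SSL2_DES_64_CBC_WITH_MD5 [060040]
Cipher Spec:     SSL2_RC4_128_EXPORT40_WITH_MD5 [020080]
Cipher Spec:     SSL2_RC2_CBC_128_CBC_WITH_MD5 [040080]
SSLv3  Yes
Cipher Spec:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]
TLS 1.0  Yes
Cipher Spec:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (256 bit) [000039]
"""

if __name__ == "__main__":
    findings, mismatches = grade_scan(SCAN_200_115_173_215)
    for f in findings:
        print("WEAK:", f)
    for m in mismatches:
        print("LABEL MISMATCH:", m)
```

Grading by the decoded code rather than the printed label is the point: the 040080 row comes out as the 40-bit export suite it really is, which a reader of the label alone would have counted as 128-bit RC2.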
&lt;a href="http://feeds.feedburner.com/~f/RussianBusinessNetwork?a=pES1vYD"&gt;&lt;img src="http://feeds.feedburner.com/~f/RussianBusinessNetwork?i=pES1vYD" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RussianBusinessNetwork/~4/212749831" height="1" width="1"/&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/212749831/rbn-365fastcash-panama-and-1488-ru.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2008/01/rbn-365fastcash-panama-and-1488-ru.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-5671334673370839218</guid><pubDate>Sun, 06 Jan 2008 02:27:00 +0000</pubDate><atom:updated>2008-01-05T18:40:44.664-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">internet security</category><category domain="http://www.blogger.com/atom/ns#">fake software</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">fake codecs</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><category domain="http://www.blogger.com/atom/ns#">botnet</category><category domain="http://www.blogger.com/atom/ns#">storm</category><title>RBN - Storm Botnet, the Changing Chessboard</title><description>&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;In a follow up to the earlier Russian Business Network (RBN) "New and Improved Storm Botnet for 2008" the chessboard changes yet again.  In this game of chess our opponents started over Christmas with a  full frontal attack, but have already now switched to a flanking moves.  Perhaps on this occasion the community may be able to slow down the advance to force a draw or maybe even win this particular game of chess? 
&lt;/span&gt;&lt;/span&gt; &lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R4A9BPPXcSI/AAAAAAAAAKI/vutdNOae3qs/s1600-h/RBNexploit_storm_trend_0108.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R4A9BPPXcSI/AAAAAAAAAKI/vutdNOae3qs/s320/RBNexploit_storm_trend_0108.jpg" alt="" id="BLOGGER_PHOTO_ID_5152185065191993634" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The key is to understand and combat Storm 2008's innovative elements and to attempt to quantify the progress of the game. With the aid of early analysis by Thorsten Holz / The German Honeynet Project, and based on limited initial data, we have attempted to produce a predictive trend analysis of the Storm botnet's rebuild towards 1 million PCs. This is shown in figure 1: given that current analysis shows growth from roughly 10,000 on Dec-22 to 30,000-40,000 by Jan-03, on a conservative analysis Storm should reach 1 million by mid-February 2008.&lt;br /&gt;&lt;br /&gt;So at least we now have a potential definition of game progress; for the RBN it would be a disappointment if they did not easily clear this target, while for the community the aim is to limit it. Game on? 
&lt;/span&gt;&lt;/span&gt;  &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;To play this game we had all better know the rules of deception. On a current assessment of progress against the innovative Storm elements:&lt;/span&gt;&lt;/span&gt;  &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;# First the good news: so far 2,147 fake and/or infected Blogspots have been detected and are flagged by Google, as shown in the StopBadWare clearing house.&lt;/span&gt;&lt;/span&gt;  &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;# Further good news: on checking, most of the Storm attack domains (see list below) are SBL or XBL listed on Spamhaus et al.&lt;/span&gt;&lt;/span&gt;  &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;# Some confusion in the ranks, as assumptions are made about locations or even selective attacks. As described elsewhere, the botnet control panel(s) are now much more sophisticated, with the ability to decide which geographic regions and areas to attack. Interestingly, if the PC is still subject to an earlier infection there will be no further re-infection. &lt;/span&gt;&lt;/span&gt;  &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt; # As noted, the polymorphic nature is clearly present to confuse, i.e. the virus or exploits have the ability to alter their signature in an attempt to defeat anti-virus tools.&lt;/span&gt;&lt;/span&gt; &lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;# Most worrying is the constant stream of domains and the "fast-flux" technique used to avoid detection; in this case it is actually “double-flux”, in which not only the A records but also the NS records of the domain are rotated through the botnet, with multiple nodes within the network registering and de-registering their addresses. 
This implies that the IPs change as fast as they can be block-listed, so address-based blocking will always lag; Snort, which is capable of performing packet logging and real-time traffic analysis on IP networks, may at last demonstrate its earlier promise by matching the traffic rather than the addresses. &lt;/span&gt;&lt;/span&gt;  &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;# Finally, it is fairly safe to predict there will be further attacks on the search engines and via social engineering, i.e. Facebook, etc. &lt;/span&gt;&lt;/span&gt; &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The current Storm attack domains and related fakes (also ref. links below: Malwaredomains, Emerging Threats, honeywall blog, and US-CERT), although of limited number to begin with, are now: &lt;/span&gt;&lt;/span&gt;  &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;10000xing(dot)cn - 222360(dot)com - adslooks(dot)info - bnably(dot)com - eqcorn(dot)com - familypostcards2008(dot)com - freshcards2008(dot)com - happy2008toyou(dot)com - happysantacards(dot)com - hellosanta2008(dot)com - hohoho2008(dot)com - kqfloat(dot)com - ltbrew(dot)com - mymetavids(dot)com - obebos(dot)cn - parentscards(dot)com - postcards-2008(dot)com - ptowl(dot)com - qavoter(dot)com - santapcards(dot)com - santawishes2008(dot)com - siski(dot)cn - snbane(dot)com - snlilac(dot)com - tibeam(dot)com - tushove(dot)com - wxtaste(dot)com - yxbegan(dot)com&lt;/span&gt;&lt;/span&gt;  &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;The specific Storm exploits have overlapped with fake anti-malware and fake codecs, which are polymorphic in nature:&lt;/span&gt;&lt;/span&gt; &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet 
ms;"&gt;ArcadeWorld(dot)exe - ArcadeWorldGame(dot)exe - ClickHere(dot)exe  - codecnice1126(dot)dmg - codecnice1126(dot)exe - codecultra1123(dot)dmg - codecultra1123(dot)exe - ecard(dot)exe  - fck2008(dot)exe - Flash_Postcard(dot)exe - FlashPostcard(dot)exe - Full Story(dot)exe - FullClip(dot)exe - FullNews(dot)exe - FullVideo(dot)exe - GreetingCard(dot)exe - GreetingPostcard(dot)exe - happy_2008(dot)exe  - happy2008(dot)exe - Install_video_3913230(dot)exe - MoreHere(dot)exe - NflStatTracker(dot)exe - Postcard(dot)exe - Read_More(dot)exe - ReadMore(dot)exe - sony(dot)exe - stripshow(dot)exe - Video(dot)exe - VideoAccessCodecInstall(dot)exe - virusranger(dot)exe - vrsvc(dot)exe&lt;br /&gt;&lt;br /&gt;&lt;a href="http://honeyblog.org/archives/156-Measuring-the-Success-Rate-of-Storm-Worm.html"&gt;Storm Growth analysis - German HoneyNet&lt;/a&gt;&lt;br /&gt;&lt;a href="http://malwaredomains.com/"&gt;Malwaredomains&lt;/a&gt;&lt;br /&gt;&lt;a href="http://emergingthreats.net/"&gt;Emerging Threats&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.us-cert.gov/current/index.html#storm_worm_activity_increases_during"&gt;US Cert&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~f/RussianBusinessNetwork?a=40gPIwD"&gt;&lt;img src="http://feeds.feedburner.com/~f/RussianBusinessNetwork?i=40gPIwD" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RussianBusinessNetwork/~4/211870945" height="1" width="1"/&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/211870945/rbn-storm-botnet-changing-chessboard.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2008/01/rbn-storm-botnet-changing-chessboard.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-365462324976484546</guid><pubDate>Thu, 27 Dec 2007 05:35:00 +0000</pubDate><atom:updated>2007-12-26T22:05:20.139-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">internet security</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">fake codecs</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><category domain="http://www.blogger.com/atom/ns#">botnet</category><category domain="http://www.blogger.com/atom/ns#">storm</category><title>RBN – New and Improved Storm Botnet for 2008</title><description>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;Obviously the Russian Business Network (RBN) is working overtime during the Christmas and New Year holiday, no doubt planning for many in the ISP security and anti-spam arena to be on skeleton staff.   
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/R3M8z_PXcRI/AAAAAAAAAKA/m61rLltk2eA/s1600-h/RBNmerrychristmas.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_SvDjzn4xfyE/R3M8z_PXcRI/AAAAAAAAAKA/m61rLltk2eA/s200/RBNmerrychristmas.jpg" alt="" id="BLOGGER_PHOTO_ID_5148525662861488402" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Many will now have already seen reports of the Storm Botnet outbreak which started on December 24th “MerryChristmasDude” with good write up at ComputerWorld and for technical details at ISC Sans or HolisticInfoSec (links on footer). This pict&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;ure is changing rapidly and by December 26th there were new web sites “Uhavepostcard” , “HappyCards2008” and no doubt more to come over the next few days.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Three of the key web sites have the following registrant information, all registered via “ANO REGIONAL NETWORK INFORMATION CENTER DBA RU (Russia)” in chronological order:&lt;/span&gt;&lt;/span&gt; &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;Domain Name: MERRYCHRISTMASDUDE.COM - Creation Date: Nov 27 2007&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Domain Name: UHAVEPOSTCARD.COM -          Creation Date: Dec 23 2007&lt;/span&gt;&lt;/span&gt; &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;Domain Name: HAPPYCARDS2008.COM -         Creation Date: Dec 26 
2007 &lt;/span&gt;&lt;/span&gt; &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The key objective for the RBN is to rebuild the Storm Botnet, which various reports over the last few months show has shrunk from a few million enslaved PCs to, more recently, a few 100,000’s. One can only guess what the RBN’s main goal is in rebuilding the Storm Botnet, e.g. the earlier DDOS (Denial of Service attack) on Estonia. &lt;/span&gt;&lt;/span&gt;  &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There are some interesting elements which make this attack innovative:&lt;/span&gt;&lt;/span&gt; &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;# Although much of what is detected is conventional spam, there is also a large amount of spam getting through many anti-spam defenses due to the use of “fake” BlogSpot (Blogger) links, for example, from a small sample:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;hxxp://dantipXXXX.blogspot.com/?soapwerzpordeecaspewtkk153trajspeak&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;hxxp://isakovkapitonXXXX.blogspot.com/?harkwerzpordeecaspewtkk153trajfloor&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The common part of the suffix is “pewtkk153traj”, which redirects to Geocities web sites and then redirects again to the Storm exploit domains. 
&lt;/span&gt;&lt;/span&gt; &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;# Although most have identified as the Zhelatin Storm email worm or variant, it is also as the more recent fake codec downloads, dependent upon where the unfortunate user has come from. This now shows a “polymorphic” format, i.e. the virus or exploit has the ability to alter its signature in an attempt to combat anti-virus tools.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;# The fast-flux technique used to avoid detection in this case is actually “double-flux” characterized by multiple nodes within the network registering and de-registering their addresses (see sample maps below taken within one hour periods and show the fast-flux DNS changes). It is also safe to say this newer Storm Network has now also has improved defense mechanisms, if examined too closely.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R3M8NvPXcQI/AAAAAAAAAJ4/DJUe2iEmRKs/s1600-h/RBNexploit_Storm_Bot_Fast_Flux_map.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/R3M8NvPXcQI/AAAAAAAAAJ4/DJUe2iEmRKs/s400/RBNexploit_Storm_Bot_Fast_Flux_map.jpg" alt="" id="BLOGGER_PHOTO_ID_5148525005731492098" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/R3M8E_PXcPI/AAAAAAAAAJw/3zqnElIXers/s1600-h/RBNexploit_Storm_Bot_Fast_Flux_map2.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" 
src="http://bp3.blogger.com/_SvDjzn4xfyE/R3M8E_PXcPI/AAAAAAAAAJw/3zqnElIXers/s400/RBNexploit_Storm_Bot_Fast_Flux_map2.jpg" alt="" id="BLOGGER_PHOTO_ID_5148524855407636722" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R3M71fPXcOI/AAAAAAAAAJo/Q8lXQYfnumQ/s1600-h/RBNexploit_Storm_Bot_Fast_Flux_map3.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R3M71fPXcOI/AAAAAAAAAJo/Q8lXQYfnumQ/s400/RBNexploit_Storm_Bot_Fast_Flux_map3.jpg" alt="" id="BLOGGER_PHOTO_ID_5148524589119664354" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R3M7hvPXcNI/AAAAAAAAAJg/e4ubrVaBfac/s1600-h/RBNexploit_Storm_Bot_Fast_Flux_map4.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/R3M7hvPXcNI/AAAAAAAAAJg/e4ubrVaBfac/s400/RBNexploit_Storm_Bot_Fast_Flux_map4.jpg" alt="" id="BLOGGER_PHOTO_ID_5148524249817247954" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9054080"&gt;Computerworld - Storm Worm Christmas&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9054119"&gt;Computerworld - Storm New Year&lt;/a&gt;&lt;br /&gt;&lt;a href="http://isc.sans.org/diary.html?storyid=3778"&gt;ISC Sans - Anticipated Storm&lt;/a&gt;&lt;br /&gt;&lt;a href="http://holisticinfosec.blogspot.com/2007/12/storm-bot-stripshow-analysis.html"&gt;HolisticInfoSec &lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~f/RussianBusinessNetwork?a=NUWKwuC"&gt;&lt;img src="http://feeds.feedburner.com/~f/RussianBusinessNetwork?i=NUWKwuC" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RussianBusinessNetwork/~4/206869814" height="1" width="1"/&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/206869814/rbn-new-and-improved-storm-botnet-for.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2007/12/rbn-new-and-improved-storm-botnet-for.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-1483388724652912691</guid><pubDate>Thu, 20 Dec 2007 03:14:00 +0000</pubDate><atom:updated>2007-12-19T20:54:01.051-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">internet security</category><category domain="http://www.blogger.com/atom/ns#">fake software</category><category domain="http://www.blogger.com/atom/ns#">rbnexploit</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><category domain="http://www.blogger.com/atom/ns#">rogue software</category><title>RBN – $$$ - the retail payment systems</title><description>&lt;div style="text-align: justify;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R2niJPPXcMI/AAAAAAAAAJY/wiZJqzT0ew8/s1600-h/RBN_isoftpay_Order.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/R2niJPPXcMI/AAAAAAAAAJY/wiZJqzT0ew8/s400/RBN_isoftpay_Order.jpg" alt="" id="BLOGGER_PHOTO_ID_5145892697585184962" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;In an extension to analysis of the Russian Business Network (RBN) this is the first element of a series on RBN payment systems. 
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;This article focuses on just one of the several payment systems for its “fakes” retail division i.e. isoftpay.com, this has been reported before namely the Sunbelt Blog (see links on footer) Oct 3rd 06 in the report on the rogue software, also more recently reported within 2-spyware on Dec 10th 07.&lt;/span&gt;&lt;/span&gt;                        &lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;In exploring this node of the RBN’s organization it raises several areas of interest; the location(s) of internet operation, SSL and transactional base. Briefly by way of an introduction to later more in depth analysis malware revenue models, analysis solely of isoftpay does provide a starting point for some generalized assumptions of RBN retail revenue. Therefore as mentioned within earlier articles here on fakes and current analysis:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;(a)    Isoftpay serves as the payment point for such fakes as Bravesentry, and others.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;(b)    Secure. Isoftpay.com over the last 30 days (mid Nov – Mid Dec) received 187,750 direct unique visitors from the US.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;(c)    This tends to demonstrate approximately 25% of the unique visitors to those rogue software web sites go back to the payment site. 
As directed by the exploits downloaded from the “free” trial of the fake anti-spyware.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;(d)    On a reasonable assumption a high proportion of those directly visiting the secure payment area after downloading the exploit to make the purchase, say 75%, this would provide gross revenue of say $4 million per month from solely US visitors.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;(e)    As US visitors represent 17 – 40% of the world wide audience for such sites one can assume gross revenue as being in the region of $10 million / month, $120 million per annum. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/R2ngWfPXcKI/AAAAAAAAAJI/8AoGI7M-RBw/s1600-h/RBN_isoftpay_SSL.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_SvDjzn4xfyE/R2ngWfPXcKI/AAAAAAAAAJI/8AoGI7M-RBw/s400/RBN_isoftpay_SSL.jpg" alt="" id="BLOGGER_PHOTO_ID_5145890726195196066" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;A significant component is the SSL (Secure Sockets Layer) and certification the figure below shows the current certificate for Isoftpay.&lt;br /&gt;&lt;br /&gt;The certificate appears legitimate unfortunately we have not as yet ascertained from Equifax or Geotrust whether it is a forgery, and if not, they should be able to inform us who the purchaser was.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Also of interest is the payment transactions and as site takes Visa and MasterCard, and further enquiries are outstanding as to who the revenues collected 
are paid to.&lt;br /&gt;&lt;br /&gt;Finally as several victims have contacted the authors of this blog, and any transaction is fraudulent. No doubt Equifax, Geotrust, Visa and MasterCard will act swiftly to prevent further fraudulent transactions and ensure victims at least gain a return of their payments?    &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;From the perspective of the RBN’s nodes of operation originally as noted by Sunbelt the IP address in Oct 06 was 69.50.168.101 - AS27595 ATRIVO. The figure below shows the current (Dec 19th 07) and a comparison with locations on Oct 28th 07, the actual only difference is the addition of name server (ns3.isoftpay.com) served from AS4837 CNC Group China. The other servers are some of the RBN’s usual suspects AS9930 TTnet Malaysia, AS4657 StarHub Singapore, and it goes without saying AS27595 Atrivo AKA Intercage, Inhoster, etc.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R2nf__PXcJI/AAAAAAAAAJA/6oYgGBTfeAQ/s1600-h/RBN_isoftpay_IP_AS.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R2nf__PXcJI/AAAAAAAAAJA/6oYgGBTfeAQ/s400/RBN_isoftpay_IP_AS.jpg" alt="" id="BLOGGER_PHOTO_ID_5145890339648139410" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;Below is shown in figures two IP and AS maps of the Isoftpay and related domains&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_SvDjzn4xfyE/R2nfevPXcII/AAAAAAAAAI4/ySvDa8uJ3Oo/s1600-h/RBN_isoftpay_IP_map1.jpg"&gt;&lt;img style="margin: 0px 
auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_SvDjzn4xfyE/R2nfevPXcII/AAAAAAAAAI4/ySvDa8uJ3Oo/s400/RBN_isoftpay_IP_map1.jpg" alt="" id="BLOGGER_PHOTO_ID_5145889768417489026" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R2nePPPXcHI/AAAAAAAAAIw/gkrQIWmiL7c/s1600-h/RBN_isoftpay_IP_map2.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/R2nePPPXcHI/AAAAAAAAAIw/gkrQIWmiL7c/s400/RBN_isoftpay_IP_map2.jpg" alt="" id="BLOGGER_PHOTO_ID_5145888402617888882" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;References: &lt;a href="http://sunbeltblog.blogspot.com/2006/10/new-rogue-on-loose-pestcapture.html"&gt;Sunbelt 10/06&lt;/a&gt;  &lt;a href="http://www.2-spyware.com/news/post364.html"&gt;2-Spyware.com 21/07&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~f/RussianBusinessNetwork?a=1BIlemC"&gt;&lt;img src="http://feeds.feedburner.com/~f/RussianBusinessNetwork?i=1BIlemC" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RussianBusinessNetwork/~4/203148583" height="1" width="1"/&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/203148583/rbn-retail-payment-systems.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2007/12/rbn-retail-payment-systems.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-5920232627845921023</guid><pubDate>Thu, 06 Dec 2007 01:28:00 +0000</pubDate><atom:updated>2007-12-06T04:54:46.143-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">internet security</category><category domain="http://www.blogger.com/atom/ns#">fake software</category><category domain="http://www.blogger.com/atom/ns#">rbnexploit</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><title>RBN – The Russian Business Network, Now and Then</title><description>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Observing the Russian Business Network (RBN) this blog is pleased to introduce readers to a highly informative 70 page study of RBN by David Bizeul which you can download in PDF format in English (see links on article footer). 
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R1dRiV4TKrI/AAAAAAAAAIk/GJAoKCU-75I/s1600-h/Fig1_RBN_nowandthen_offices.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R1dRiV4TKrI/AAAAAAAAAIk/GJAoKCU-75I/s400/Fig1_RBN_nowandthen_offices.jpg" alt="" id="BLOGGER_PHOTO_ID_5140667150097394354" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 1 – RBN Offices&lt;br /&gt;12 Levashovskiy Prospect&lt;br /&gt;197110 Saint-Petersburg, Russia&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The study provides extensive information and analysis on the background of the RBN, from its probable physical locations (see Figure 1 for the RBN offices) to Russian cybercrime. One of the study’s conclusions is very telling; this blog wholeheartedly agrees with it and would also add international law enforcement:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-style: italic; font-weight: bold;"&gt;“There are some countermeasures available but none makes sense for the home user or even companies. Only ISPs, IXPs and Internet regulators can help in mitigating the risks originating from RBN and other malicious groups.”&lt;/span&gt; &lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;As with most investigations of the RBN, including this blog, we are confined to retrospective analysis; however, David’s RBN study is very important, as it provides a definitive image of the RBN just before they reorganized. This is crucial for the authors of this blog and other researchers, as it provides a comparative base for current analysis of RBN activity. For example, within a very early article on this blog we described the Internet serving locations of a number of exploit and Rock Phish landing web sites. This can be seen in Figure 2 (click to enlarge), with the previous and current servers for these domains.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/R1dQ614TKqI/AAAAAAAAAIc/5JWdNgkzouo/s1600-h/Fig2_RBN_nowandthen.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_SvDjzn4xfyE/R1dQ614TKqI/AAAAAAAAAIc/5JWdNgkzouo/s400/Fig2_RBN_nowandthen.jpg" alt="" id="BLOGGER_PHOTO_ID_5140666471492561570" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;Interestingly, AS36420 for the 75.125.89.178 IP address resolves to Everyones-Internet3; to show the connection, this is the same route as shown on Castlecops for the Lloyds TSB Rock Phish (banking ID phishing).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;The name servers shown for all in Figure 2 are our good friends, i.e. AS 27595: Atrivo, Intercage, Inhoster, Estdomains. Of even more interest, the same name server also hosts the following “fakes”,&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-size:100%;"&gt;e.g. 
- antispygolden.com, hitvirus.com, malwareburn.com, procodec.com, videohook.com, virusheal.com&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;These are purely a sample for this server; Figures 3 and 4 below show sample IP mappings.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;We hope this provides further examples of the RBN’s current well-being. We are also pleased to announce that, in collaboration with David Bizeul, we will provide an update to this RBN study within the next few weeks.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R1dQpV4TKpI/AAAAAAAAAIU/l0TicALwO78/s1600-h/Fig3_RBN_nowandthen.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R1dQpV4TKpI/AAAAAAAAAIU/l0TicALwO78/s400/Fig3_RBN_nowandthen.jpg" alt="" id="BLOGGER_PHOTO_ID_5140666170844850834" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;Figure 3. 
Name Server Map example&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_SvDjzn4xfyE/R1dQdF4TKoI/AAAAAAAAAIM/FPEJicAN2_E/s1600-h/Fig4_RBN_nowandthen.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_SvDjzn4xfyE/R1dQdF4TKoI/AAAAAAAAAIM/FPEJicAN2_E/s400/Fig4_RBN_nowandthen.jpg" alt="" id="BLOGGER_PHOTO_ID_5140665960391453314" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Figure 4 - IP Map example&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;References and downloads:&lt;br /&gt;&lt;br /&gt;David Bizeul - RBN Study &lt;a href="http://www.badmalweb.com/downloads/RBN_study.pdf"&gt;here&lt;/a&gt; or &lt;a href="http://bizeul.org/files/RBN_study.pdf"&gt;here&lt;/a&gt; - &lt;a href="http://www.castlecops.com/Lloyds_TSB_Rock_Phish_phish547873.html"&gt;Castlecops Rock Phish&lt;/a&gt; - &lt;a href="http://rbnexploit.blogspot.com/2007/09/rbn-exploit-ip-addresses.html"&gt;Original RBN IP blog article &lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~f/RussianBusinessNetwork?a=qcuZcnC"&gt;&lt;img src="http://feeds.feedburner.com/~f/RussianBusinessNetwork?i=qcuZcnC" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RussianBusinessNetwork/~4/195846082" height="1" width="1"/&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/195846082/rbn-russian-business-network-now-and.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2007/12/rbn-russian-business-network-now-and.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-9029695437531590557</guid><pubDate>Wed, 28 Nov 2007 20:51:00 +0000</pubDate><atom:updated>2007-11-28T13:09:34.362-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">iframecash</category><category domain="http://www.blogger.com/atom/ns#">internet security</category><category domain="http://www.blogger.com/atom/ns#">rbnexploit</category><category domain="http://www.blogger.com/atom/ns#">Mpack</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><title>RBN – Google Search Exploits</title><description>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The Russian Business Network (RBN) has been busy again with a significant amount of loaded web search results which lead to malware sites as reported by &lt;a href="http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html"&gt;Sunbelt&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The good news first is being able to precisely pin point the exploiters back to newer RBN core retail centers as previously exposed in this blog on &lt;a href="http://rbnexploit.blogspot.com/2007/11/rbn-russian-business-network-its-use-of.html"&gt;Nov 8th 07&lt;/a&gt; – i.e. iFramecash,  myrdns,  hostfresh, and AS 27595 i.e. Atrivo, Intercage, Inhoster.  
Also, as reported, this is the same end route as the Bank of India hack, the fake anti-spyware and the fake codecs.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The bad news is that, as predicted (and one of the probable reasons for dropping their RBnetwork IP ranges), the RBN is increasingly using botnet-based fast-flux techniques (see &lt;a href="http://en.wikipedia.org/wiki/Fast_flux"&gt;Wikipedia&lt;/a&gt;) to hide the initial delivery sites behind an ever-changing network of compromised hosts, i.e. "double-flux": nodes within the network registering and de-registering their addresses as part of the DNS SOA (start of authority) record list for the DNS (domain name server). This provides an additional layer of redundancy and survivability within the malware network, as seen in the case of the fake codecs.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;This particular web search exploit, from the unfortunate end user's perspective, can be shown as:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt; &lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;div style="text-align: center;"&gt;  &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_SvDjzn4xfyE/R03WEEIdU9I/AAAAAAAAAIE/t_4zY4nprGQ/s1600-h/fig1_search_exploit.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_SvDjzn4xfyE/R03WEEIdU9I/AAAAAAAAAIE/t_4zY4nprGQ/s400/fig1_search_exploit.jpg" alt="" id="BLOGGER_PHOTO_ID_5137998115216643026" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;Investigation into the actual Trojan downloads shows the use of a newer, until now undistributed, edition of MPack which includes a host of 
exploits, including scam.Iwin, keyloggers, DNS changers, etc. Despite the difficulty of tracking botnet fast-flux usage, detailed investigation of the specific domain name servers gives the following details; with this information Google and other search engines should easily eliminate such a threat, and hopefully it provides law enforcement with further evidence:&lt;/span&gt;&lt;/span&gt;  &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;1 – The web search “fake” sites.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;All the fake web search sites researched in this exploit emanate from 2dayhost.com, an apparent botnet based at AS8001 Net Access Corporation, 1719 Route 10 Suite 318, Parsippany, NJ 07054. The following is a sample of the domains and name servers involved at this stage: &lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;feidqaadppta.cn - igekqzeabkwz.cn - luewusxrijke.cn - zhvmizyycuzz.cn&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;All were registered very recently, on Nov 25th 2007, under Name Server: ns1.erik-kartman2.com and Name Server: ns2.erik-kartman2.com, also based at 2dayhost.com / AS8001 Net Access Corporation (please note that despite the .cn, the domains and registrant have nothing to do with China). 
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_SvDjzn4xfyE/R03VtEIdU8I/AAAAAAAAAH8/jdTWlBk5kZQ/s1600-h/fig2_fake_search_sites.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_SvDjzn4xfyE/R03VtEIdU8I/AAAAAAAAAH8/jdTWlBk5kZQ/s400/fig2_fake_search_sites.jpg" alt="" id="BLOGGER_PHOTO_ID_5137997720079651778" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style=";font-family:trebuchet ms;font-size:85%;"  &gt;Figure2 – Fake search site map&lt;/span&gt;&lt;span style="font-size:85%;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;2 – Victim Reception sites.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt; &lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;As mentioned earlier the “usual suspects” of iFramecash,  myrdns,  hostfresh, and AS 27595 i.e. Atrivo, Intercage, Inhoster, are responsible. The following 3 figures show the relationship (click on the pic to see full size):&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R03VZUIdU7I/AAAAAAAAAH0/Z4zt1XpRAZs/s1600-h/fig3_victim_reception.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R03VZUIdU7I/AAAAAAAAAH0/Z4zt1XpRAZs/s400/fig3_victim_reception.jpg" alt="" id="BLOGGER_PHOTO_ID_5137997380777235378" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt; Figure 3. 
Victim reception A&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R03VSUIdU6I/AAAAAAAAAHs/LiUd60NpwlA/s1600-h/fig4_victim_reception2.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R03VSUIdU6I/AAAAAAAAAHs/LiUd60NpwlA/s400/fig4_victim_reception2.jpg" alt="" id="BLOGGER_PHOTO_ID_5137997260518151074" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt; Figure 4. Victim reception B&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R03VIUIdU5I/AAAAAAAAAHk/0tZqw20yzv8/s1600-h/fig5_victim_reception3.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R03VIUIdU5I/AAAAAAAAAHk/0tZqw20yzv8/s400/fig5_victim_reception3.jpg" alt="" id="BLOGGER_PHOTO_ID_5137997088719459218" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size:85%;"&gt; Figure 5. Victim reception C&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~f/RussianBusinessNetwork?a=ylFchhB"&gt;&lt;img src="http://feeds.feedburner.com/~f/RussianBusinessNetwork?i=ylFchhB" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RussianBusinessNetwork/~4/192049407" height="1" width="1"/&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/192049407/rbn-google-search-exploits.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2007/11/rbn-google-search-exploits.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-7990169414378361220</guid><pubDate>Wed, 21 Nov 2007 11:10:00 +0000</pubDate><atom:updated>2007-11-21T10:37:20.583-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">fake software</category><category domain="http://www.blogger.com/atom/ns#">rbnexploit</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">fake scans</category><category domain="http://www.blogger.com/atom/ns#">fake codecs</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><category domain="http://www.blogger.com/atom/ns#">rogue software</category><title>RBN – Fake Codecs</title><description>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt; With the ongoing tracking of “fake” software websites related to the Russian Business &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R0QUV0IdU4I/AAAAAAAAAHc/p8uOWZbL5Cc/s1600-h/Figure1_gamecodec_rbnexploit.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 381px; height: 318px;" src="http://bp2.blogger.com/_SvDjzn4xfyE/R0QUV0IdU4I/AAAAAAAAAHc/p8uOWZbL5Cc/s400/Figure1_gamecodec_rbnexploit.jpg" alt="" id="BLOGGER_PHOTO_ID_5135251840113136514" border="0" 
/&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Network (RBN) and their associates, it is important to note the growth of the fake codec websites. A codec is a small program that allows an operating system or a program to properly play audio or video in a particular format, e.g. MP3, WAV, Xvid, MPEG, Indeo and &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Cinepak. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Figure 1. Sample “fake” codec site - Gamecodec.com&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;This article is a cumulative snapshot report based upon current and historical community reporting from &lt;a href="http://peki.blogspot.com/"&gt;Zlob Watch (peki.blogspot)&lt;/a&gt;, &lt;a href="http://sunbeltblog.blogspot.com/2007/11/another-fake-codec-dltsolution.html"&gt;Sunbelt&lt;/a&gt;, and the excellent earlier work of &lt;a href="http://www.jahewi.nl/lists/fakecodecs/fakecodecs.html"&gt;Jahewi's&lt;/a&gt; Fake Codec Information (unfortunately last updated Jan 20th 07). The key issues are:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The 53 currently active domains shown here (see fig. 2 below), together with the 60 earlier reported and now mostly dormant domains (see fig. 3 below), give a total of at least 113 “fake” codec web sites operational over an 18 month period. 
It would appear that many of the active domains alternate regularly between being non-resolvable (apparently offline) and online.&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The prime exploits from these sites are (a) Zlob, which shows fake error messages and silently installs fake anti-spyware products, and (b) DNSChanger, which silently adds rogue DNS name servers to your PC or Mac. These name servers resolve non-existent domains (typo-squatting) to IP addresses associated with the authors in order to generate revenue, and could potentially re-route traffic from legitimate web sites to other suspicious web sites. Ref: peki.blogspot&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Note: We should clarify that the Mac fake codecs are only for the DNS changing trojans, and that not all the sites listed will spawn Mac payloads.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;These exploits target both Mac and Windows users. The attack vector is similar to that of the “fake” anti-spyware sites, but the technique varies: new domains constantly emerge, mostly leading to a single web landing page interface.&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet 
ms;"&gt;Most importantly, all 113 domains are or were registered with Estdomains; similarly, all 53 of the active domains in fig. 2 are hosted on AS27595 by Atrivo, AKA Intercage, Inhoster, Cernel, etc. AS36445, a newer Autonomous System apparently used by Cernel, should also be added. For blocking purposes the following IP ranges should be incorporated:&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;        64.28.176.0/20 AS27595 INTERCAGE&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;        85.255.118.0/20 AS27595 INTERCAGE&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;        85.255.112.0/20 AS36445 CERNEL&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R0QUBkIdU3I/AAAAAAAAAHU/Qm_Y8HU-T2A/s1600-h/Figure2_fake_codec_current_rbnexploit.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R0QUBkIdU3I/AAAAAAAAAHU/Qm_Y8HU-T2A/s400/Figure2_fake_codec_current_rbnexploit.jpg" alt="" id="BLOGGER_PHOTO_ID_5135251492220785522" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://bp1.blogger.com/_SvDjzn4xfyE/R0QT4kIdU2I/AAAAAAAAAHM/u8ZQ0UUSftI/s1600-h/Figure3_fake_codec_Jahewi_rbnexploit.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R0QT4kIdU2I/AAAAAAAAAHM/u8ZQ0UUSftI/s400/Figure3_fake_codec_Jahewi_rbnexploit.jpg" alt="" id="BLOGGER_PHOTO_ID_5135251337601962850" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-family: trebuchet ms;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R0QSrkIdU1I/AAAAAAAAAHE/OeV-12w461E/s1600-h/Figure+4+-+Zerocodec+IP+map.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R0QSrkIdU1I/AAAAAAAAAHE/OeV-12w461E/s400/Figure+4+-+Zerocodec+IP+map.jpg" alt="" id="BLOGGER_PHOTO_ID_5135250014752035666" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Figure 4 - Sample IP Map - Zerocodec&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
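The block list above, and the DNSChanger behaviour described earlier in this post, can both be checked from a host with a few lines of code. The following is an added example and not code from the original post or from any of the projects it cites. It normalizes the listed CIDR ranges (85.255.118.0/20 is not on a /20 boundary and normalizes to 85.255.112.0/20, the same network as the AS36445 entry, so a strict CIDR parser would reject it and the two entries overlap), then scans a resolv.conf-style resolver list for addresses inside those ranges. The resolv.conf content is a constructed sample; the labels are copied from the post's list.

```python
import ipaddress
import re

# Block list as the post gives it. The 85.255.118.0/20 entry is not on a /20
# boundary, so it is normalized below rather than rejected.
BLOCKLIST_ENTRIES = [
    ("64.28.176.0/20", "AS27595 INTERCAGE"),
    ("85.255.118.0/20", "AS27595 INTERCAGE"),
    ("85.255.112.0/20", "AS36445 CERNEL"),
]


def normalize_block(cidr):
    """Return the canonical network for a CIDR string.

    strict=False clears the host bits, so '85.255.118.0/20' becomes
    '85.255.112.0/20' instead of raising ValueError.
    """
    return ipaddress.ip_network(cidr, strict=False)


def load_blocklist(entries):
    """Parse (cidr, label) pairs into (network, label) pairs."""
    return [(normalize_block(cidr), label) for cidr, label in entries]


def match_ip(ip, blocklist):
    """Return the labels of every block containing ip (empty list if none)."""
    addr = ipaddress.ip_address(ip)
    return [label for net, label in blocklist if addr in net]


# Constructed sample: a resolv.conf after a DNSChanger-style modification.
# 85.255.113.45 is a made-up address inside the post's 85.255.112.0/20 range.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 85.255.113.45
nameserver 192.168.1.1
search example.lan
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def check_resolvers(resolv_conf_text, blocklist):
    """Return [(ip, [labels]), ...] for every configured resolver that
    falls inside a block-listed range."""
    flagged = []
    for line in resolv_conf_text.splitlines():
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        try:
            labels = match_ip(m.group(1), blocklist)
        except ValueError:
            continue  # not an IP literal; ignore the line
        if labels:
            flagged.append((m.group(1), labels))
    return flagged


def overlapping_blocks(blocklist):
    """Return label pairs whose networks overlap, to catch duplicate entries."""
    pairs = []
    for i, (a, la) in enumerate(blocklist):
        for b, lb in blocklist[i + 1:]:
            if a.overlaps(b):
                pairs.append((la, lb))
    return pairs


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_ENTRIES)
    for ip, labels in check_resolvers(SAMPLE_RESOLV_CONF, bl):
        print("rogue resolver", ip, "in", ", ".join(labels))
    for la, lb in overlapping_blocks(bl):
        print("overlapping entries:", la, "/", lb)
```

Run as a script it prints the flagged resolver and the overlapping pair. On a live host feed check_resolvers the contents of /etc/resolv.conf; the regex only recognizes nameserver lines, so output from ipconfig /all or scutil --dns has to be reduced to that form first. The overlap check is worth running on any hand-maintained block list before it goes into a firewall or DNS RPZ, since two labels for one network usually means one of them was mistyped.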
&lt;a href="http://feeds.feedburner.com/~f/RussianBusinessNetwork?a=8oO8WMB"&gt;&lt;img src="http://feeds.feedburner.com/~f/RussianBusinessNetwork?i=8oO8WMB" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RussianBusinessNetwork/~4/188230420" height="1" width="1"/&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/188230420/rbn-fake-codecs.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2007/11/rbn-fake-codecs.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-3161125986340546448</guid><pubDate>Mon, 19 Nov 2007 02:47:00 +0000</pubDate><atom:updated>2007-11-19T05:56:59.831-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">internet security</category><category domain="http://www.blogger.com/atom/ns#">fake software</category><category domain="http://www.blogger.com/atom/ns#">rbnexploit</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">fake scans</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><title>RBN – PC Hijacking via Banner-Ads on Major Web Portals</title><description>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;In one of its boldest PC hijacking exploits the Russian Business Network (RBN) used conventional banner-ads to redirect web visitors to “fake” anti-spyware sites. This is a new attack vector, but it uses known RBN server routes and exploits. Malware based ads have been spotted on various legitimate websites, including baseball's MLB.com, NHL.com, Canada.com and The Economist. The exploit poses as a conventional Flash file and is served via DoubleClick's DART program; DoubleClick acknowledges the malware and says it has implemented a new security-monitoring system that has thus far captured and disabled a hundred ads. 
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;How the exploit works, servers and locations (confirmed by Explabs): &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Example for mlb.com ... mlb.com – to - ad.doubleclick.net - to - newbieadguide.com - to - fixthemnow.com, which calls safetydownload.com for the “fake” download&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/R0D7YkIdU0I/AAAAAAAAAG8/EmMwQP2slXs/s1600-h/Fig1_adtraff_servers.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_SvDjzn4xfyE/R0D7YkIdU0I/AAAAAAAAAG8/EmMwQP2slXs/s400/Fig1_adtraff_servers.jpg" alt="" id="BLOGGER_PHOTO_ID_5134379974636950338" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Example for nhl.com ...  
nhl.com – to - 2mdn.net - to - ad.doubleclick.net – to - adtraff.com – to - blessedads.com and prevedmarketing.com - to - malware-scan.com, for the “fake” download.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/R0D7IEIdUzI/AAAAAAAAAG0/1vdbKolF1wk/s1600-h/Fig2_adtraff_servers.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_SvDjzn4xfyE/R0D7IEIdUzI/AAAAAAAAAG0/1vdbKolF1wk/s400/Fig2_adtraff_servers.jpg" alt="" id="BLOGGER_PHOTO_ID_5134379691169108786" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R0D6h0IdUyI/AAAAAAAAAGs/Aw0sZxeHZR8/s1600-h/Fig3_securehost_rbnexploit.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/R0D6h0IdUyI/AAAAAAAAAGs/Aw0sZxeHZR8/s400/Fig3_securehost_rbnexploit.jpg" alt="" id="BLOGGER_PHOTO_ID_5134379034039112482" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Figure 3 – Secure Hosting Bahamas&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;As shown above, the key servers involved, in particular Secure Hosting based in The Bahamas, have been utilized on other occasions by the RBN. It should also be noted that the four specific exploit servers and their AS (Autonomous System) numbers are:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;AS15146 Cable Bahamas Ltd. 
(also AS26855 INTERNET BAHAMAS) - SECUREHOST.COM - IP range involved - 190.15.72.0/21&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;AS29131 RAPIDSWITCH Ltd - London UK - IP range involved - 87.117.192.0/18&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;AS33510 SETUPAHOST - Toronto Canada - IP range involved - 66.244.254.0/24&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;AS41947 WEBALTA / Internet Search Company - Moscow Russia - IP range involved - 77.91.224.0/21&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Each of these servers houses many other questionable and exploit based domains on the same specific IP addresses as the domains utilized within this PC hijack exploit. Figure 4 shows those domains, which include 23 “fake” anti-spyware or rogue software domains based upon the same RBN exploits as “Winfixer”, “SpySheriff”, etc.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/R0D6I0IdUxI/AAAAAAAAAGk/e47dNi-_9gc/s1600-h/Fig4_adtraf_domains_rbnexploit.jpg"&gt;&lt;img style="cursor: pointer;" 
src="http://bp2.blogger.com/_SvDjzn4xfyE/R0D6I0IdUxI/AAAAAAAAAGk/e47dNi-_9gc/s400/Fig4_adtraf_domains_rbnexploit.jpg" alt="" id="BLOGGER_PHOTO_ID_5134378604542382866" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;This important exposure is thanks to excellent CYBERINT work within the community, references:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;a href="http://explabs.blogspot.com/2007/11/banner-ads-from-major-sites.html"&gt;Explabs&lt;/a&gt; - &lt;a href="http://www.wired.com/techbiz/media/news/2007/11/doubleclick"&gt;Wired.com&lt;/a&gt; - &lt;a href="http://sunbeltblog.blogspot.com/2007/11/rogue-ads-on-ad-networks.html"&gt;Sunbelt&lt;/a&gt;&lt;div class="feedflare"&gt;
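The two redirect chains above were reconstructed by hand; the same reconstruction can be automated from a proxy log by following Referer headers backwards from the final download request. The following is an added example and not code from the original post or from Explabs. It parses a constructed three-column proxy log (client, URL, Referer; the hosts follow the post's chains, the paths and client addresses are made up), walks each request to a known rogue download host back through its referers, and records whether an ad network host sits in the chain. A referer that never appears as a request from the same client (the nhl.com lines, where the intermediate hops are deliberately missing from the sample) is kept as the chain's head so the gap stays visible instead of being dropped.

```python
from urllib.parse import urlparse

# Hosts named in the post: where the "fake" download is finally served, and
# the ad network hops the malicious banner passed through.
ROGUE_DOWNLOAD_HOSTS = {"safetydownload.com", "malware-scan.com"}
AD_NETWORK_HOSTS = {"ad.doubleclick.net", "2mdn.net"}

# Constructed sample proxy log, one request per line: client, URL, Referer
# ("-" when absent), in request order. Hosts follow the post's chains; the
# paths and client addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 http://mlb.com/index.jsp -
10.0.0.5 http://ad.doubleclick.net/adj/mlb.home http://mlb.com/index.jsp
10.0.0.5 http://newbieadguide.com/go.php?c=1 http://ad.doubleclick.net/adj/mlb.home
10.0.0.5 http://fixthemnow.com/scan/ http://newbieadguide.com/go.php?c=1
10.0.0.5 http://safetydownload.com/setup.exe http://fixthemnow.com/scan/
10.0.0.9 http://nhl.com/ -
10.0.0.9 http://malware-scan.com/download.exe http://prevedmarketing.com/lp
"""


def host_of(url):
    """Hostname part of a URL (urlparse lower-cases it); empty string if none."""
    return urlparse(url).hostname or ""


def parse_log(text):
    """Parse the three-column log into (client, url, referer_or_None) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        client, url, referer = parts
        records.append((client, url, None if referer == "-" else referer))
    return records


def referer_chain(records, index):
    """Walk Referer links backwards from records[index] and return the host
    chain oldest-first. A referer that was never requested by the same client
    is still kept as the chain's head, so a gap in the log stays visible."""
    client, url, referer = records[index]
    chain = [host_of(url)]
    while referer is not None:
        chain.append(host_of(referer))
        # most recent earlier request by this client for exactly that URL
        prev = None
        for j in range(index - 1, -1, -1):
            if records[j][0] == client and records[j][1] == referer:
                prev = j
                break
        if prev is None:
            break  # referer not in the log: the referer host heads the chain
        index = prev
        referer = records[prev][2]
    chain.reverse()
    return chain


def find_rogue_chains(records):
    """For every request to a rogue download host, return its referer chain
    and whether an ad network host appears in it."""
    hits = []
    for i, (client, url, _referer) in enumerate(records):
        if host_of(url) in ROGUE_DOWNLOAD_HOSTS:
            chain = referer_chain(records, i)
            hits.append({
                "client": client,
                "chain": chain,
                "via_ad_network": any(h in AD_NETWORK_HOSTS for h in chain),
            })
    return hits


if __name__ == "__main__":
    for hit in find_rogue_chains(parse_log(SAMPLE_LOG)):
        flag = "via ad network" if hit["via_ad_network"] else "no ad network hop seen"
        print(hit["client"], " - to - ".join(hit["chain"]), "(" + flag + ")")
```

On a real proxy log, adapt parse_log to the log's field order and extend the two host sets; the chain walk itself does not change. One caveat: when a hop is an HTTP redirect rather than a page carrying a link or script, browsers keep the original page's Referer instead of the redirecting URL, so such hops only appear in the chain if the proxy logged them as requests of their own.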
&lt;a href="http://feeds.feedburner.com/~f/RussianBusinessNetwork?a=x4yNJLB"&gt;&lt;img src="http://feeds.feedburner.com/~f/RussianBusinessNetwork?i=x4yNJLB" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RussianBusinessNetwork/~4/186944273" height="1" width="1"/&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/186944273/rbn-pc-hijacking-via-banner-ads-on.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2007/11/rbn-pc-hijacking-via-banner-ads-on.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-1271812410135419404</guid><pubDate>Thu, 15 Nov 2007 13:34:00 +0000</pubDate><atom:updated>2007-11-19T08:54:23.126-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">internet security</category><category domain="http://www.blogger.com/atom/ns#">fake software</category><category domain="http://www.blogger.com/atom/ns#">rbnexploit</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><category domain="http://www.blogger.com/atom/ns#">rogue software</category><title>RBN – Russian Business Network - Faking its demise</title><description>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Although it is true that the Russian Business Network (RBN), as AS40989 RBN AS RBusiness Network, has relinquished its IP addresses (but not those of the related ‘peers’), this blog has never shown that AS as the core centre of RBN activity or as particularly relevant to its commercial activity. A simple test of the hypothesis of the RBN's demise, as in recent press headlines such as “Mother of all cybercrime vanishes from the web” or “RBN goes Poof”, is to review one of the RBN’s major money earning retail activities. 
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;HYPOTHESIS = If the demise of the RBN is correct, the RBN's fake anti-spyware or rogue software should logically show major changes in serving and hosting over the last week or so. Fortunately, based on limited CYBERINT, we were earlier able to show 57 well known ‘fakes’, with 34 of the top 40 being RBN related; the specifics can be seen below. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;RESULT = With the exception of the loss or replacement of the AS40989 secondary name servers, there has been little or no change to the core IP addresses.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;(a) For example, Antivirgear shows a current Alexa Trend/Rank of #5,473 (out of an estimated 60 million web sites), improved over the last month, with 397,296 U.S. 
visitors per month, which is 10.7% of its traffic, so visitors worldwide = 3.7 million; this is just one of many ‘fake’ web sites.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;(b) It does assist in highlighting the role of Intercage AS &lt;/span&gt;27595&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt; (AKA Atrivo (US), Inhoster - xbox.dedi.inhoster.com - Ukraine, and Estdomains) as a fundamental part of the RBN from 2004 (see . &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/RzxLnEIdUwI/AAAAAAAAAF8/7esUndCksxU/s1600-h/fig1_fake_update_b.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_SvDjzn4xfyE/RzxLnEIdUwI/AAAAAAAAAF8/7esUndCksxU/s400/fig1_fake_update_b.jpg" alt="" id="BLOGGER_PHOTO_ID_5133060809791722242" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;For the results, Figure 1 shows an overview of the RBN’s / Atrivo share of the ‘fakes’ market. For completeness (click on the images to enlarge):&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;Figure 2 - shows the complete list of the 57 ‘fakes’ in alphabetical order.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;Figure 3 - shows the complete list of the 57 ‘fakes’ ranked by specific hosts / servers.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;N.B. 
– It should be noted that the 6 ‘fakes’ listed as offline are currently dormant; historically this has happened before, and such domains often come back into use.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/RzxLR0IdUvI/AAAAAAAAAF0/LOEP1vYXPqY/s1600-h/fig2_fake_update_b.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_SvDjzn4xfyE/RzxLR0IdUvI/AAAAAAAAAF0/LOEP1vYXPqY/s400/fig2_fake_update_b.jpg" alt="" id="BLOGGER_PHOTO_ID_5133060444719502066" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_SvDjzn4xfyE/RzxLHUIdUuI/AAAAAAAAAFs/bVDHG9ZqSxY/s1600-h/fig3_fake_update_b.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_SvDjzn4xfyE/RzxLHUIdUuI/AAAAAAAAAFs/bVDHG9ZqSxY/s400/fig3_fake_update_b.jpg" alt="" id="BLOGGER_PHOTO_ID_5133060264330875618" border="0" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~f/RussianBusinessNetwork?a=sTjxOoB"&gt;&lt;img src="http://feeds.feedburner.com/~f/RussianBusinessNetwork?i=sTjxOoB" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RussianBusinessNetwork/~4/185224860" height="1" width="1"/&gt;</description><link>http://feeds.feedburner.com/~r/RussianBusinessNetwork/~3/185224860/rbn-russian-business-network-faking-its.html</link><author>noreply@blogger.com (HostExploit)</author><feedburner:origLink>http://rbnexploit.blogspot.com/2007/11/rbn-russian-business-network-faking-its.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8549284814582550159.post-9183004036607063920</guid><pubDate>Mon, 12 Nov 2007 14:57:00 +0000</pubDate><atom:updated>2007-11-12T07:37:26.209-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">76service loadscc</category><category domain="http://www.blogger.com/atom/ns#">internet security</category><category domain="http://www.blogger.com/atom/ns#">rbn</category><category domain="http://www.blogger.com/atom/ns#">russian business network</category><title>RBN – 76 Service Team, Loads cc, and their location</title><description>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Although most report that the Russian Business Network (RBN) has disappeared, this RBN watch-blog still follows its active domains, its “retail division”. This is a follow up to an earlier article on &lt;a href="http://rbnexploit.blogspot.com/2007/10/rbn-76service-gozi-hangup-team-and-us.html"&gt;76 Service, Gozi, hang Up Team and US Hosting&lt;/a&gt;: the same business, just in a different location, with an added common thread. 
&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_SvDjzn4xfyE/RzhtICLi4XI/AAAAAAAAAFk/Ri-eJPt2VXc/s1600-h/Directi_slogan.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_SvDjzn4xfyE/RzhtICLi4XI/AAAAAAAAAFk/Ri-eJPt2VXc/s400/Directi_slogan.jpg" alt="" id="BLOGGER_PHOTO_ID_5131971760180355442" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;Fig 1. Common thread – the RBN’s slogan?&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;76 Service is now 76team.com (click on pic to see detail)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_SvDjzn4xfyE/RzhskSLi4WI/AAAAAAAAAFc/H2sljZkuXXU/s1600-h/76team_rbnexploit.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 285px; height: 213px;" src="http://bp1.blogger.com/_SvDjzn4xfyE/RzhskSLi4WI/AAAAAAAAAFc/H2sljZkuXXU/s400/76team_rbnexploit.jpg" alt="" id="BLOGGER_PHOTO_ID_5131971146000032098" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Fig 2. Current 76 Service user landing page&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;As we can see, although it is using a new domain, it still displays the familiar RBN “76 Service” branding. Just to remind ourselves, subscribers to 76 Service can log in and pull down the latest drops, i.e. data deposits from the Gozi-infected machines they subscribed to, e.g. 
a 3.3 GB drop containing more than 10,000 &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;online credentials (ID theft) taken from 5,200 PCs.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Loads.cc (click on pic to see detail)&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_SvDjzn4xfyE/RzhsFiLi4VI/AAAAAAAAAFU/4_mkoN7YTdU/s1600-h/loads_cc_order_page.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 379px; height: 373px;" src="http://bp2.blogger.com/_SvDjzn4xfyE/RzhsFiLi4VI/AAAAAAAAAFU/4_mkoN7YTdU/s400/loads_cc_order_page.jpg" alt="" id="BLOGGER_PHOTO_ID_5131970617719054674" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Fig 3. Loads.cc – Order page&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;As reported, Loads.cc allows less technically proficient cyber-criminal affiliates to “cash in”: the site provides information on the availability and size of the botnet in real time. This method differs from that of other similar schemes such as 76 Service in that Loads.cc allows you to pay to infect computers.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Common Thread?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;76 Team&lt;/span&gt; (back1.76team.com or bavk1.76team.com) – IP = 208.72.170.189 = AS 26780 MCCOLO - USA&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Loads.cc &lt;/span&gt;– IP = 212.24.53.4 AS 15756 CARAVAN ISP "CARAVAN" Moscow, RU&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Although the two sites appear dissimilar, we have to dig a little deeper; examine the next two figures.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_SvDjzn4xfyE/RzhrnyLi4TI/AAAAAAAAAFE/4Q1gcPbjZ7I/s1600-h/rbn_76_map2.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_SvDjzn4xfyE/RzhrnyLi4TI/AAAAAAAAAFE/4Q1gcPbjZ7I/s400/rbn_76_map2.jpg" alt="" id="BLOGGER_PHOTO_ID_5131970106617946418" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;Fig 4 (a) 76 Service / Team Name servers (click on pic to see detail above)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_SvDjzn4xfyE/RzhrPCLi4SI/AAAAAAAAAE8/FPJgMFMl8b8/s1600-h/loadscc_map.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_SvDjzn4xfyE/RzhrPCLi4SI/AAAAAAAAAE8/FPJgMFMl8b8/s400/loadscc_map.jpg" alt="" id="BLOGGER_PHOTO_ID_5131969681416184098" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Fig 4 (b) Loads cc Name servers (click on pic to see detail above)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The common thread is in two parts:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;ul  style="font-family:trebuchet ms;"&gt;&lt;li&gt;&lt;span 
style="font-size:100%;"&gt; Loads.cc infects the PCs; 76 Service / Team sells the IDs from those same infected PCs.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul  style="font-family:trebuchet ms;"&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;Also, as figs 4 (a) &amp;amp; (b) show, the common name servers, i.e. orderbox-dns and optical jungle, have corresponding IP ranges within AS30315 and AS31898.&lt;/span&gt;    &lt;span style="font-size:100%;"&gt; These two domain ranges are part of Resellerclub and Logi