
RBN – Real Host, Latvia and the Zeus Botnet

RBN (Russian Business Network), via Real Host Ltd., is a fairly blatant cybercrime and bulletproof hosting hub. It inhabits AS8206 Junik, based in Riga, Latvia, and is high on any watch list (ref 1 & ref 2).

As Dynamoo puts it, “A real sewer” (ref 3). Moreover, it has all the hallmarks and operational elements of the apparently fragmented RBN, either as a resurgence or as a clone of the RBN’s business model.

Fig 1 – Front page of installs.cc – Zeus botnet rental & loading


Of more current interest, this is the base for distributing the new and as yet unpatched “zero-day Flash/PDF exploit” (ref 4) and zero-day Microsoft exploits such as DirectShow (MS09-028), and it is a core center for the Zeus botnet’s C&C (command and control). Zeus is the #1 botnet in the US, with an estimated 3.6 million PCs infected.


Also present are known, but updated, RBN methodologies:

# Rock Phish – which originally introduced the Zeus (aka WSNPOEM) Trojan.

# ZeuEsta (a mix of the ZeuS crimeware and the El Fiesta Exploit Kit). However, since April 17, 2009 ZeuEsta has been seen in combination with the SPack Exploit Kit (ref 5).


Fig 2 – iSell.cc - Stolen: Bank logins, credit cards, PayPal Sales and IDs – On Real Host





Fortunately, in more recent times there are several good sources within the open security community of up-to-date information on malware domains, spam centers and botnets; to select a few:
  • Spamhaus – SBL75831 – lists the net block for phishing and malware hosting. (Ref 6.)
  • FIRE – shows up to 9 complete malware servers in recent times. (Ref 7.)
  • MalwareURL – currently shows 199 domains hosting, amongst other badness, 18 trojans, 25 redirects to exploits and rogue anti-virus, and 6 botnet C&C (command and control) servers. (Ref 8.)
  • Google’s Safe Browsing – shows for AS8206 Junik in the last 90 days: 12 sites providing malicious software for drive-by downloads, and 102 sites acting as intermediaries for the infection of 11,810 other web sites. Finally, it found 161 web sites hosting malware that infected 20,681 other web sites.
  • Google’s Safe Browsing – as an example, for just one of the domains, 71.speed.info: 32 scripting exploits.

The Results of Investigation and Reporting the Issues


Fig 3 – Real Host Routing – as of 07/31/09






Fig 4 – Real Host Routing – as of 08/03/09

Money mule sites – the Barwells Group and NewskyAG reveal the following:

BarwellsGroup
"During the trial period (1 month), you will be paid 2,000 USD per month while working on average 3 hours per day, Monday-Friday, plus 5 commissions from every transaction or task received and processed. The salary will be sent in the form of wire transfer directly to your account. After the trial period your base pay salary will go up to 3,500 USD per month, plus 5 commissions."
Clearly this is a money mule recruitment program. Sounds pretty good for 3 hours’ work per day!

NewskyAG
Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme, as shown by this quote from Yahoo Answers:

In summary, Real Host from within Junik serves:
  • exploits, including unpatched (or soon to be patched) 0-days;
  • payloads to drop on victim PCs, including fake codecs, banking trojans, spambots, fake anti-virus, downloaders and even a Mac trojan;
  • phishing sites;
  • money mule recruitment sites;
  • Zeus botnet command and control servers;
  • distribution of pirated licensed software (warez);
  • illegal porn content.

Added to which it is a center for the RBN cybercrime business model:
  • botnet rental;
  • botnet loading;
  • phishing;
  • iFrame exploit affiliates;
  • warez;
  • credit card trading forums;
  • openly selling credit cards, PayPal accounts and bank logins, over 10,000 “newly harvested”.
So who is Real Host Ltd.?
To start with, the net block is leased from Junik by Alex Spiridonov, Abay Street 2a, Almaty, Kazakhstan. Here are just a few other tell-tale signs:
  • Many of the domains are ex-EstDomains.
  • All of the web sites are in Russian, or for the trading arm Russian/English.
  • Older entities which many had thought were dead and gone are here: Barwells Group, Newsky, Web-Alfa, and good old Botnet.su.
All of these were operational elements of RBN (Russian Business Network). So this may not be a reincarnation of the RBN, but these are clearly Russian organized cyber criminals in the same vein, and at the least headed by someone from the old RBN school.

Further manual investigation led to the following information on domains served by Real Host:

IP               Domain                   Purpose
213.182.197.229  yourgoogleanalytics.us   Money mule recruiting
213.182.197.229  barwellsgroup.cn         Money mule recruiting
213.182.197.249  vikd3jj-3.com            Malware
213.182.197.251  2k90.cn                  Malware
213.182.197.13   mac-videos.com           Mac trojan
213.182.197.236  71speed.info             Banking trojan – Silent Banker
213.182.197.8    bestxvids.info           Zlob
213.182.197.249  traffic-searches.cn      Botnet C&C
213.182.197.237  1gigabayt.com            Zeus C&C
213.182.197.14   iframepartners.com       iframe sellers
213.182.197.228  chlenopopik.com          Zeus C&C
213.182.197.14   megavipsite.cn           Malware
213.182.197.20   traffcount.cn            Malware
213.182.197.229  newskyag.com             Money mule recruiting & Zeus C&C
213.182.197.235  traffic-exchange.ru      Part of iframe redirection service
213.182.197.10   vlkontacte.ru            Russian social network phish
213.182.197.251  botnet.su                Zeus C&C

With the Botnet.su and related installs.cc domains the attackers clearly aren't trying to hide their motives! Botnet.su was previously used by the RBN along with NewskyAG and others. Zeus is one of the most common threats being hosted from Real Host's network.
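A table like the one above is only useful once it is turned into something a defender can act on: a check that every address really sits inside the listed net block (so a stray row does not become a bad firewall rule), the set of C&C addresses to block at egress, and DNS sinkhole records for the domains. The following script is an added example by the editor, not code from the original post; the rows are transcribed from the table, and the /24 used as the Real Host block is an assumption (the post only cites Spamhaus SBL75831 for the block).

```python
import ipaddress
from collections import defaultdict

# Rows transcribed from the table above: IP, domain, purpose.
INDICATORS = """\
213.182.197.229 yourgoogleanalytics.us Money Mule Recruiting
213.182.197.229 barwellsgroup.cn Money Mule Recruiting
213.182.197.249 vikd3jj-3.com Malware
213.182.197.251 2k90.cn Malware
213.182.197.13 mac-videos.com Mac Trojan
213.182.197.236 71speed.info Banking Trojan - Silent Banker
213.182.197.8 bestxvids.info Zlob
213.182.197.249 traffic-searches.cn Botnet C&C
213.182.197.237 1gigabayt.com Zeus C&C
213.182.197.14 iframepartners.com iframe sellers
213.182.197.228 chlenopopik.com Zeus C&C
213.182.197.14 megavipsite.cn Malware
213.182.197.20 traffcount.cn Malware
213.182.197.229 newskyag.com Money Mule Recruiting & Zeus C&C
213.182.197.235 traffic-exchange.ru Part of iframe redirection service
213.182.197.10 vlkontacte.ru Russian Social Network Phish
213.182.197.251 botnet.su Zeus C&C
"""

# Assumption: the Real Host block is modelled as the /24 containing every
# address in the table; the post itself only cites Spamhaus SBL75831.
REAL_HOST_BLOCK = ipaddress.ip_network("213.182.197.0/24")


def parse_indicators(text):
    """Turn the flat 'IP domain purpose' rows into (ip, domain, purpose) tuples.
    An invalid IP raises ValueError instead of silently becoming a bad rule."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, domain, purpose = line.split(None, 2)
        ipaddress.ip_address(ip)          # validate the address
        rows.append((ip, domain.lower(), purpose.strip()))
    return rows


def in_block(ip, block=REAL_HOST_BLOCK):
    """True if the address falls inside the monitored net block."""
    return ipaddress.ip_address(ip) in block


def group_by_ip(rows):
    """Map each hosting IP to the (domain, purpose) pairs seen on it."""
    groups = defaultdict(list)
    for ip, domain, purpose in rows:
        groups[ip].append((domain, purpose))
    return dict(groups)


def c2_ips(rows):
    """Addresses the table marks as command-and-control: egress block candidates."""
    return sorted({ip for ip, _, purpose in rows if "C&C" in purpose})


def rpz_records(rows):
    """BIND Response Policy Zone records: CNAME . returns NXDOMAIN for the
    domain and for any subdomain of it."""
    records = []
    for _, domain, purpose in rows:
        records.append(f"{domain} CNAME . ; {purpose}")
        records.append(f"*.{domain} CNAME . ; {purpose}")
    return records


if __name__ == "__main__":
    rows = parse_indicators(INDICATORS)
    stray = [ip for ip, _, _ in rows if not in_block(ip)]
    print(f"{len(rows)} indicators, {len(group_by_ip(rows))} hosting IPs, stray: {stray}")
    print("C&C egress block:", ", ".join(c2_ips(rows)))
    print("\n".join(rpz_records(rows)))
```

Grouping by IP is what surfaces the reuse the text describes (213.182.197.229 carries both money mule sites and the NewskyAG Zeus C&C); the RPZ output is the part you would actually load into a resolver.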


RBN - McColo R.I.P.

RBN (Russian Business Network) in the USA takes another hit, and another victory in the war against Internet badness.

‘Alas poor McColo I knew them well’ - so does anyone on the planet who receives email / spam.

McColo was host to the world’s major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography.

The study published by HostExploit.com was based on tracking and documenting the ongoing cyber criminal activity of McColo and others. Get the report here: HostExploit Report


As a result of the first HostExploit Cyber Crime USA report, which focused on Atrivo / Intercage, and the subsequent community actions, there was a measurable 10% drop in spam and malware worldwide. While temporary, it clearly demonstrates that with a concerted and consistent effort by concerned commercial Internet network operators, a safer Internet can ensue.


Once Hurricane Electric became aware of the report's content, at approximately 4:30pm EST on 11/11/08 Hurricane Electric pulled the plug. To check this, see the chart from SpamCop below: a huge drop in spam, as just one example.




Of course it is not over yet:

fraudcrew.com on IP 64.62.171.193
  = 193.64-62-171.reverse.mccolo.com
  = net 64.62.128.0/18
  = AS6939 HURRICANE Electric

Our favorite ‘CoolWebSearch hijackers’ are still online.



Also, as we see on the CIDR report, AS26780 MCCOLO - McColo Corporation is still peered by AS3549 GBLX Global Crossing Ltd.


However, we can assume Hurricane Electric will get around to the 64.62.128.0/18 net block as well, and that GBLX is acting in unison.


Again this is an excellent example of a growing community effort, involving a wide cross section of anti-spammers, malware and botnet researchers, journalists, and Internet network operators. When considering the ongoing war for the heart and soul of the Internet: “Not the end, not the beginning of the end, but the end of the beginning”?

RBN - Farewell to EstDomains

In the wake of the demise of Atrivo we now see the demise of EstDomains by an emboldened ICANN.



Many have shown EstDomains et al. to be a source of domain registration badness used by cyber criminals for many years, as recently described within the HostExploit.com report “Atrivo - Cyber Crime USA”, by Sunbelt Software and Spamhaus, to name a few, and followed up in The Washington Post by Brian Krebs in “A Superlative Scam and Spam Site Registrar”.



Ironically, EstDomains has been trying to fight back with press releases such as “EstDomains, Inc Takes Next Step in Combating Spam and Malware”, stating: “Once again EstDomains, Inc would like to address the interactive community and ask for co-operation to make the Internet clear and safe.”


However, even more relevant to the demise of EstDomains was the later Brian Krebs post “A Sordid History and a Storied CEO”, relating to the EstDomains CEO Vladimir Tsastsin.

As of today ICANN has issued a formal, and we assume irrevocable, notice of termination – see fig 2 below:




The formal letter of termination is available for download from ICANN <here>; it is based on court records from Estonia.




Of course what will be interesting is what happens to the approximately 281,000 domain names under EstDomains’ management. All registrations sponsored by EstDomains will be transferred to an ICANN-accredited registrar in accordance with ICANN’s “De-accredited Registrar Transition Procedure”. ICANN goes on to say: “It is ICANN's goal to protect registrants from unnecessary harm and we look forward to amicably resolving any domain name transition issues that may arise from this termination.”



Hopefully this demonstrates that an emboldened ICANN, recently besieged on security issues, is listening to the community. Perhaps we could persuade ICANN to let the Internet security community provide solid advice on which of these domains are abusive before any transfer is made?


RBN: Atrivo Goes Dark

Not the end, not the beginning of the end, but perhaps the end of the beginning.

As from today the Internet is a little safer, as Atrivo goes dark.


It is pleasing to report that the last remaining peer routing Atrivo (AS27595 Atrivo / Intercage), ‘Pacific Internet Exchange’ (PIE; see the Spamhaus ref below), was withdrawn at 2:35am EST on Sunday, September 21st 2008.





This is an excellent example of community effort involving a wide cross section of anti-spammers, malware and botnet researchers, journalists, and Internet network operators.


Although this is good news we should not relax too much: some of the bad stuff has migrated elsewhere, similar to the self-redistribution of AS40989 RBN Network last year. However, we look forward to the forthcoming ‘Atrivo – Cyber Crime USA’ report version 2.0 from HostExploit, which may cast some light on this redistribution and other bad actors.


Magnanimous in victory, we should give the last word to the vanquished, as Emil Kacperski, long-time spokesman and apologist for Atrivo / Intercage, said:

“I just put my fate into companies I shouldn't have.”



For the record the CIDR report - RIP



Refs:

Spamhaus - PIE - Lasso

Atrivo: Cyber Crime USA Report - Hostexploit.com

Cidr Report - Atrivo / Intercage

RBN - Atrivo: Cyber Crime USA

In a new study entitled "Atrivo - Cyber Crime USA", the authors have extensively tracked and documented ongoing cyber criminal activity from within the Internet servers controlled by the California-based Atrivo, and other associated entities. Atrivo is one of the Internet's Autonomous Systems and controls a large number of IP addresses, which web sites must use to reach consumers.

Produced by cyber crime researcher Jart Armin, in association with Matt Jonkman and James McQuaid, this first-of-its-kind open source security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which has been seen by many over several years as a main conduit for financial scams, identity theft, spam and malware. This study, although fully self-contained, is the first of a series of reports: on a monthly basis there will be follow-ups reporting on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users, and hopefully efforts to stop them.


In addition to original quantitative research conducted by Armin, Jonkman and McQuaid, the study draws upon the findings of other research efforts, including StopBadware, EmergingThreats, Knujon, Sunbelt, CastleCops, Spamhaus, and many others. What emerges is a picture of a front for ruthless cyber criminals, who have specifically targeted consumers in the United States and elsewhere. The study provides hard data regarding specific current activity within Atrivo, explains how consumers are targeted, describes Atrivo's virtual network structure and organizational modeling, and cites Atrivo's collusive failure to respond to abuse complaints from 2004 to the present. The study includes three-dimensional charts, diagrams, and a YouTube video which make it easy to grasp the statistics or processes discussed.




Document available for download from hostexploit.com


Video of the Exploitation of a PC User - YouTube

RBN –Georgia Cyberwarfare – Continuation..

On Friday August 15th and over the weekend another dimension emerged in tracking RBN (Russian Business Network) server ranges. This concerns a new spam campaign which mocks Georgia's President, purports to come from the BBC and spreads a new virus. It is very well described by the UAB (University of Alabama) Spam Data Mine and on Gary Warner’s blog (see refs below).




The spam loads malware from various locations which in turn causes the virus to be delivered from a single location, the IP address 79.135.167.49. The malware is named "name.avi.exe", and at the moment only FOUR out of 36 anti-virus products detect it.
Why RBN, or rather, as in the title of this blog, ‘RBN and Related Enterprises’? We have commented before within this blog (see ref below) on 79.135.160.0/19 Sistemnet Telecom – AS9121 TTNet (Turkey), associated with AbdAllah_Internet cybercrime hosting (thecanadianmeds.com etc.); see Spamhaus’ many ROKSO listings (refs below).
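Two things in the paragraphs above are directly detectable at a web proxy or mail gateway: a download whose name hides an executable behind a media extension ("name.avi.exe"), and a destination inside a net block that has already been tied to cybercrime hosting (79.135.160.0/19). The script below is an added example by the editor, not part of the original post; the proxy log lines are constructed for the demo (the non-attacker addresses are documentation ranges), and the extension lists are assumptions you would tune for your own environment.

```python
import ipaddress
from urllib.parse import urlsplit

# Net block named in the post; add others as the investigation widens.
WATCHED_BLOCKS = [ipaddress.ip_network("79.135.160.0/19")]

# Final extensions Windows will execute, and the decoy "media/document"
# extensions spam lures put in front of them (assumed lists; extend as needed).
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXT = {"avi", "mpg", "mpeg", "wmv", "mp4", "jpg", "jpeg", "gif", "png",
             "pdf", "doc", "txt"}

# Constructed proxy log lines for the demo (not real traffic):
# epoch  client_ip  dest_ip  method  url
SAMPLE_LOG = """\
1218845010.123 10.0.0.21 79.135.167.49 GET http://79.135.167.49/name.avi.exe
1218845011.456 10.0.0.22 203.0.113.5 GET http://video.example.com/news/video.avi
1218845012.789 10.0.0.23 79.135.170.9 GET http://cdn.example.net/update.exe
1218845013.000 10.0.0.24 198.51.100.7 GET http://files.example.org/report.pdf.exe
"""


def file_name(url):
    """Last path component of the URL, lower-cased; the query string is ignored."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower()


def classify_name(name):
    """Reasons a downloaded file name is suspicious, least to most specific."""
    reasons = []
    parts = name.split(".")
    if len(parts) >= 2 and parts[-1] in EXEC_EXT:
        reasons.append("executable download")
        if len(parts) >= 3 and parts[-2] in DECOY_EXT:
            reasons.append("double extension (decoy media/document name)")
    return reasons


def in_watched_block(ip):
    """True if the destination sits inside one of the watched net blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in WATCHED_BLOCKS)


def scan(lines):
    """Return one alert per log line that trips a file-name or destination rule."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, dest, method, url = line.split()
        reasons = classify_name(file_name(url))
        if in_watched_block(dest):
            reasons.append("destination in watched block")
        if reasons:
            alerts.append({"ts": ts, "client": client, "dest": dest,
                           "url": url, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(a["client"], "->", a["url"], "|", "; ".join(a["reasons"]))
```

The two rules are deliberately independent: the net block catches the single delivery host even when the file name changes, and the double-extension rule catches the lure even after the hosting moves, which is exactly what the post observes happening.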




This provides a further element associated with Georgia and Mikheil Saakashvili: an ongoing attempt at character assassination, similar to the linking of the President to Nazi images, as Lenta.ru displayed with one of this blog’s images.






RBN or Cyberwar or not? - Nomenclature

Given this opportunity there has been a great deal of discussion within the community, after the event, as to whether this was RBN (Russian Business Network) or not RBN, cyberwar or hacktivists, Russian or not…


Without denigrating this important topic but “What walks like a duck, sounds like a duck, looks like a duck = maybe it’s a ______? (Fill in the blank)”


The cyber attacks against Georgia first originated from IP space in TTnet Turkish Telekom (as with this latest spam incident) that was known RBN, and the subsequent server actions, botnet methodology, and tools used were also known RBN: there is no question about the facts, and there is no compelling reason to doubt the implications.


To borrow a line from the movie “The Usual Suspects” about the arch-criminal Keyser Soze: “The greatest trick the Devil ever pulled was to make us believe he does not exist.” This was and still is the RBN’s greatest skill: to avoid detection, use deception and cause most onlookers to consider other suspects, in this case hacktivists, who are easily labeled unsophisticated, uncontrollable, and to be ignored as simpleton fanatics.


This provides a convenient transition to one-sided CYBERWAR against Georgia by Russia. Do we really expect Russia, or for that matter any state aggressor, to openly announce what methods of warfare they are using? For example, there is no specific information from Russian government sources about Russian army actions still underway within Georgia despite the ceasefire. Nor do they inform us that the 22nd Guards ObrSpN ‘Spetsnaz’ of Rostov Oblast may have been operating within Abkhazia and South Ossetia, dressed in the uniforms of the local militia, since mid-July 2008, if such an action was the case. Why would we expect them to announce CYBERWAR techniques also being used?


Two good sources of information may assist making a reasonable judgment:

Firstly the political: State Duma deputy and Security Committee member Nikolai Kuryanovich stated in 2006, within a formal Russian parliamentary letter of appreciation to hackers who had taken down several Israeli web sites:

"In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces." – Prediction or intent?


For the strategic, a few days ago:
“Cyber-attacks are part of the information war, making your enemy shut up is a potent weapon of modern warfare.” – as stated by Alexander Denezhkin, editor of the Russian journal Cybersecurity.ru.



Finally, a reasonable conclusion on the nomenclature is to consider the absurdity of treating the cyber criminal and national cyber security problems as separate matters. Consider: if any country had such a successful, existing Internet ‘black ops’ entity as the RBN within its borders, is it not logical that it would utilize or capitalize on such skills?


Perhaps what many find unpalatable is the example from the history of the 20th century, where there were similar apologists and we ignored developments in strategy and warfare such as the Blitzkrieg, at a huge later cost. This could be an early example of Russia asserting hegemony over, or controlling, its neighbors via an emerging “Cyber Iron Curtain”.




Jart Armin - RBNexploit.com



Refs:

UAB Spam Data Mine

UAB Blog

CanadianMeds - Sistemnet - TTnet

Spamhaus (a)

Spamhaus (b)





RBN – Extortion and Distributed Denial of Service (DDoS) Attacks

The Russian Business Network (RBN) has long been known for its bulletproof hosting and its control of botnets such as Storm. Apart from the obvious example of an RBN “hired gun” Distributed Denial of Service (DDoS) attack on Estonia in May 2007, many have attempted to comprehend and link the RBN’s usage of botnets. Within this article we shed light, via several documented examples, on how potential clients are extorted into using RBN “specialized” hosting services by means of DDoS, and give a further example of RBN ecommerce.



For those who wish to understand how a DDoS attack works via a botnet, see figure 1.


Figure 2 shows the evolution of DDoS over recent years by purpose and size, currently at 17+ Gbps (gigabits per second) and potentially 7,000 such attacks daily – courtesy of Prolexic Technologies (click on the figures to see full size, and see the links below).




The business model RBN uses is quite simple and effective: its affiliates and resellers comb various niche market forums and discussion areas for webmasters using or discussing protective web services, i.e. DDoS prevention. They carry out a DDoS attack on the web site and then make a third-party sales approach to the webmaster to “encourage” a sign-up for their DDoS prevention services. The cost of this hosting service is $2,000 per month.



These niche markets for the RBN are usually within the Internet market sectors of pornography and specialized grey areas, e.g. online pharmaceuticals and HYIP (High Yield Investment Programs). This blog is not commenting on the legitimate purpose or otherwise of these web sites; the RBN is successful because most of these webmasters are not about to publicly complain. However, it does appear that legitimate hosting services offering a level of DDoS prevention are vulnerable to the RBN’s monopolistic efforts to capture and control this high-income business. It further appears many such recruits are then encouraged to mitigate the costs by becoming resellers themselves of the hosting and other RBN services. It should be added that some of these resellers are unaware, or are happy to be ignorant, that they are actually part of the RBN reseller community.



For sample details we can start at the HYIP forum “Talkgold”; this is a fascinating knock-about discussion on RBN DDoS extortion (see link below) and provides some useful clues for RBN exposure.



However, the clearest evidence can be seen within another forum, “HotHYIPs”: figure 3 shows the details of RBN DDoS reselling, and figure 4 shows an example of grateful affiliates, with a US-based affiliate openly stating “Paid very fast. A very good return from a ddos attack.”



The prime sales link for the RBN hosting is via NEAVE LIMITED, a UK registered company, but the actual core serving is ELTEL, based in St. Petersburg, RU, one of the core replacement servers for the RBN post Nov 07, with 30 AS peers and 67,584 IP addresses. This is listed within Spamhaus (see link below) as “Botnet criminal Indian & .ru/.ua spammer host: NEAVE LIMITED” as of Jan 12th 08.



Eltel: IP range 81.9.8.0 - 81.9.8.255, AS20597; example sites hosted: goldenpiginvest.com / .net – thecanadianmeds.com – pharmacy-viagra.net



Already some of the notable blacklisted domains listed within the Spamhaus lasso have moved to other RBN-utilized AS servers, also using the RBN’s recent block-avoidance mechanism of wildcard sub-domains, “*.badsite.com”, so that every lure gets a fresh host name under an already listed domain. For example:

rxpharmacy-support.com - ns3.cnmsn.com - 204.13.67.108 - 204.13.64.0/21 AKANOC Solutions Inc - AS33314 (US)

*.thecanadianmeds.com - 79.135.160.0/19 Sistemnet Telecom - AS9121 TTNet (Turkey)

officialmedicines.com - 79.135.165.0-79.135.166.255 AS9121 TTNet (Turkey)

psxshop.com - 66.197.0.0/17 - AS29748 Carpathia Hosting
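The “*.badsite.com” trick only works against blocklists that match host names exactly; a lookup keyed on the registered domain and every parent label defeats it, but the obvious string-suffix shortcut over-blocks unrelated names that merely end in the same letters. The comparison below is an added example by the editor, not code from the original post; the blocklist entries are the four domains listed above and the test host names are made up.

```python
# Registrable domains listed above; the sub-domain labels are the attacker's choice.
BLOCKLIST = {
    "rxpharmacy-support.com",
    "thecanadianmeds.com",
    "officialmedicines.com",
    "psxshop.com",
}


def normalize(host):
    """Lower-case, strip whitespace and a trailing root dot so lookups are canonical."""
    return host.strip().rstrip(".").lower()


def exact_blocked(host, blocklist=BLOCKLIST):
    """Plain set lookup: defeated by any sub-domain the attacker invents."""
    return normalize(host) in blocklist


def naive_suffix_blocked(host, blocklist=BLOCKLIST):
    """String suffix match: catches sub-domains, but also collateral such as
    notthecanadianmeds.com, so do not use this in production."""
    h = normalize(host)
    return any(h.endswith(bad) for bad in blocklist)


def suffix_blocked(host, blocklist=BLOCKLIST):
    """Label-aware match: walk from the full name up toward the TLD and block if
    the name itself or any ancestor domain is listed."""
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def compare(host):
    """Show how the three strategies disagree on one host name."""
    return {
        "exact": exact_blocked(host),
        "naive_suffix": naive_suffix_blocked(host),
        "label_suffix": suffix_blocked(host),
    }


if __name__ == "__main__":
    for h in ("thecanadianmeds.com", "x7k2q.thecanadianmeds.com",
              "a.b.c.officialmedicines.com", "notthecanadianmeds.com", "example.com"):
        print(f"{h:32} {compare(h)}")
```

The label walk is the same rule a DNS response policy zone applies when it carries both `badsite.com` and `*.badsite.com` entries; keep the blocklist to registrable domains rather than individual hosts, otherwise the wildcard trick wins again.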




To further demonstrate RBN connectivity, “goldenpiginvest.net” links directly to data storage on Level3 Communications, box(dot)net (see figure 5), a service that provides the ability to collaborate and share files online. This was shown in an earlier RBN blog article concerning 365fastcash and the RBN’s Panama-based servers (see link below). No doubt Level 3 will be able to (again) inform US authorities of the content of these data files, and terminate such services.






Figure 6 – IP diagram for *.thecanadianmeds.com






Links:

Prolexic Technologies - DDoS information - figures 1 & 2


RBN DDoS extortion Talkgold forum discussion


HotHYIPs forum RBN reseller advertising and remarks


Spamhaus botnet lasso - NEAVE LIMITED / Eltel, St. Petersburg RU


Level3 Communications; box(dot)net; goldenpiginvest.net & 365fastcash common linkages