RBN (Russian Business Network) - A User's Guide

99 views
Skip to first unread message

Jart

unread,
Sep 28, 2007, 2:10:32 PM9/28/07
to stopbadware
I hope all have seen the article below, thanks to Verisign / iDefense
(version from Economist) - at last a major has started to "do
something" about these guys, at least inform. To all webmasters here,
by any estimate the RBN are responsible for maybe 60% of exploits to
"your" website. The more "we" all inform anyone we can get to the
better.

Also for added info go to:

http://rbnexploit.blogspot.com

http://en.wikipedia.org/wiki/Russian_Business_Network


ACCORDING to VeriSign, one of the world's largest internet security
companies, RBN, an internet company based in Russia's second city, St
Petersburg, is "the baddest of the bad". In a report seen by The
Economist, VeriSign's investigators unpick an extraordinary story of
blatant cybercrime that implies high-level political backing.


In one sense, RBN (Russian Business Network) does not exist. It has no
legal identity; it is not registered as a company; its senior figures
are anonymous, known only by their nicknames. Its web sites are
registered at anonymous addresses with dummy e-mails. It does not
advertise for customers. Those who want to use its services contact it
via internet messaging services and pay with anonymous electronic
cash.


But the menace it poses certainly exists. "RBN is a for-hire service
catering to large-scale criminal operations," says the report. It
hosts cybercriminals, ranging from spammers to phishers, bot-herders
and all manner of other fraudsters and wrongdoers from the venal to
the vicious. Just one big scam, called Rock Phish (where gullible
internet users were tricked into entering personal financial
information such as bank account details) made $150m last year,
VeriSign estimates.

Despite the attention it is receiving from Western law enforcement
agencies, RBN is not on the run. Its users are becoming more
sophisticated, moving for example from simple phishing (using fake e-
mails) to malware known as "Trojans" that sit inside a victim's
computer collecting passwords and other sensitive information and
sending them to their criminal masters.


A favorite trick is to by-pass the security settings of a victim's
browser by means of an extra piece of content injected into a
legitimate website. An unwary user enters his password or account
number into what looks like the usual box on his log-in page, and
within minutes a program such as Corpse's Nuclear Grabber, OrderGun
and Haxdoor has passed it to a criminal who can empty his bank
account. When VeriSign managed to hack into the RBN computer running
the scam, it found accumulated data representing 30,000 such
infections. "Every major Trojan in the last year links to RBN" says a
VeriSign sleuth.


RBN even fights back. In October 2006, the National Bank of Australia
took active measures against Rock Phish, both directly and via a
national anti-phishing group to which the bank's security director
belonged. RBN-based cybercriminals replied by crashing the bank's home-
page for three days.


What can be done? VeriSign has tracked down the physical location of
RBN's servers. But Western law enforcement officers have so far tried
in vain to get their Russian counterparts to pursue the investigation
vigorously. "RBN feel they are strongly politically protected. They
pay a huge amount of people. They know they are being watched. They
cover their tracks," says VeriSign. The head of RBN goes under the
internet alias "Flyman". Repeated e-mails to RBN's purported contact
addresses asking for comment have gone unanswered.

Jart

unread,
Oct 2, 2007, 10:02:34 AM10/2/07
to stopbadware
Russian Business Network (RBN) - iFrame Cash and Layered Technologies;
StopBadWare makes the difference!

According to a recent news article in net-security.org Todd Abrams,
the CEO of Layered Technologies had released a statement in which he
stated that the company's support database was a target of malicious
activity on the evening of September 19th 2007. The incident may have
involved the illegal downloading of information such as names,
addresses, phone numbers, email addresses and server login details for
up to 6,000 clients.

In an earleir post in StopBadWare there was a copy of the email to
Layered Technologies abuse team, concerning their dedicated hosting of
one of the Russian Business Network's (RBN) key "commercial" web
enterprises ref: iFrame Injection Source? . Although there was never a
reply to any email, but possibly with the added assistance of our
bigger friends, they or the RBN obviously took action. This is seen by
the change; on September 9th 2007 the change from 72.36.199.58 (USA-
Layered Technologies Hosting) to 81.95.153.245 (Russian Federation -
Aki Mon Telecom hosting - AKA "RBN"). For those who like the specific
details see http://rbnexploit.blogspot.com.

It is reasonable to assume this attack on Layered Technologies was
part of the RBN's normal procedure to wreak revenge upon those who try
to rid themselves of the RBN's grip. This was just as they did to
National Bank of Australia, the Bank of India, and many others.

Hopefully more web hosts will examine who they have as customers in
the first place, rather than the value of the credit card?

badware...@gmail.com

unread,
Oct 4, 2007, 11:29:43 AM10/4/07
to stopbadware
Every single webmaster should fight against this crap, you already
know you can count on me to fight them, my site was hacked and I won't
let it happen again!! NO!! NEVER!! they earn money by the worst way of
doing it, just injecting their malware around... they won't get a cent
out of my purse...

don't forget to post the list of "baddies" every one should ban for
life from their sites! i'll do it straight away...you're info is
always quite useful!

Jart

unread,
Oct 12, 2007, 4:10:30 AM10/12/07
to stopbadware
Fellow webmasters it appears another story unfolds concerning the RBN
and US based hosting . All should read and includes a video of the
recent and fascinating reports within CIO written by By Scott Berinato
in conjunction with SecureWorks researcher Don Jackson was focused on
the technical analysis of form-grabbing software, via access to
76service (dot)com. Subscribers to 76 service could log in, pull down
the latest drops, i.e. data deposits from the Gozi-infected machines
they subscribed to sent to the servers, like the 3.3 GB one Jackson
had found containing more than 10,000 online credentials (ID theft)
taken from 5,200 PCs.

76service (dot) com (66.232.122.239) and related, reveals a detailed
hosting history and CBL / SBL blacklisting, but apparently is still
currently hosted by "coolservecorp (dot) net" i.e. Noc4hosts Inc, with
their servers stated as being in Lykes Building, Tampa, FL, USA.

Even more concerning is the fact that there are reports of website
hacking, iFrame exploits and hijacking at these hosts, not quite
reported yet on the scale of the recent iPower (10,000+ sites
exploited) problem but significant and growing. However the potential
"internal" target for the RBN here is staggering, if correlating the
potentially "infectable" IP domains from AS29802, AS3595, and AS29802
is a total of 1,296,640 IP addresses.

Any reasonable conclusion again asks the question; are the RBN's
"bullet proof" servers operating with apparent impunity from within
large low cost shared and dedicated hosting services within the US at
coolservecorp / Noc4Hosts, The Planet or similar?

See , http://rbnexploit.blogspot.com/2007/10/rbn-76service-gozi-hangup-team-and-us.html
for the full story.

Jart


On Oct 4, 4:29 pm, "badwareaven...@gmail.com"

Jart

unread,
Oct 24, 2007, 6:14:43 PM10/24/07
to stopbadware
In a continuation of the discovery of the Russian Business Network's
(RBN) "Retail Division" (see http://rbnexploit.blogspot.com) one of
the most important exploit delivery methods is the fake; anti-spyware
and anti-malware for PC hijacking and personal ID theft. The blog
article shows "The RBN's Top 20 - fakes" this detailed research was
inspired by co-operation with another independent RBN researcher's
blog http://ddanchev.blogspot.com/2007/10/russian-business-network.html
.

For example, MalwareAlarm is dangerous fake anti-spyware software and
it is an update version of Malware Wiper. MalwareAlarm is stealth
based malware, according to McAfee's Site Advisor (http://
www.siteadvisor.com/sites/malwarealarm.com) they tested 279 "bad"
downloads. The methodology is to get the user to use a "free download"
to test their PC, MalwareAlarm then displays a warning message to
purchase the paid version of MalwareAlarm, and of course the damage is
done with the initial action. The user then "pays" $$$ to the RBN for
more PC hijacking, ID theft exploits and ensures the PC user is
enslaved!

If any think this must be a limited number of PC users being tricked
into visiting these fake sites, think again. MalwareAlarm's web site
has an Alexa rating of 8,201 about the same as jellyfish.com, an
auction site recently acquired by Microsoft. As a sample according to
Alexa (and their figures are pretty accurate) 40% of all visitors are
from USA, and that 40% alone equals 2 million visitors + per month.

The good news, at least this discovery and being able to provide
advice to the community, does show that even a few activist netizens
can make a difference, maybe even help STOP?

Jart

> See , http://rbnexploit.blogspot.com/2007/10/rbn-76service-gozi-hangup-team...

Reply all
Reply to author
Forward
0 new messages