ScamFraudAlert forum: DDOS & Spam Attacks - Storm Worm Botnets and Zombie Computers
#1  Scrub (Administrator), 12-29-07, 07:50 PM
Russian Business Network (RBN)

We Know Our Botnet Master
Is Part of The Russian Business Network (RBN)

From Wikipedia, the free encyclopedia

The Russian Business Network (commonly abbreviated as RBN) is a Russian Internet Service Provider based in St. Petersburg which is notorious for its hosting of illegal and dubious businesses, including child pornography, phishing and malware distribution sites.


Activities
The RBN has been described as "the baddest of the bad". It offers web hosting services and internet access to all kinds of criminal and immoral activities, with individual activities earning up to $150m in one year. Businesses that take active stands against such attacks are sometimes targeted by denial of service attacks originating in the RBN network.[2] RBN sells its services to these operations for $600 per month.[1]

The business is difficult to trace. It is not a registered company, and its domains are registered to anonymous addresses. Its owners are known only by nicknames. It does not advertise, and trades only in untraceable electronic transactions.[2]

One increasingly known activity of the RBN is an exploit delivery method that applies fake anti-spyware and anti-malware for the purpose of PC hijacking and personal identity (ID) theft.[1] According to McAfee’s SiteAdvisor, MalwareAlarm is a dangerous fake anti-spyware software and is an updated version of Malware Wiper. They tested 279 “bad” downloads from this one site.[2] The methodology is to entice the user to use a “free download” to test for spyware or malware on their PC; MalwareAlarm then displays a warning message of problems on the PC to persuade the unwary web site visitor to purchase the paid version. Along with MalwareAlarm, numerous other rogue software packages are linked to and hosted by the RBN.[3]

According to Spamhaus, RBN is “Among the world's worst spammer, child-pornography, malware, phishing and cybercrime hosting networks. Provides "bulletproof hosting", but is probably involved in the crime too”.[4] RBN was the subject of an article in the Washington Post on October 13, 2007, where Symantec and other security firms claim RBN provides hosting for many illegal activities, including identity theft and phishing. The article quotes a spokesman for Kaspersky Labs that the owners of RBN might not have directly violated the law as they primarily provide hosting services; their customers are apparently the ones violating laws.
#2  Scrub (Administrator), 12-29-07, 07:56 PM
Sophisticated Attackers

Quote:
Scrub,

I think you're being hit by a bit more Sophisticated DDOS than just a GET flood.

Sincerely,

Your Hosting Company


To review a summary of your work order, click the following link:

Quote:
Scrub,


I'll let you know as soon as I have an update. You seem to have some fairly Sophisticated Attackers.

Thanks,


To review a summary of your work order, click the following link:
#3  Scrub (Administrator), 12-29-07, 08:23 PM
Russian Business Network aka "Flyman"

Quote:
Brian Krebs of the Washington Post has written a series of articles that detail the activities of this group. One needs to understand how powerful and dangerous this group is.


Shadowy Russian Firm Seen as Conduit for Cybercrime

Mapping the Russian Business Network

WashingtonPost.com - Security FIX

#4  Scrub (Administrator), 12-29-07, 08:46 PM
The Economist - A Walk On The Dark Side

A Walk On The Dark Side
Aug 30th 2007
From Economist.com

ACCORDING to VeriSign, one of the world’s largest internet security companies, RBN, an internet company based in Russia’s second city, St Petersburg, is “the baddest of the bad”. In a report seen by The Economist, VeriSign’s investigators unpick an extraordinary story of blatant cybercrime that implies high-level political backing.

In one sense, RBN (Russian Business Network) does not exist. It has no legal identity; it is not registered as a company; its senior figures are anonymous, known only by their nicknames. Its web sites are registered at anonymous addresses with dummy e-mails. It does not advertise for customers. Those who want to use its services contact it via internet messaging services and pay with anonymous electronic cash.

But the menace it poses certainly exists. “RBN is a for-hire service catering to large-scale criminal operations,” says the report. It hosts cybercriminals, ranging from spammers to phishers, bot-herders and all manner of other fraudsters and wrongdoers from the venal to the vicious. Just one big scam, called Rock Phish (where gullible internet users were tricked into entering personal financial information such as bank account details) made $150m last year, VeriSign estimates.

Plenty of other internet companies sail close to the wind—hosting unregulated online gambling for example. But according to a VeriSign investigator, “the difference is that RBN is solely criminal”. The pricing depends on the level of complaints. A discreet organisation pays little; one that attracts a lot of unwelcome attention, forcing RBN to take expensive countermeasures, has to pay more.

Despite the attention it is receiving from Western law enforcement agencies, RBN is not on the run. Its users are becoming more sophisticated, moving for example from simple phishing (using fake e-mails) to malware known as “trojans” that sit inside a victim’s computer collecting passwords and other sensitive information and sending them to their criminal masters.

A favourite trick is to by-pass the security settings of a victim's browser by means of an extra piece of content injected into a legitimate website. An unwary user enters his password or account number into what looks like the usual box on his log-in page, and within minutes a programme such as Corpse’s Nuclear Grabber, OrderGun and Haxdoor has passed it to a criminal who can empty his bank account. When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. “Every major trojan in the last year links to RBN” says a VeriSign sleuth.

RBN even fights back. In October 2006, the National Bank of Australia took active measures against Rock Phish, both directly and via a national anti-phishing group to which the bank’s security director belonged. RBN-based cybercriminals replied by crashing the bank’s home-page for three days.

What can be done? VeriSign has tracked down the physical location of RBN’s servers. But Western law enforcement officers have so far tried in vain to get their Russian counterparts to pursue the investigation vigorously. “RBN feel they are strongly politically protected. They pay a huge amount of people. They know they are being watched. They cover their tracks,” says VeriSign. The head of RBN goes under the internet alias “Flyman”; his uncle is thought to be a senior St Petersburg politician. Repeated e-mails to RBN’s purported contact addresses asking for comment have gone unanswered.

Companies can simply block access to any site registered at an RBN IP address. But that will not help most victims, such as those who receive infected e-mails. VeriSign says only strong political pressure on Russia will make the criminal justice system there deal with this glaring example of cyber-illegality.


Economist.com
#5  Scrub (Administrator), 12-29-07, 09:13 PM
Re: Russian Business Network aka "Flyman"

Is this the end of the Russian Business Network?
Dan Kaplan Nov 9 2007 10:02

A shadowy Russia-based internet service provider, which security researchers said is responsible for hosting two out of every three malicious web attacks, has been forced to close its doors.

SC Magazine
#6  Scrub (Administrator), 12-30-07, 07:56 PM
Russian Business Network aka "Flyman"

2007.08.08: Uncovering Online Fraud Rings:
The Russian Business Network
The Russian Business Network (RBN) developed into its current incarnation as "the baddest of the bad" Internet service provider (ISP) in June 2006. Before then, much of the malicious code currently hosted on RBN servers was located on the IP block of another St. Petersburg ISP, the now-defunct ValueDot. Like ValueDot before it, but unlike many ISPs that host predominately legitimate items, RBN is entirely illegal. VeriSign iDefense research identified phishing, malicious code, botnet command-and-control (C&C), and denial of service (DoS) attacks on every single server owned and operated by RBN.


VeriSign iDefense Security

Last edited by Scrub; 12-30-07 at 08:02 PM.
#7  ScamBuster (Admin Assistance), 12-31-07, 02:01 PM
Everything You Need To Know About Russian Business Network

Everything You Want To Know About
Russian Business Network


RBN – New and Improved Storm Botnet for 2008

Obviously the Russian Business Network (RBN) is working overtime during the Christmas and New Year holiday, no doubt planning for many in the ISP security and anti-spam arena to be on skeleton staff.

Many will now have already seen reports of the Storm Botnet outbreak which started on December 24th (“MerryChristmasDude”), with a good write-up at ComputerWorld and technical details at ISC Sans or HolisticInfoSec (links in footer). This picture is changing rapidly, and by December 26th there were new web sites “Uhavepostcard” and “HappyCards2008”, with no doubt more to come over the next few days.

Three of the key web sites have the following registrant information, all registered via “ANO REGIONAL NETWORK INFORMATION CENTER DBA RU (Russia)” in chronological order:
Domain Name: MERRYCHRISTMASDUDE.COM - Creation Date: Nov 27 2007
Domain Name: UHAVEPOSTCARD.COM - Creation Date: Dec 23 2007
Domain Name: HAPPYCARDS2008.COM - Creation Date: Dec 26 2007

The key objective for the RBN is to rebuild the Storm Botnet, which is shown in various reports over the last few months to have shrunk from a few million enslaved PCs to, more recently, a few hundred thousand. One can only further guess at what the RBN’s main goal for a rebuilt Storm Botnet is, e.g. the earlier DDOS (Denial of Service attack) on Estonia.

There are some interesting elements which make this attack innovative:

# Although much of what is detected is conventional spam, there is also a large amount of spam which is getting through many anti-spam defenses due to the use of “fake” BlogSpot (Blogger) links, for example in a small sample:

hxxp://dantipXXXX.blogspot.com/?soapwerzpordeecaspewtkk153trajspeak hxxp://isakovkapitonXXXX.blogspot.com/?harkwerzpordeecaspewtkk153trajfloor

The common part of the suffix is “pewtkk153traj” which redirects to Geocities web sites and then a further redirect to the Storm exploit domains.

# Although most have identified it as the Zhelatin Storm email worm or a variant, it also appears as the more recent fake codec downloads, dependent upon where the unfortunate user has come from. This now shows a “polymorphic” format, i.e. the virus or exploit has the ability to alter its signature in an attempt to combat anti-virus tools.

# The fast-flux technique used to avoid detection in this case is actually “double-flux”, characterized by multiple nodes within the network registering and de-registering their addresses (see the sample maps below, taken within one-hour periods, which show the fast-flux DNS changes). It is also safe to say this newer Storm Network now also has improved defense mechanisms, if examined too closely.

[sample fast-flux DNS map images not reproduced; node shown: 85.255.119.202]
Last edited by Scrub; 04-03-08 at 10:09 AM.
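As an added defender-side illustration (not part of the post above or of any report it cites), the following Python scores a series of resolver snapshots for the churn that distinguishes the "double-flux" described there from ordinary hosting: the A records behind the domain rotate through a large pool of addresses with short TTLs, and the name servers rotate as well. The snapshot data, address pools and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass
class Snapshot:
    """One resolver query of the suspect domain (constructed data)."""
    minute: int          # minutes since the first observation
    a_records: Set[str]  # IPs answered for the domain itself
    ns_ips: Set[str]     # IPs of the authoritative name servers
    ttl: int             # TTL (seconds) on the A answers

def churn(sets: List[Set[str]]) -> Dict[str, float]:
    """Distinct addresses seen overall, and how many nodes registered or
    de-registered between consecutive snapshots (the double-flux signature)."""
    distinct = set().union(*sets)
    turnover = sum(len(prev ^ cur) for prev, cur in zip(sets, sets[1:]))
    per_answer = max(len(s) for s in sets)
    return {"distinct": len(distinct), "turnover": turnover,
            "ratio": len(distinct) / max(1, per_answer)}

def classify(snaps: List[Snapshot], ratio: float = 3.0, max_ttl: int = 600) -> str:
    """'double-flux' if both A and NS answers churn, 'single-flux' if only
    the A answers do, otherwise 'stable'. Thresholds are assumed values."""
    a = churn([s.a_records for s in snaps])
    ns = churn([s.ns_ips for s in snaps])
    low_ttl = min(s.ttl for s in snaps) <= max_ttl
    a_flux = a["ratio"] >= ratio and a["turnover"] > 0 and low_ttl
    ns_flux = ns["ratio"] >= ratio and ns["turnover"] > 0
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "stable"

def sample_flux() -> List[Snapshot]:
    """Constructed hourly snapshots: 4 A records rotated through a pool of 20
    bot IPs and 2 NS IPs rotated through a pool of 8, TTL 300 s."""
    pool_a = [f"203.0.113.{i}" for i in range(1, 21)]
    pool_ns = [f"198.51.100.{i}" for i in range(1, 9)]
    return [Snapshot(60 * h,
                     {pool_a[(4 * h + k) % 20] for k in range(4)},
                     {pool_ns[(2 * h + k) % 8] for k in range(2)},
                     300) for h in range(6)]

def sample_stable() -> List[Snapshot]:
    """Constructed snapshots of an ordinary site: same answers every hour."""
    return [Snapshot(60 * h, {"192.0.2.10", "192.0.2.11"},
                     {"192.0.2.53", "192.0.2.54"}, 86400) for h in range(6)]
```

`classify(sample_flux())` returns `"double-flux"` and `classify(sample_stable())` returns `"stable"`; on real data the snapshots would come from repeated queries of the same domain at the one-hour spacing the post mentions.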
#8  ScamBuster (Admin Assistance), 09-07-08, 10:31 AM
Russian Business Network aka "Flyman"

Report calls out Atrivo (Intercage) and affiliates
Posted by Maxim Weinstein Thu, 28 Aug 2008 19:12:42 GMT

Jart Armin, StopBadware.org community volunteer and intrepid security researcher, released a report today that concludes that Intercage and Atrivo, a California-based family of companies that operate web hosting, domain registration, and other online services, are a hub of badware activity:

Atrivo is a major hub of cyber crime based within the USA, and has been known as such within the Internet community for many years. Within this study we provide detailed evidence not only for public and community awareness but also to provide evidence for action.

[...]

Atrivo’s reach in the cyber crime community and the Internet as a whole runs deep. From their partners in crime, to the domain registration and hosting services it has to be remembered this is deliberately misleading to avoid detection.

Some of the companies included in the report have built a reputation in the security community as being havens for this type of activity, and Jart’s extensive research raises questions about the degree to which these companies are aware of, and turn a blind eye to, badware activity on their systems.

The author and his collaborators also produced a video demonstrating how an Internet user can have his computer exploited via the systems and methods they describe in the report.

Note: StopBadware.org contributed data (based on our analysis of data received from Google and supplemented with information from Team Cymru) to Mr. Armin, as we support community-based research into badware trends. We did not vet, and do not have any official position on, the report’s conclusions.



WashingtonPost.com - Report Slams U.S. Host as Major Source of Badware - Security Fix
stopBADware.org