Thursday, October 18, 2007

The Russian Business Network

In case you haven't come across it before, here's an informative blog whose objective is to track events related to the Russian Business Network (RBN) and expose its nodes along the way:

"Everything you wanted to know about the RBN and related enterprises - AKA ; Russian Business Network, RBNnetwork, RBusinessNetwork; the Internet Community's favorite - exploiters, phishers, hacks, spammers, etc."

Under the pressure put by the "wisdom of crowds" collective intelligence capabilities in analyzing the pieces of the puzzle that make up the big picture of the Russian Business Network, a representative of the RBN speaks out for the first time:

"We can't understand on which basis these organizations have such an opinion about our company," Tim Jaret of the Russian Business Network says in an e-mail interview. "We can say that this is subjective opinion based on these organizations' guesswork." Jaret's e-mail signature identifies him as working in RBN's abuse department. Security researchers and anti-spam groups say the St. Petersburg-based RBN caters to the worst of the internet's scammers, renting them servers used for phishing and malware attacks, all the while enjoying the protection of Russian government officials. A report by VeriSign called the business "entirely illegal."

What is the RBN, at the bottom line? A diversified set of IP blocks located in different parts of the world, which periodically appear within the deobfuscated JavaScript of sites that got IFRAME-ed and were found to serve malware by exploiting outdated browser vulnerabilities. What's more interesting to me than "yet another popular site which got IFRAME-ed by the RBN's network" is the success of the popular malware exploitation kits using outdated and already patched vulnerabilities. What use are patches when no one is applying them, and aren't unpatched vulnerabilities just as effective as zero day ones? Yes, they are.
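The pattern described above, an injected hidden IFRAME whose source points straight at an IP in a known-bad netblock, is something a defender can sweep a page for. The following is an added example, not code from the original post: it parses HTML, flags IFRAMEs that are hidden (zero or one pixel geometry, or hidden via style) and whose src is a literal IP inside a watch-listed block. The netblocks and the sample HTML are constructed placeholders (RFC 5737 documentation ranges), not real RBN ranges, and no DNS is performed so it runs offline.

```python
# Added example: flag hidden <iframe> injections whose src host falls in a
# watch-listed netblock. Netblocks and sample HTML are constructed placeholders.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder blocks (RFC 5737 documentation ranges), NOT real RBN ranges.
WATCHLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def looks_hidden(attrs):
    """Zero/one pixel geometry or a hiding style: the usual injected-IFRAME look."""
    tiny = attrs.get("width", "") in ("0", "1") or attrs.get("height", "") in ("0", "1")
    styled = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", attrs.get("style", ""), re.I)
    return tiny or styled is not None


def host_in_watchlist(host):
    """True if host is a literal IP inside a watch-listed block (no DNS lookups)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in WATCHLIST)


def find_suspicious_iframes(html):
    """Return (src, reasons) for each IFRAME that looks injected; others are skipped."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if looks_hidden(attrs):
            reasons.append("hidden")
        if host_in_watchlist(urlparse(src).hostname or ""):
            reasons.append("watchlisted-ip")
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed sample page: one injected IFRAME next to a legitimate one.
SAMPLE = """<html><body><h1>News</h1>
<iframe src="http://203.0.113.45/in.cgi?3" width=0 height=0 style="visibility:hidden"></iframe>
<iframe src="https://www.example.org/widget" width="300" height="200"></iframe>
</body></html>"""
```

A production version would also resolve hostnames before the netblock check and feed the hits into the site's abuse workflow rather than just returning them.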

Issues to consider:

- the RBN offers bullet proof hosting upon signing some sort of contract, which lets it easily forward the responsibility for the malware, phishing and spamming to the customer doing the hosting: on a contract basis, those hosting such content violate their TOS agreement. Whether the RBN will remove them in a self-regulating manner, or wait for an abuse letter to come and then delay it for a couple of weeks while the campaign is still active, is an entirely different topic

- during the first couple of hours of the Bank of India hack, once vendors and researchers started assessing the site, the RBN IP that was used as a redirector removed the JavaScript obfuscation and forwarded every visitor to My point is that, unless real-time CYBERINT is collected by trusted parties, it would be very hard to come up with historical evidence of some of their malicious activities

- despite being a consolidated organization offering bullet proof hosting, they're still not fast-fluxing any of their services on a large scale (which would indicate a botnet behind the fast-flux), and while they're still just a couple of netblocks to filter, it could get uglier and harder to trace back. So let's "appreciate" the RBN's laziness for the time being

- the RBN is the tip of the iceberg; its clients' successes, in the form of RBN IPs embedded in the most recent malware cases, led to the inevitable wisdom of crowds effect. What about the hundreds of thousands of other, not so well known, malware serving netblocks?

What were some of the most recent cases where RBN IPs were used to serve malware? The Massive Embedded Web Attack in Italy used to orbit around RBN IPs, various other exploit serving domains and the fake were using RBN IPs, Bank of India's IFRAME and several MPack control panels were pointing to RBN's network too, as was the most recent malware attack. It gets even more interesting.

Here, for instance, are some of the fake anti-virus and anti-spyware applications hosted at the Russian Business Network at the time of blogging. The applications are cute, little, tiny 35kb adware : - active - Adware.Spysheriff - active - active - 403 forbidden - Adware.Spysheriff - active - expired - VirusBurst - Application.Antivermins.B / Virus.Win32.Spycrush.B - Adware.Spysheriff

The enemy you know is better than the enemy you don't know, but on a large scale I fear the enemy I don't know, namely the hundreds of thousands of script kiddies now empowered with open source and localized malware kits. Here are two more related blog posts on the RBN as well.