Tuesday, October 23, 2007

Over 100 Malwares Hosted on a Single RBN IP

The never-ending saga of whether or not the Russian Business Network hosts malware on behalf of its customers enters an entirely new phase with the discovery of over 100 malware samples hosted on a single IP - 81.95.149.51/ms - where the directory listing indicates that the earliest binary was uploaded on 19-Sep-2006 and the most recent one on 28-May-2007. Had the directory listing been denied, we would only be speculating about such a development; since it obviously isn't, sooner or later they'll simply rename the directory, as they apparently did in the past from 81.95.149.51/ms21 to 81.95.149.51/ms51 and on to the current one.

Meanwhile, at the time of blogging there's an active mass-mailing campaign going on that's exploiting the recent mailto PDF vulnerability. Guess where the PDF file's payload points to? The Russian Business Network, again, again and again.