Saturday, November 03, 2007

Detecting and Blocking the Russian Business Network

Bleeding Edge Threats recently announced the release of some very handy RBN blocking/detecting rulesets :

"Call these hosts what you like, we see a large amount of hostile activity from these nets, and get little to no abuse response for takedown, Do what you will with this information."

Remember RBN's fake anti virus and anti spyware software? The list is getting bigger with another 20 additions again hosted on RBN IPs exposed by the RBNExploit blog.

Meanwhile you may be also be interested in how does an abuse request get handled at the RBN? Deceptively of course. Each and every domain or IP that has been somehow reported malicious to them, not once but numerous times by different organizations starts serving a fake account suspended message like the following malicious domains hosted at the RBN do :

"This Account Has Been Suspended For Violation Of Hosting Terms And Conditions. Please contact the billing/support department as soon as possible"

- superengine.cn (81.95.149.181) - fake account suspended message, no malicious script at front page but within the domain

- eliteproject.cn (81.95.149.124) - fake account suspended message, no malicious script at front page but within the domain

- space-sms.info (200.115.174.248) - fake account suspended, loads the malicious takenames.cn

- lem0n.info - (200.115.174.248) fake account suspended message, obfuscated javascript to bl0cker.info

- worldtraff.cn (200.115.174.248) - fake account suspended message, loads bl0cker.info and takenames.cn

- takenames.cn (58.65.239.66) - fake of eValid web testing solution, interacting with all of these domains

Dots, dots, dots, 58.65.239.66 or takenames.cn for the time being, used to resolve to goodtraff.biz in the past, another RBN operation we know from the Bank of India hack, where the second RBN IP was used in the most recent Possibility Media's Malware Fiasco as well.