Monday, November 26, 2007

Exposing the Russian Business Network

It was about time someone came up with an in-depth study summarizing all of the Russian Business Network's activities. For me personally, 2007 is the year when bloggers demonstrated what the wisdom of the crowds really means, by putting each and every piece of the puzzle together to come up with the complete picture, one the whole world benefits from. A highly recommended account of the RBN's activities, courtesy of David Bizeul's "Russian Business Network study":

"It’s interesting to observe that many recent cyber crime troubles are relating to Russia. This observation is obviously a simple shortening. Indeed nothing seems to link to Russia at first sight; it’s a nasty country for sending spam but many are worse, Russia is only the 8th top spam country. We need to dig deeper to identify that cyber crime is originating mostly from Russian dark zones. In a digital world, those dark zones exist where the Internet becomes invisible and it’s used for collecting phishing sites’ credentials, for distributing drive-by download exploits, for collecting malware-stolen data, etc. It’s a considerable black market as it has been revealed in this paper. A lot of information can be available over the web on Russian malicious activities and precisely on the way RBN (Russian Business Network) plays a major role in these cases."

What, at the bottom line, contributed to such a well coordinated exposure of the RBN during the last two quarters? It's not just security researchers exchanging info behind the curtains, but mostly RBN's customers' confidence in RBN's ability to remain online. And while remaining online has never been a problem for the RBN, once DIY IP blocking rulesets became available for the world to use, they undermined its ability to remain undetected. In fact, I was about to start a contest asking anyone to come up with an IP with a clean reputation within the RBN's main netblock right before it disappeared, and would have been surprised if someone managed to find one.

The RBN doesn't just make mistakes when its customers embed malware hosting and live exploit URLs in each and every malware and high-profile attack during the year; it simply doesn't care about covering its tracks, and neither do its customers. RBN's second biggest mistake, the one that earned it so much attention, is laziness, which comes in the form of over 100 pieces of malware hosted on a single IP without bothering to take care of the directory listing permissions, allowing my neatly crafted OSINT gathering techniques to come up with yet more proof of the common belief in their practice of laziness. Moreover, the KISS strategy that I often relate to the successful malicious economies of scale malware authors achieve through DIY malware kits using outdated exploits, rather than bothering to purchase zero day ones, didn't work for the RBN. Remember that each and every one of the several Storm Worm related IPs I once covered was returning fake suspended account notices in a typical KISS strategy, while the live exploit URLs and the actual binaries were still active within the domains.

This isn't exactly what you would expect from what's turning into a case study on conversational marketing, or perhaps on how conversational marketing provokes the wisdom of crowds effect to materialize, so that the entire community benefits from everyone's contribution - in this case, exposing the RBN.

How would the RBN change its practices in the upcoming future given all the publicity it received recently? It will simply stop benefiting from the ease of management of its old centralized infrastructure and will segment the network into smaller pieces; but while still providing services to its old customers, those are easy to trace back. To sum up this post in one sentence - the Russian Business Network is alive, and is providing the same services to the same customers, including malware and live exploit hosting URLs, under several different netblocks.
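The netblock-based blocking the post credits with undermining the RBN's ability to stay undetected, together with the point that the same services now sit under several smaller netblocks, as an added example (not part of the original post or of David Bizeul's study): a small Python check that loads a "label,netblock" ruleset and flags outbound proxy log entries whose destination falls inside any listed netblock. The netblocks, labels and log lines are constructed placeholders (RFC 5737 documentation ranges), not real RBN ranges.

```python
import ipaddress
import re

# Constructed blocklist in the spirit of the DIY IP blocking rulesets the post
# mentions: one "label,netblock" per line. The netblocks are RFC 5737
# documentation ranges, not real RBN ranges; the labels are placeholders.
RULESET = """
# label,netblock
old-netblock,192.0.2.0/24
segment-a,198.51.100.0/26
segment-b,203.0.113.128/25
"""

# Constructed outbound proxy log lines: time, client, destination IP, URL.
SAMPLE_LOG = """
2007-11-26T10:01:02 10.0.0.5 192.0.2.17 http://example.invalid/exp/index.php
2007-11-26T10:01:09 10.0.0.5 198.51.100.9 http://example.invalid/bin/load.exe
2007-11-26T10:02:41 10.0.0.8 198.51.100.200 http://example.invalid/ok.html
2007-11-26T10:03:00 10.0.0.9 203.0.113.200 http://example.invalid/s.php
"""

LOG_RE = re.compile(r"^\S+ \S+ (\S+) (\S+)$")  # captures destination IP and URL


def load_ruleset(text):
    """Parse 'label,cidr' lines into (label, network) pairs, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, cidr = (part.strip() for part in line.split(",", 1))
        rules.append((label, ipaddress.ip_network(cidr, strict=False)))
    return rules


def match_netblock(ip, rules):
    """Return the label of the first netblock containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((label for label, net in rules if addr in net), None)


def flag_log(log_text, rules):
    """Return (dest_ip, url, label) for every line whose destination is blocked."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and (label := match_netblock(m.group(1), rules)):
            hits.append((m.group(1), m.group(2), label))
    return hits
```

Running `flag_log(SAMPLE_LOG, load_ruleset(RULESET))` flags three of the four lines; the 198.51.100.200 entry sits outside the /26 and is left alone, which is exactly the gap that opens up once a single large netblock is split into smaller ones.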

It's also great to note that David has been keeping track of my research into the RBN's activities. Go through the study and find out more about the RBN's practices.

Related posts:
Go to Sleep, Go to Sleep my Little RBN
Detecting and Blocking the Russian Business Network
RBN's Fake Security Software
Over 100 Malwares Hosted on a Single RBN IP
The Russian Business Network