Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: 10/23/07

Tuesday, October 23, 2007

Over 100 Malwares Hosted on a Single RBN IP

The never ending Russian Business Network's saga on whether or not they host malware on behalf of their customers enters in an entirely new phrase with the discovery of over 100 malwares hosted on a single IP - 81.95.149.51/ms where the directory listing indicates that the earliest binary was uploaded on 19-Sep-2006 and the most recent one on the 28-May-2007. If only was the directory listing denied we would only be speculating on such a development, and as it's obvious that it isn't sooner or later they'll simple rename the directory as they apparently did in the past from 81.95.149.51/ms21 to 81.95.149.51/ms51 and to the current state.

Meanwhile, there's an active mass mailing campaign going on in the time of blogging, that's exploiting the recent mailto PDF vulnerability. Guess where does the PDF file's payload point to? The Russian Bussiness Network, again, again and again.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

RBN's Fake Security Software

In need of a good example of coordinated CYBERINT so that enough data is gathered before the domains stop responding or get transfered to a network not belonging to the Russian Business Network? Try this one. Yesterday, the RBN monitoring blog picked up the fake anti virus and spyware applications I covered in a previous post, and came up with a great table of 20 fake anti virus and anti spyware applications hosted at the RBN.

Dancho Danchev

Ain't That Ugly?

During the weekend I stumbled upon a herbal enlargement domains farm hosted on a single IP (210.52.223.26) on their way to start the spam campaign. Earlier this month, in exactly the same fashion I assessed a Rock Phish domains farm you may also be interested in taking a look at. Scammy, scammy.

Dancho Danchev

Introducing Jiglu - Tags That Think

With the idea to make this blog easier to read and much more interactive at the same time, I'm happy to let you know that I've just tested an incredibly well performing service called Jiglu :

"a super-smart engine that pieces your site together, intelligently tagging and linking your web content"

Here's the tag cloud, and these the topic categories for easier navigation. The service is very handy when browsing the archive of a specific month, or the main index itself, in fact, it's bringing new perspectives to every post. Enjoy!

Dancho Danchev