In the last quarter of 2007, under the public pressure put on the Russian Business Network's malicious practices, the RBN started faking the removal of malicious domains from its network by placing fake account suspended notices, but continuing the malware and exploit serving campaigns on them. And since I constantly monitor RBN activity, in particular their relationship with the New Media Malware Gang and Storm Worm, a relationship that I've in fact established several times before, a recently assessed malicious domain further expands their underground ecosystem. Let the data speak for itself :
dev.aero4.cn/adpack/index.php (195.5.116.244) once deobfuscated loads dev.aero4.cn/adpack/load.php :
Detection rate : 11/32 (34.38%)
File size: 6656 bytes
MD5: 5eb0ee32613d8a611b6dc848050f3871
SHA1: 55c0448645a8ed2e14e6826fae25f8f9c868be30
It gets even more interesting as the downloader attempts to download the following :
88.255.94.250/s2/200.exe
88.255.94.250/s2/m.exe
88.255.94.250/s2/d.exe
88.255.94.250/s2/un.php
And as I've already pointed out in a previous post, 88.255.94.250 is the New Media Malware Gang. Moreover, next to m.exe and d.exe with an over 50% detection rates, 200.exe is impressively detected by one anti virus vendor only :
Detection rate : 1/32 (3.13%)
File size: 33280 bytes
MD5: 9bf9265df5dea81135355d161f3522be
SHA1: 44cdcaf5e8791e10506e3343d73a2993511fa91f
Further continuing this assessment, firewalllab.cn (203.117.111.106) also responds to aero4.cn, and is hosted at AS4657 STARHUBINTERNET AS Starhub Internet Pte Ltd 31, Kaki Bukit Rd 3 SINGAPORE (previously known as CyberWay Pte Ltd). Even more interesting is the fact that 203.117.111.106 is also responding to known New Media Malware Gang domains :
businesswr.cn
fileuploader.cn
firewalllab.cn
otmoroski.cn
otmoroski.info
security4u.cn
tdds.ru
traffshop.ru
x-victory.ru
Furthermore, 203.117.111.106 seems to have made an appearance at otrix.ru, where in between the obfuscation an IFRAME loads to 58.65.233.97/forum.php, where two more get loaded 4qobj63z.tarog.us/tds/in.cgi?14; 4qobj63z.tarog.us/tds/in.cgi?15. Deja vu, again, again and again - 4qobj63z.tarog.us was among the domains used in the malware embedded attack again the French government's site related to Lybia, and there I made the connection with the New Media Malware Gang for yet another time.
There's indeed a connection between the RBN, Storm Worm and the The New Media malware gang. The malware gang is either a customer of the RBN, partners with the RBN sharing know-how in exchange for infrastructure on behalf of the RBN, or RBN's actual operational department. Piece by piece and an ugly puzzle picture appears thanks to everyone monitoring the RBN that is still 100% operational.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Tuesday, January 15, 2008
RBN's Fake Account Suspended Notices
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment