As we're on the topic of RBN's zombies trying to connect to their old netblocks, and botnets being used to host and send out phishing content, what looks like entirely isolated incidents in the present, is what has actually being going on on RBN's network during the summer of 2007. A picture is worth a thousand speculations, yes it is. As you can see in the attached historical screenshot of a web based botnet C&C, the Russian Business Network's old infrastructure has also been involved into delivering phishing pages to malware infected hosts, whose requests to the legitimate sites were getting forwarded to RBN's old netblock. The process is too simple, thereby lowering the entry barriers into phishing activities due to its modularity. Basically, the botnet master can easily configure to which fake phishing site the infected population would be redirected to, if they are to visit the original one with no more than three clicks. And so, for the purpose of historical preservation of CYBERINT data given the quality of the identical screenshot obtained through OSINT techniques -
RBN URLs used in the phishing redirects :
81.95.149.226/scm/us/wels/index.html
81.95.149.226/scm/uk/lloydstsb/personal/index.html
81.95.149.226/scm/cyprus/persmain.html
81.95.149.226/scm/au/westpac/index.html
81.95.149.226/scm/au/commonwealth/
81.95.149.226/scm/au/warwickcreditunion/index.html
81.95.149.226/scm/uk/lloydstsb/business/index.html
81.95.149.226/scm/uk/halifax.php
81.95.149.226/scm/uk/rbsdigital/index.html
81.95.149.226/scm/uk/co-operative/index.html
81.95.149.226/scm/uk/cahoot.php
Known malware to have been connecting to 81.95.149.226 :
Trojan-PSW.Win32.LdPinch.bno, Trojan-Downloader.Win32.Small.emg, Trojan.Nuklus, where the malware detected under different names by multiple vendors is the only one that ever made a request to 81.95.149.226, which in a combination with the fact that the screenshot is made out of Nuklus production speaks for itself.
Some facts are better known later, than never.
No comments:
Post a Comment