[At-Large] Russian Business Network moves to China
Izumi AIZU
iza at anr.org
Sun Nov 11 10:24:37 EST 2007
I read a similar story in the London Times.
Interesting, yes...
izumi
2007/11/10, Brendler, Beau <Brenbe at consumer.org>:
> http://blog.wired.com/sterling/2007/11/russian-busines.html
>
> The notorious Russian gang has shut down its St. Petersburg IP
> addresses, moving to China and elsewhere to evade network IP blocks.
>
> The notorious Russian Business Network ((("the baddest of the bad")))
> has suddenly picked up from its St. Petersburg digs and diversified,
> spreading its unwholesome activity to new chunks of IP addresses, with
> RBN-like activity almost immediately appearing on newly registered
> blocks of Chinese and Taiwanese IP addresses, according to security
> company Trend Micro. (((Great locale for a proxy Estonian webwar attack
> -- "The CHINESE are launching cybarmageddon!")))
>
> The Internet presence for the RBN, a Russian ISP that's infamous for
> hosting shady and criminal businesses, blinked off at about 7 p.m. PST on
> Nov. 6, security researchers at Trend Micro reported the following day.
>
> The RBN's IP addresses can no longer be reached, since the routing for
> them no longer exists as of Nov. 8.
>
> In a posting, Trend Micro's Feike Hacquebord conjectured that the RBN's
> upstream providers may have yanked Internet connectivity services
> temporarily or even permanently.
>
> For a few moments, Trend Micro researchers imagined the Internet had
> become, even fleetingly, a tad safer. That hope didn't last long,
> however.
>
> Paul Ferguson, a network architect for the company, told eWEEK that
> Trend Micro has noticed RBN-like activity on blocks of IP addresses that
> were registered in China and other locations shortly before the RBN
> closed down the routes to its St. Petersburg addresses.
>
> Although it's hard to put a finger on who's behind the activity, it's
> "strikingly similar" to what the RBN was doing, Ferguson said, including
> malware proxying for drive-by downloads. Calling cards for the RBN, for
> example, have included the MPack and Icepack exploits: malware hosted at
> third-party locations that serve up sophisticated binary Trojan
> downloaders. These downloaders are top-notch professional badware that
> determine what operating system their prey is running, on what browser,
> as well as what vulnerabilities are available for exploit. They have
> long been associated with the RBN, and now Trend Micro is detecting
> their use at the new Chinese IP digs.
>
> Trend Micro was tipped off by a path that seems to lead back to the RBN
> and that has been laid in various sites that have had their HTML
> compromised. The path leads to domains with the recently registered
> Chinese IP addresses. Some of those domain registries have overlapping
> IP addresses on the back end, with the same name servers and similar
> functionality, all bearing the fingerprints of the RBN, Ferguson said.
>
> Trend Micro believes that increasing publicity about the criminal gang
> is the rationale behind the move: to "fly a little lower under the radar,
> just to be a little sneakier," Ferguson said.
>
> Not that Russian authorities have been particularly energetic about
> shutting the RBN down, publicity or no. The RBN is a highly segmented,
> loosely affiliated criminal organization that specializes in virtually
> every aspect of online crime, with specialized work being handed out
> piecemeal to guns for hire, whether it's money laundering, money mule
> activity, child porn site hosting, search engine optimization for
> raising page rankings, bulletproof hosting, credit card information
> theft or raiding of bank accounts. Ferguson has tracked RBN foot
> soldiers worldwide, to locations such as the West Coast of the United
> States and to southern India....
>