RBN Updates: [Site Block Lists-Apr 9]

All Security related news can be posted here, and unrelated news can be posted here as well.

Moderators: Admin Team, Moderators

User avatar
TeMerc
Site Admin
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ
Contact:

Postby TeMerc » Sun Nov 18, 2007 10:32 pm

RBN – PC Hijacking via Banner-Ads on Major Web Portals

Sunday, November 18, 2007
The Russian Business Network (RBN), in one of its boldest PC hijacking exploits, used conventional banner ads to redirect web visitors to “fake” anti-spyware sites. This is a new attack vector, but it uses known RBN server routes and exploits. Malware-based ads have been spotted on various legitimate websites, ranging from baseball's MLB.com, NHL.com, Canada.com and The Economist. Acting as a conventional Flash file, the exploit is via DoubleClick's DART program; DoubleClick acknowledges the malware, and says it has implemented a new security-monitoring system that has thus far captured and disabled a hundred ads.
0-= Detailed analysis w\screen shots @ RBN Exploit Blog

Postby TeMerc » Tue Nov 20, 2007 10:18 am

RBN Likely Responsible For Monster.com Hack

By Gregg Keizer

November 20, 2007 — Computerworld — Monster.com took a portion of its Web site offline Monday as researchers reported that it had been compromised by an IFrame attack and was being used to infect visitors with a multi-exploit attack kit.

The IP address of the exploit site is assigned to a server in Australia that is part of the "myrdns.com" domain. That domain, in turn, is registered to a Hong Kong Internet service provider called HostFresh Internet. Both HostFresh and myrdns.com have been linked to RBN activities, including the long-running IFrame Cash scheme, in which RBN pays small site owners a commission for injecting IFrame exploits on other sites.

According to an anonymous blogger who tracks the RBN, other myrdns.com/HostFresh IP addresses were involved in the Bank of India hack in August.

nwz CIO

Postby TeMerc » Thu Nov 22, 2007 10:16 am

A reader over at SANS has an analysis of the RBN gang available as a .pdf here

It's long but I'm betting pretty informative.

Postby TeMerc » Tue Nov 27, 2007 5:30 pm

I See Alive IFRAMEs Everywhere - Part Two

Tuesday, November 27, 2007

The never-ending IFRAME-ing of relatively popular or niche domains, whose popularity is attracting a loyal and well-segmented audience, never ends. Which leads us to part two of this series, uncovering such domains and tracing back the malicious campaign to the very end of it. Some of these are still IFRAME-ed, others cleaned the IFRAMEs despite Google's warning indicating they're still harmful; the point is that all of these are connected.

Affected sites :
  • Epilepsie France - epilepsie-france.org
  • Iran Art News - iranartnews.com
  • The Media Women Forum - yfmf.org
  • Le Bowling en France - bowling-france.fr
  • The Hong Kong Physiotherapists Union - hkpu.org
  • The Wireless LAN Community - wlan.org
  • The First HELLENIC Linux Distribution - zeuslinux.gr
The entire campaign is orbiting around pornopervoi.com, which was last responding to 81.177.3.225, an IP that's also known to be hosting a fake bank.

Who's behind this malware embedded attack? It's the ongoing consolidation between defacers, malware authors, and blackhat SEO-ers using the infamous infrastructure of the RBN.

0-= More Details @ DDanchev Blog

Postby TeMerc » Wed Nov 28, 2007 3:23 pm

RBN – Google Search Exploits
Wednesday, November 28, 2007

The Russian Business Network (RBN) has been busy again with a significant amount of loaded web search results which lead to malware sites as reported by Sunbelt.

The good news first is being able to precisely pinpoint the exploiters back to newer RBN core retail centers as previously exposed in this blog on Nov 8th 07, i.e. iFramecash, myrdns, hostfresh, and AS 27595, i.e. Atrivo, Intercage, Inhoster. Also, as reported, this is the same end route as the Bank of India hack, fake anti-spywares and fake codecs.

The bad news is, as predicted and one of the probable reasons for dropping their RBnetwork IP ranges, the RBN is increasingly using botnet-based fast-flux techniques (see Wikipedia) to hide the initial delivery sites behind an ever-changing network of compromised hosts, i.e. "double-flux" nodes within the network registering and de-registering their addresses as part of the DNS SOA (start of authority) record list for the DNS (domain name server). This provides an additional layer of redundancy and survivability within the malware network, as seen in the case of the fake codecs.

0-= More @ RBN Exploit Blog w\Analysis & Screen Shots
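To make the fast-flux / double-flux behaviour in the post above concrete, here is an added example (not code from the RBN Exploit Blog or from the post) that scores passive-DNS style observations of a name. The hostnames, addresses, the IP-to-ASN table and the thresholds are all constructed or assumed; a real run would feed it resolver logs and an origin-AS lookup. A single-flux name shows many distinct A records across many ASNs with a short TTL; a double-flux name additionally has its own name servers' addresses rotating, which is the "registering and de-registering" behaviour described.

```python
"""Fast-flux / double-flux heuristic over passive-DNS style observations.

Added example, not code from the RBN Exploit Blog or the forum post. Hostnames,
addresses, ASNs and thresholds are all constructed / assumed.
"""
from collections import defaultdict

# Constructed observations as (seconds_since_start, qname, rrtype, ttl, rdata).
# "codec-dl.example" is built to look like a double-flux name: a fresh set of
# A records every ten minutes with a short TTL, and its name server's own
# address rotating too. "static.example" is an ordinary host.
OBSERVATIONS = [
    (0,    "codec-dl.example",     "A",  180, "10.0.1.10"),
    (0,    "codec-dl.example",     "A",  180, "10.0.2.20"),
    (0,    "codec-dl.example",     "A",  180, "10.0.3.30"),
    (0,    "codec-dl.example",     "NS", 180, "ns1.codec-dl.example"),
    (0,    "ns1.codec-dl.example", "A",  180, "10.0.9.1"),
    (600,  "codec-dl.example",     "A",  180, "10.0.4.40"),
    (600,  "codec-dl.example",     "A",  180, "10.0.5.50"),
    (600,  "codec-dl.example",     "A",  180, "10.0.1.10"),
    (600,  "ns1.codec-dl.example", "A",  180, "10.0.9.2"),
    (1200, "codec-dl.example",     "A",  180, "10.0.6.60"),
    (1200, "codec-dl.example",     "A",  180, "10.0.7.70"),
    (1200, "ns1.codec-dl.example", "A",  180, "10.0.9.3"),
    (0,    "static.example",       "A",  86400, "10.0.8.80"),
    (0,    "static.example",       "NS", 86400, "ns.static.example"),
    (0,    "ns.static.example",    "A",  86400, "10.0.8.81"),
    (1200, "static.example",       "A",  86400, "10.0.8.80"),
]

# Constructed IP -> ASN table standing in for a real origin-AS lookup.
ASN_OF = {
    "10.0.1.10": 64501, "10.0.2.20": 64502, "10.0.3.30": 64503,
    "10.0.4.40": 64504, "10.0.5.50": 64505, "10.0.6.60": 64506,
    "10.0.7.70": 64507, "10.0.9.1": 64511, "10.0.9.2": 64512,
    "10.0.9.3": 64513, "10.0.8.80": 64500, "10.0.8.81": 64500,
}

# Assumed thresholds: a flux name shows many distinct addresses, spread over
# several ASNs (compromised home machines, not one hosting provider), with a
# TTL short enough that the set rotates several times an hour.
MIN_ADDRS, MIN_ASNS, MAX_TTL = 5, 3, 300


def collect(observations):
    """Group every A rdata, NS rdata and TTL seen per name, in one pass."""
    per = defaultdict(lambda: {"a": set(), "ns": set(), "ttls": []})
    for _t, name, rtype, ttl, rdata in observations:
        if rtype == "A":
            per[name]["a"].add(rdata)
            per[name]["ttls"].append(ttl)
        elif rtype == "NS":
            per[name]["ns"].add(rdata)
    return per


def classify(name, per, asn_of):
    """Return 'normal', 'single-flux' or 'double-flux' for one name."""
    rec = per.get(name)
    if not rec or not rec["a"]:
        return "unknown"
    n_addr = len(rec["a"])
    n_asn = len({asn_of.get(ip, -1) for ip in rec["a"]})
    min_ttl = min(rec["ttls"])
    if not (n_addr >= MIN_ADDRS and n_asn >= MIN_ASNS and min_ttl <= MAX_TTL):
        return "normal"
    # Double-flux: the authoritative name servers' own A records rotate as
    # well, so taking down any one address removes neither content nor DNS.
    ns_addrs = set()
    for ns in rec["ns"]:
        if ns in per:
            ns_addrs |= per[ns]["a"]
    return "double-flux" if len(ns_addrs) >= 2 else "single-flux"


def report(observations, asn_of=ASN_OF):
    """Classify every name that has NS records (i.e. each zone apex seen)."""
    per = collect(observations)
    return {name: classify(name, per, asn_of)
            for name, rec in per.items() if rec["ns"]}


if __name__ == "__main__":
    for name, verdict in report(OBSERVATIONS).items():
        print(f"{name:25s} {verdict}")
```

The thresholds are deliberately loose; a CDN will also show many addresses, but usually within one or two ASNs and with the name servers sitting still, which is why the ASN spread and the NS check matter more than the raw address count.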

Postby TeMerc » Fri Dec 07, 2007 4:35 pm

A Diverse Portfolio of Fake Security Software

The recently exposed RBN fake security software was literally just the tip of the iceberg in this ongoing practice of distributing spyware and malware under the shadow of software that's positioned as anti-spyware and anti-malware. The domain farm of fake security software which I'll assess in this post is worth discussing due to the size of its portfolio, how they've spread the scammy ecosystem on different networks, as well as the directory structure they take advantage of, one whose predictability makes it fairly easy to efficiently obtain all the fake applications. This particular case is also a great example of the efficiency vs. quality trade-off typical of a Rock Phish kit, namely, all the binaries dispersed through the different domains are actually hosted on a single IP, and are identical.
0-= Detailed Analysis w\screen shots @ DDanchev Blog

The hunt for Russia's web criminal

Postby TeMerc » Fri Dec 14, 2007 9:54 am

December 13, 2007
Peter Warren

A CURIOUS game of cat and mouse is being played out on the internet, as high-tech hunters close in on a group of cyber criminals known as the Russian Business Network (RBN). The chase started when the RBN - a Russian ISP alleged to be behind much of today's web crime - slipped its internet moorings in St Petersburg and made for servers in China.

But the RBN's attempts to hide there behind a hastily formed Italian front company failed. After setting up in its new home, the sites run by the RBN - which specialises in identity theft, denial of service, phishing, computer extortion and child pornography - soon vanished from the web. Since then sightings have been few. Does that mean the RBN has gone? And does it matter?

According to experts from Team Cymru, a research group specialising in internet crime, the Russian company is linked to about 60% of all cyber crime. But recently the RBN started to attract unwelcome attention from bloggers and the US media, forcing it to try to vanish from view.

There is almost a side industry tracking RBN - such as the blog at rbnexploit.blogspot.com, which details sites used by the RBN and its exploits.

nwz Sydney Morning Herald

Postby TeMerc » Wed Dec 19, 2007 11:11 pm

RBN – $$$ - the retail payment systems

Wednesday, December 19, 2007

In an extension to analysis of the Russian Business Network (RBN) this is the first element of a series on RBN payment systems.

This article focuses on just one of the several payment systems for its “fakes” retail division i.e. isoftpay.com, this has been reported before namely the Sunbelt Blog (see links on footer) Oct 3rd 06 in the report on the rogue software, also more recently reported within 2-spyware on Dec 10th 07.

In exploring this node of the RBN’s organization it raises several areas of interest; the location(s) of internet operation, SSL and transactional base. Briefly by way of an introduction to later more in depth analysis malware revenue models, analysis solely of isoftpay does provide a starting point for some generalized assumptions of RBN retail revenue.

0-= Analysis w\screenshots @ RBN Exploit Blog

Postby TeMerc » Sat Jan 05, 2008 9:00 pm

RBN - Storm Botnet, the Changing Chessboard
In a follow up to the earlier Russian Business Network (RBN) "New and Improved Storm Botnet for 2008" the chessboard changes yet again. In this game of chess our opponents started over Christmas with a full frontal attack, but have now switched to flanking moves. Perhaps on this occasion the community may be able to slow down the advance to force a draw or maybe even win this particular game of chess?

The key is to understand and combat the Storm 2008's innovative elements and attempt to quantify progress of the game. With the aid of early analysis by Thorsten Holz / The German Honeynet Project and based on limited initial data we have attempted to produce a predictive trend analysis of the Storm Botnet to rebuild and reach 1 million PCs. This is shown in figure 1, given current analysis shows a growth from say 10,000 on Dec-22 to 30/40,000 by Jan-03, on a conservative analysis Storm should reach 1 million by Mid Feb 08.
[Figure 1: predictive trend of Storm botnet growth]
0-= More Detailed Analysis w\screenshots @ RBN Exploit Blog

Postby TeMerc » Mon Jan 07, 2008 1:06 pm

RBN – 365fastcash, Panama, and 1488 RU

Monday, January 7, 2008

As regular readers know the Russian Business Network (RBN) originally utilized an extensive virtual base in Panama (Nevacon); we can now report they are back. The new hive centers on AS26426 (Optynex Telecom Sa, Calle 53, Piso 18, Panama City, Panama, Phone: 210-9900) and cybercastco.com name servers (special thanks to Jim McQuaid and Snort expertise).

There are numerous domains but to select a sample of domains, in this article we can focus on two, 365fastcash(dot)com and Jidov(dot)net. It is also pleasing to show these are already encompassed within RBN Snort Rules on EmergingThreats.net

Jidov(dot)net provides an interesting political twist for the RBN as this is the safe hosting location for 1488(dot)ru. To those who are not aware 1488 RU is the supposedly banned, violent, and very well financed Russian Nazi group. The 14 represents the 14-word slogan: "We must secure the existence of our people and a future for White children” and 88 represents eighth letter of the alphabet, with HH standing for Heil Hitler. The question now arises does this represent the source of the RBN’s political views or just an expensive bullet proof (was) hosting.

0-= More Detailed Analysis w\screen shots @ RBN Exploit Blog

Postby TeMerc » Sat Jan 12, 2008 12:43 am

An Inside Look at the Russian Business Network

JANUARY 11, 2008
By Kelly Jackson Higgins
Senior Editor, Dark Reading

A new white paper published by the nonprofit botnet-tracker Shadowserver Foundation sheds some light on one segment of activity on the Russian Business Network (RBN).

Shadowserver released its findings on malware associated with the so-called AS40989 group of interconnected IP networks on the RBN. Shadowserver gathered nearly 3,000 sample pieces of malware -- including Gozi, Goldun, Hupigon, Nurech, Nuklus, Pinch, Sinowal, Tibs, Xorpix, as well as dialers, downloaders, worms, adware, page hijackers, and proxies -- that communicated with the AS40989 network via HTTP connections.

nwz Dark Reading

Postby TeMerc » Mon Jan 14, 2008 6:43 pm

Massive RealPlayer Exploit Embedded Attack

Monday, January 07, 2008

What happened with the recent RealPlayer massive embedded malware attack? Two of the main hosts are now, and the third one ucmal.com/0.js is strangely loading an iframe to ISC's blog in between the following 61.188.39.218/pingback.txt which was returning the following message during the last couple of hours "You're welcome for being saved from near infection".

As I'm sure others too like to analyze post incident response behavior of the malicious parties, in respect to this particular attack, during the weekend they took advantage of what's now a patent of the Russian Business Network, namely to serve a fake 404 error message but continue the campaign. However, in RBN's case, only the indexes were serving the fake account suspended messages, but the campaign was still active on the rest of the internal pages. In the RealPlayer's campaign case, the 404 error messages themselves were embedded with the same IFRAMEs as well, in order to make it look like there's an error, at least in front of the eyes of the average Internet user.

0-= More @ DDanchev Blog w\Links

Postby TeMerc » Tue Jan 15, 2008 6:41 pm

RBN's Fake Account Suspended Notices

Tuesday, January 15, 2008

In the last quarter of 2007, under the public pressure put on the Russian Business Network's malicious practices, the RBN started faking the removal of malicious domains from its network by placing fake account suspended notices, but continuing the malware and exploit serving campaigns on them. And since I constantly monitor RBN activity, in particular their relationship with the New Media Malware Gang and Storm Worm, a relationship that I've in fact established several times before, a recently assessed malicious domain further expands their underground ecosystem.

Some sites\files contained in the above post:
  • dev.aero4.cn/adpack/index.php (195.5.116.244)
  • 88.255.94.250/s2/200.exe
  • 88.255.94.250/s2/m.exe
  • 88.255.94.250/s2/d.exe
  • 88.255.94.250/s2/un.php
  • firewalllab.cn
  • 203.117.111.106
    • businesswr.cn
    • fileuploader.cn
    • firewalllab.cn
    • otmoroski.cn
    • otmoroski.info
    • security4u.cn
    • tdds.ru
    • traffshop.ru
    • x-victory.ru
  • 58.65.233.97
  • 4qobj63z.tarog.us
0-= Continued Analysis w\ Links @ DDanchev Blog

Postby TeMerc » Wed Jan 23, 2008 9:32 am

RBN – Out with the New and in with the Old – Mebroot
The Russian Business Network (RBN) is using one of their usual deceptive approaches of confusing by the use of old domains and recycling exploit techniques; this is the case with Mebroot. There has rightly been a great deal of press (see links below) concerning Mebroot as identified by Symantec on Jan 8th 08. This is a rootkit exploit that overwrites part of a computer's hard drive called the Master Boot Record (MBR). What makes this exploit still deadly and difficult is its ability, once established and undetected, to confound most anti-virus software; the purpose is to hijack the user’s PC, which will then redirect to download other exploits to steal banking information and carry out ID theft. Good news is there are some straightforward detection and removal tools, e.g. GMER – also see on their website a great write-up of how a rootkit actually works.

So what is new? Well, the exploit sites are now using a fast-flux P2P botnet and the exploit is polymorphic, i.e. it has the ability to alter its form and mutate. But this approach is the same old stuff by a different name; it is Torpig, Anserin, Gromozon, etc., even using some of the old domains for distribution. So where do the “new” exploit names come from? Unfortunately, us. Our constant reductionist approach to BadWare is utilized by the RBN to confound, and we play right into their hands: every time we rename their stuff it makes it easier for them to blend into the confusion. The old is forgotten or not reported and they reuse the old stuff all over again; when we all start using a commonly accepted holistic linguistic approach to the problem, we may win this war.
0-= More Analysis @ RBN Exploit Blog w\screen shots
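The post above says Mebroot lives in the boot code of the MBR and recommends a dedicated tool such as GMER. As an added example (not GMER, not a Mebroot signature, and not code from the RBN Exploit Blog), the script below does the generic check a responder can do by hand: parse a 512-byte MBR image, hash the 446-byte boot-code region separately from the partition table, and diff it against a known-good copy. The two MBR images are constructed in `build_mbr()`; on a real machine the sector would be read from the raw device, preferably from boot media, because a rootkit that has hooked the disk driver can hand back a clean copy to reads made through the running OS.

```python
"""Offline check of a disk's Master Boot Record against a known-good copy.

Added example, not a tool from the post (it is not GMER and does not detect
Mebroot by signature). The MBR images are constructed in build_mbr(); on a
real system the 512 bytes would be read from the raw device, ideally from
boot media rather than the running OS, since an MBR rootkit can hide the
sector from reads made through the drivers it has hooked.
"""
import hashlib
import struct

BOOT_CODE_END = 446        # bytes 0..445: boot code, what an MBR rootkit overwrites
PART_TABLE_END = 510       # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xAA"    # bytes 510..511


def parse_mbr(mbr):
    """Validate the sector and return the boot-code hash plus partition entries."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[PART_TABLE_END:] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = mbr[BOOT_CODE_END + 16 * i: BOOT_CODE_END + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
            "partitions": partitions}


def compare_mbr(baseline, current):
    """List which regions differ. An MBR rootkit typically changes only the
    boot code and leaves the partition table intact so the machine still boots."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed")
    if baseline[BOOT_CODE_END:PART_TABLE_END] != current[BOOT_CODE_END:PART_TABLE_END]:
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start,
    sectors) tuples. Constructed test data only."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    table = b"".join(bytes([0x80 if bootable else 0x00, 0, 0, 0, ptype, 0, 0, 0])
                     + struct.pack("<II", lba_start, sectors)
                     for bootable, ptype, lba_start, sectors in partitions)
    return code + table.ljust(64, b"\x00") + SIGNATURE


# Constructed images: the baseline opens with the usual "xor ax,ax / mov ss,ax /
# mov sp,7C00h" prologue; the tampered one has different code but the same table.
PARTS = [(True, 0x07, 63, 41_929_587)]
BASELINE = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", PARTS)
TAMPERED = build_mbr(b"\xEB\x3C\x90\xB8\x00\x00", PARTS)


if __name__ == "__main__":
    print(parse_mbr(BASELINE)["partitions"])
    print("baseline vs baseline:", compare_mbr(BASELINE, BASELINE))
    print("baseline vs tampered:", compare_mbr(BASELINE, TAMPERED))
```

Hashing the boot code on its own is the useful part: the partition table legitimately changes when disks are repartitioned, whereas the 446 bytes of boot code should only change when the OS or a boot manager is reinstalled, so a stored hash per machine gives a cheap, signature-free tripwire.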

Re: Russian Business Network Updates: [1-23]

Postby TeMerc » Wed Feb 13, 2008 4:31 pm

Statistics from a Malware Embedded Attack
Wednesday, February 13, 2008

It's all a matter of perspective. For instance, it's one thing to do unethical pen-testing on the RBN's infrastructure, and entirely another to ethically peek at the statistics for a sample malware embedded attack on one of the hosts of a group that's sharing infrastructure with the RBN, namely UkrTeleGroup Ltd as well as Atrivo. For yet another time they didn't bother taking care of their directory permissions. Knowing the number of unique visits that were redirected to the malware embedded host, the browsers and OSs they were using, in combination with confirming the malware kit used, could result in a rather accurate number of infected hosts per campaign - an OSINT technique that, given enough such stats are obtained and properly analyzed, would easily lead to a quantitative conclusion on malware infected hosts per campaign/malware group in question.

0-= More @ Ddanchev

Re: Russian Business Network Updates: [2-13]

Postby TeMerc » Tue Feb 19, 2008 7:39 am

RBN – Extortion and Denial of Service (DDoS) Attacks
Tuesday, February 19, 2008

The Russian Business Network (RBN) has long been known for its bulletproof hosting and its control of botnets such as Storm. Apart from the obvious example of an RBN “hired gun” Distributed Denial of Service (DDoS) attack on Estonia in May 2007, many have attempted to comprehend and link the RBN’s usage of botnets. Within this article we shed light via several documented examples of extorting potential clients into the use of their “specialized” hosting services by the use of DDoS, and a further example of RBN’s ecommerce.

The business model RBN uses is quite simple and effective: its affiliates and resellers comb various niche market forums and discussion areas for webmasters using or discussing protective web services, i.e. DDoS prevention. Carry out a DDoS attack on the website and then provide a third party sales approach to the webmaster to “encourage” a sign up for their DDoS prevention services. The cost of this hosting service is $2,000 per month.

0-= Continued Analysis @ RBN Exploit Blog

Re: Russian Business Network Updates: [2-26]

Postby TeMerc » Tue Feb 26, 2008 10:02 am

Geolocating Malicious ISPs
Monday, February 18, 2008
Here are some of the ISPs knowingly or unknowingly providing infrastructure to the RBN and the New Media Malware Gang, a customer of the RBN or RBN's actual operational department. To clarify even further, these are what can be defined as malicious ecosystems that actually interact with each other quite often.
  • Ukrtelegroup Ltd
    IP Range - 85.255.112.0 - 85.255.127.255
    UkrTeleGroup Ltd.
    Mechnikova 58/5
    65029 Odessa
    UKRAINE
    phone: +380487311011
    fax-no: +380487502499
  • Turkey Abdallah Internet Hizmetleri
    TurkTelekom
    IP Range - 88.255.0.0/16 - 88.255.0.0/17
  • Hong Kong Hostfresh
    IP Range - 58.65.232.0 - 58.65.239.255
    Hong Kong Hostfresh
    No. 500, Post Office,
    Tuen Mun, N.T,
    Hong Kong
    phone: +852-35979788
    fax-no: +852-24522539
These are not just some of the major malware hosting and C&C providers; their infrastructure is also appearing on each and every high-profile malware embedded attack assessment that I conduct. And since all of these are malicious, the question is which one is the most malicious one? Let's say certain netblocks at TurkTelecom are competing with certain netblocks at UkrTeleGroup Ltd; however, the emphasis shouldn't be on the volume of malicious activities, but mostly regarding the ones related to the RBN, and the majority of high-profile malware embedded attacks during 2007, and early 2008.
0-= DDanchev Blog
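Since this thread is meant to serve as a block list, here is an added example (not code from DDanchev or the post) of turning the three start-end ranges above into something checkable: collapse each to CIDR, test IOCs from elsewhere in the thread against them, and emit local Snort rules. Two assumptions: the post gives the Turkish range as "88.255.0.0/16 - 88.255.0.0/17", so the wider /16 is used here, and the sample IOCs are constructed from addresses quoted in earlier posts. Hostname IOCs are skipped on purpose, since they need resolving (ideally from passive DNS) before a netblock match means anything.

```python
"""Turn the netblocks listed in the post above into a checkable block list.

Added example, not code from the post or from DDanchev. The start-end ranges
are copied from the post; which of "88.255.0.0/16 - 88.255.0.0/17" the post
intends is unclear, so the wider /16 is assumed here. The IOCs checked are
constructed from addresses that appear elsewhere in this thread.
"""
import ipaddress
from urllib.parse import urlsplit

RANGES = {
    "UkrTeleGroup Ltd":                ("85.255.112.0", "85.255.127.255"),
    "Abdallah Internet Hizmetleri/TT": ("88.255.0.0",   "88.255.255.255"),  # assumed /16
    "Hostfresh":                       ("58.65.232.0",  "58.65.239.255"),
}


def to_networks(ranges):
    """Collapse each start-end range into the minimal set of CIDR blocks."""
    return {
        owner: list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        for owner, (lo, hi) in ranges.items()
    }


NETWORKS = to_networks(RANGES)


def host_of(ioc):
    """Host part of a bare host/IP or a schemeless URL such as 88.255.94.250/s2/m.exe."""
    return urlsplit(ioc if "://" in ioc else "//" + ioc).hostname


def owner_of(ip_text, networks=NETWORKS):
    """Owner label for an IP literal inside a listed range, else None.
    Raises ValueError for a hostname, which must be resolved first."""
    ip = ipaddress.ip_address(ip_text)
    for owner, nets in networks.items():
        if any(ip in net for net in nets):
            return owner
    return None


def check_iocs(iocs, networks=NETWORKS):
    """Map each IOC whose host is an IP literal in a listed range to its owner."""
    hits = {}
    for ioc in iocs:
        try:
            owner = owner_of(host_of(ioc), networks)
        except ValueError:
            continue  # hostname, not an address: resolve before matching
        if owner:
            hits[ioc] = owner
    return hits


def snort_rules(networks=NETWORKS, base_sid=1000000):
    """One Snort rule per CIDR, in the local SID range (1,000,000 and up)."""
    rules, sid = [], base_sid
    for owner, nets in networks.items():
        for net in nets:
            rules.append(
                f'alert ip $HOME_NET any -> {net} any '
                f'(msg:"Outbound to RBN-related netblock ({owner})"; sid:{sid}; rev:1;)')
            sid += 1
    return rules


if __name__ == "__main__":
    sample = ["88.255.94.250/s2/m.exe", "58.65.233.97", "85.255.116.206/ax5/index.php",
              "firewalllab.cn", "81.95.149.226/scm/uk/halifax.php"]
    for ioc, owner in check_iocs(sample).items():
        print(f"{ioc:35s} -> {owner}")
    print("\n".join(snort_rules()))
```

`summarize_address_range` is what keeps the rule set honest: 85.255.112.0 - 85.255.127.255 is exactly one /20 and 58.65.232.0 - 58.65.239.255 one /21, but a range that does not sit on a CIDR boundary comes back as several blocks, and hand-written rules for such ranges tend to either over- or under-block.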

Re: Russian Business Network Updates: [2-26]

Postby TeMerc » Wed Feb 27, 2008 3:58 pm

RBN Phishing Tactics
Wednesday, February 27, 2008
As we're on the topic of RBN's zombies trying to connect to their old netblocks, and botnets being used to host and send out phishing content, what looks like entirely isolated incidents in the present is what was actually going on on RBN's network during the summer of 2007. A picture is worth a thousand speculations, yes it is.

RBN URLs used in the phishing redirects:
  • 81.95.149.226/scm/us/wels/index.html
  • 81.95.149.226/scm/uk/lloydstsb/personal/index.html
  • 81.95.149.226/scm/cyprus/persmain.html
  • 81.95.149.226/scm/au/westpac/index.html
  • 81.95.149.226/scm/au/commonwealth/
  • 81.95.149.226/scm/au/warwickcreditunion/index.html
  • 81.95.149.226/scm/uk/lloydstsb/business/index.html
  • 81.95.149.226/scm/uk/halifax.php
  • 81.95.149.226/scm/uk/rbsdigital/index.html
  • 81.95.149.226/scm/uk/co-operative/index.html
  • 81.95.149.226/scm/uk/cahoot.php

Known malware to have been connecting to 81.95.149.226:
  • Trojan-PSW.Win32.LdPinch.bno
  • Trojan-Downloader.Win32.Small.emg
  • Trojan.Nuklus
where the malware detected under different names by multiple vendors is the only one that ever made a request to 81.95.149.226.

0-= More @ DDanchev Blog

Re: Russian Business Network Updates: [Mar 1]

Postby TeMerc » Sat Mar 01, 2008 3:41 pm

New Whitepaper: RBN "Rizing"
Russian Business Network (RBN)
In the last few months, there has been a significant amount of press coverage given to insidious cyber activity associated with the segment of the Internet known as the “Russian Business Network,” or RBN. Previous studies have suggested that the RBN has ties to nearly every area of cybercrime, including: phishing, malware, DDOS activity, pornography, botnets, and anonymization.

In November 2007, media reporting indicated that a large portion of the RBN “went dark.” Since that time, the Shadowserver Foundation has been more closely analyzing outlying networks implicated as being associated with RBN. One of these suspected outliers is AS9121, known as TurkTelekom. SecurityZone.org reported in early December 2007 that while not everything in TurkTelekom appears to be malicious, there are some ranges that are “particularly bad” and analysis of Shadowserver Foundation data agrees. Several subranges quickly stand out as being deeply involved in malicious cyber activity: 88.255.90.0/24 and 88.255.94.0/24. IP registration indicates these ranges are listed under the name “ABDALLAH INTERNET HIZMETLERI” (AIH).

Abdallah Internet Hizmetleri (AIH)
In one of the most thorough RBN studies to date, David Bizeul reported that AIH ranges 88.255.90.0/24 and 88.255.94.0/24 - are among the “most used network ranges used by RBN affiliates’ domain names.” The purpose of this paper is to take a deeper look at these two class C ranges of AIH based out of Rize, Turkey, available information from the Internet, and statistics collected by the Shadowserver Foundation to provide further insight into the scope and depth of the RBN.
0-= PDF Link @Shadowserver.org

Source: Sunbelt blog

Re: Russian Business Network Updates: [Mar 1]

Postby TeMerc » Wed Mar 05, 2008 9:15 am

Rogue RBN Software Pushed Through Blackhat SEO

Wednesday, March 05, 2008
This is yet another example of the KISS strategy uncovering another huge IFRAME campaign, again taking advantage of locally cached pages generated upon searching for a particular word, and the IFRAME itself. In the previous example, for instance, we had a second ongoing IFRAME campaign with just 4 pages injected with 89.149.243.201; however, what Keep It Simple Stupid really means in this case is that the next IP in their netblock, 89.149.243.202, is currently getting injected at many other sites as well.
0-= More @ DDanchev Blog

Re: Russian Business Network Updates: [Mar 10]

Postby TeMerc » Mon Mar 10, 2008 1:03 pm

Wired.com and History.com Getting RBN-ed
Monday, March 10, 2008

Monitoring last week's IFRAME injection attack at high page rank-ed sites, reveals a simple truth, that persistent simplicity seems to work. The attack is still ongoing, this time successfully injecting a multitude of new domains into Wired Magazine, and History.com's search engines, which are again caching anything submitted, particularly not validated input to have the malicious parties in the face of the RBN introducing a new malware, in between the pharmaceutical scams that they serve on the basis of an affiliation model. So, after "CNET stops IFRAME site attacks - who's next?" in terms of high-profile sites, that is Wired.com and History.com

Key summary points :
  • The same malicious parties behind the CNET and TorrentReactor's IFRAME injection are also the ones behind Wired.com and History.com's abuse of input validation
  • The IFRAME injection entirely relies on the lack of input validation within their search engines, making executable code possible to submit and therefore automatically execute upon accessing the cached page with a popular search query
  • Many other domains have been introduced within the IFRAMEs, a complete list of which you can find in this post, several directly hosted within RBN's network
  • The main domain serving the heavily obfuscated VBS malware is located within the Russian Business Network's known netblocks
  • Given the high page ranks of the current and the previous targets, it is evident that the malicious parties are prioritizing based on the possibility to abuse input validation on high page rank-ed sites, presumably in an automated fashion
  • Keep it Simple Stupid works, as since they cannot find a way to embed the IFRAME at these hosts, a clear indication of the fact that they've breached them, they figured out a way to inject the IFRAMEs and again take advantage of the high page ranks to attract traffic by gaining on popular key words, or any kind of key words that they want to
0-= Much More Detailed Analysis w\new IP ranges & Sites


0-= Related iFrame Thread @ TIC
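The two techniques described in this thread, a search engine that caches an unvalidated query so an IFRAME in the query becomes part of the page (this post and the Mar 5 post), and a "fake 404" or "account suspended" page that still loads the campaign's IFRAME (the Jan 14 and Jan 15 posts), are shown side by side in the added example below. It is not code from DDanchev or from any of the affected sites: the search template, the injected query, the error pages and the redirector host `injected.invalid` are all constructed. It shows the vulnerable rendering beside the escaped one, and a check that flags an error page whose body still pulls in a frame from another host.

```python
"""Detecting injected IFRAMEs: reflected into a cached search page, or sitting
inside a 'fake' 404 / account-suspended page.

Added example, not code from DDanchev's posts. The search template, the
injected query and the error pages are constructed; injected.invalid stands
in for whichever redirector host a real campaign uses.
"""
import html
import re
from urllib.parse import urlsplit

IFRAME_RE = re.compile(
    r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>', re.IGNORECASE | re.DOTALL)
# The usual tricks for making an injected frame invisible to the visitor.
HIDDEN_RE = re.compile(
    r'width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b|display\s*:\s*none|visibility\s*:\s*hidden',
    re.IGNORECASE)


def iframe_sources(page):
    """Every iframe in the page as (src, hidden) pairs."""
    return [(m.group(1), bool(HIDDEN_RE.search(m.group(0))))
            for m in IFRAME_RE.finditer(page)]


def third_party_iframes(page, site_host):
    """Iframes that load from another host; relative srcs count as same-site."""
    return [(src, hidden) for src, hidden in iframe_sources(page)
            if (urlsplit(src).hostname or site_host) != site_host]


# A site search page as a vulnerable site would build it: the query is written
# into the (cached) page unescaped, so markup in the query becomes markup.
TEMPLATE = '<html><body><h1>Results for "{q}"</h1><p>No results found.</p></body></html>'


def render_vulnerable(query):
    return TEMPLATE.format(q=query)


def render_fixed(query):
    # html.escape turns < > & " ' into entities: the query still displays,
    # but as text, so nothing executable lands in the cached page.
    return TEMPLATE.format(q=html.escape(query, quote=True))


# Constructed query of the shape the post describes: a popular keyword
# followed by a zero-size frame pointing at the redirector.
INJECTED_QUERY = ('free codec<iframe src="http://injected.invalid/in.cgi?3" '
                  'width=0 height=0></iframe>')


def is_fake_error_page(status, body, site_host):
    """True when a response claims to be an error or a suspended account but
    still pulls in a frame from elsewhere, the pattern the posts describe."""
    claims_error = status == 404 or "account suspended" in body.lower()
    return claims_error and bool(third_party_iframes(body, site_host))


if __name__ == "__main__":
    print("vulnerable:", third_party_iframes(render_vulnerable(INJECTED_QUERY), "search.example"))
    print("fixed:     ", third_party_iframes(render_fixed(INJECTED_QUERY), "search.example"))
    suspended = ('<html><body>This Account Has Been Suspended'
                 '<iframe src="http://injected.invalid/x/" style="display:none"></iframe>'
                 '</body></html>')
    print("fake suspension page:", is_fake_error_page(200, suspended, "victim.example"))
```

Escaping on output is the whole fix for the search case: the query can still be stored and cached, it just can never become a tag. When crawling for the second pattern, keep the HTTP status alongside the body, since a genuine 404 with no third-party frame and a "404" page that still loads one look identical in a status-only scan.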

Re: Russian Business Network Updates: [Mar 10]

Postby TeMerc » Tue Mar 11, 2008 6:27 pm

The New Media Malware Gang - Part Four
Wednesday, March 12, 2008

Sometimes patterns are just meant to be, and so is the process of diving into the semantics of RBN's ex/current customers base, in this case the New Media Malware Gang. The latest pack of this group specific live exploit URLs :
  • bentham-mps.org/mansoor/cgi/index.php (205.234.186.26)
  • 5fera.cn/adp/index.php (72.233.60.90)
  • ls-al.biz/1/index.php (78.109.22.245)
  • iwrx.com/images/index.php (74.53.174.34)
  • pizda.cc/in.htm (78.109.19.226)
  • ugl.vrlab.org/www/index.php (91.123.28.32)
  • eastcourier.com/reff/index.php (91.195.124.20)
  • thelobanoff.com/myshop/test/index.php (64.191.78.229)
  • 203.117.170.40/~whyme/my/index.php
  • 195.93.218.25/us/index.php
  • 195.93.218.25/kam/index.php
  • 85.255.116.206/ax5/index.php
0-= Links to Parts 1-3 @ DDanchev blog

Re: Russian Business Network Updates: [Mar 11]

Postby TeMerc » Wed Mar 12, 2008 8:25 am

More High Profile Sites IFRAME Injected
Wednesday, March 12, 2008
The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info where a new malware variant of Zlob is attempting to install through an ActiveX object. These are the high profile sites targeted by the same group within the past 48 hours, with the number of locally cached and IFRAME injected pages within their search engines.

This sample of the newly introduced .info domains resides on the same netblock as the previous ones - 75.125.181.0/255 - a KISS strategy making it easier to respond to this incident. Best of all, they further expand the campaign since they're injected in plain text, next to javascript obfuscated, this time embedded malware :
Each of these is loading a secondary domain, which is then taking us to two more before finally reaching the Zlob variant. In this case it's radt.info (75.125.208.243) with several campaigns currently up and running, pointing to the same fake codec.

All of which ultimately redirect to :
porn-popular.com (64.28.185.78) where the Zlob variant in the face of a fake codec, is downloaded from democodec.com/download/ democodec1292.exe (64.28.184.168) via an Active X object.

To sum up - it's a mess that I'll continue trying to structure, and it's a single group exploiting input validation capability within the sites' search engines we're talking about. This segmented targeting of sites with high page ranks, and their persistence, is already positioning hundreds of thousands of keywords within the top search results, with the targeted sites acting as the redirectors to the malware locations.
0-= More Analysis @ DDanchev Blog

0-= Related iFrame Thread @ TIC
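The injection mechanism the posts above describe is a site search page that reflects the query unescaped, so an IFRAME submitted as a search term ends up in the site's own cached result pages. The following added example (not code from the forum posts or the blogs they quote; all hosts are constructed placeholders) shows the weak rendering beside the escaped one, and a scanner a site owner could run over cached pages to flag IFRAMEs that point off-site.

```python
"""Reflected-search IFRAME injection: weak vs. escaped rendering, plus a scanner.

Added example, not from the original post. OWN_HOST and the IFRAME host are
constructed placeholders, not indicators from the page.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

OWN_HOST = "example-newspaper.test"  # constructed: the site being audited

# Minimal search-results template; {query} is where the user's term is echoed.
PAGE = "<html><body><h1>Results for: {query}</h1><p>No results.</p></body></html>"


def render_search_unsafe(query: str) -> str:
    """The weak pattern: the query is copied verbatim into the HTML."""
    return PAGE.replace("{query}", query)


def render_search_safe(query: str) -> str:
    """The fix: HTML-escape the query, so '<iframe' is shown as text, not parsed."""
    return PAGE.replace("{query}", html.escape(query, quote=True))


class _IframeCollector(HTMLParser):
    """Collects src attributes of every <iframe> start tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_offsite_iframes(page_html: str, own_host: str) -> list[str]:
    """Return IFRAME src values whose host is neither own_host nor one of its subdomains.

    Scheme-relative ("//host/x") sources resolve to that host; path-relative
    sources ("/x") belong to the site itself and are not flagged.
    """
    parser = _IframeCollector()
    parser.feed(page_html)
    hits = []
    for src in parser.srcs:
        host = urlsplit(src, scheme="http").hostname or own_host
        if host != own_host and not host.endswith("." + own_host):
            hits.append(src)
    return hits


# Constructed search term of the kind the posts describe (placeholder host).
INJECTED = '<iframe src="http://redirector.invalid/in.php" width="0" height="0"></iframe>'

if __name__ == "__main__":
    print(find_offsite_iframes(render_search_unsafe(INJECTED), OWN_HOST))  # one hit
    print(find_offsite_iframes(render_search_safe(INJECTED), OWN_HOST))    # []
```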

Re: Russian Business Network Updates: [Apr 15]

Postby TeMerc » Tue Apr 15, 2008 8:05 am

Malware and Exploits Serving Girls
Tuesday, April 15, 2008
Descriptive domains such as beautiful-and-lonely-girl dot com, amateur homepage looking sites, a modest photo archive of different girls, apparently amateur malware spreaders think that spamming these links to as many people as possible would entice them into visiting the

It all started with Lonely Polina, then came lonely Ms. Polinka, and now we have Victoria. And despite that Polina and Polinka are both connected in terms of the malware served, and the natural RBN connection in face of HostFresh, as well as the site template used, Victoria is an exception. Some details on the recently spammed campaign:

voena.net (199.237.229.158) is also responding to prettyblondywoman.com, where the exploit (WebViewFolderIcon setSlice) and the malware (Trojan-Spy.Win32.Goldun) are served from voena.net/incoming.php and voena.net/get.php, both with a high detection rate 27/32 (84.38%).
0-= More @ DDanchev Blog

Re: Russian Business Network Updates: [May 13]

Postby TeMerc » Tue May 13, 2008 9:24 am

RBN - Partners Official Sponsors of ICANN?
Russian Business Network (RBN); what if they were out to own the Internet by owning the DNS? The Internet totally relies on DNS (Domain Name System) so obviously this must be the stuff that Hollywood movies are made of, but this nightmare scenario is more real than any of us would like to believe.

This article draws a few of the ingredients together, it is important to stress this is not to discredit ICANN, but to show just how RBN and their associates are applying themselves to the weakness of DNS allocation and exploiting ICANN’s vulnerability via influence, commercial sponsorship and registrar development.

Firstly, RBN’s normal chaos creation, shown within the important and recent security research paper “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority” by David Dagon, Niels Provos, et. al.; “291,528 hosts on the Internet performing either incorrect or malicious DNS service. With DNS resolution behavior so trivially changed, numerous malware instances in the wild, we urge the security community to consider the corruption of the (DNS) resolution path as an important problem.” [ref 1]

Connect this to the newer RBN technique to now ‘auto-generate’ 1,000’s of new malware and rogue domain registrations via duped or controlled registrars, e.g. Tucows (Ca), EstDomains, and shielded by PrivacyProtect - which now can outrun most security bloggers, security companies, black listing or rogue domain listings. [ref 2]

So, who runs or has the responsibility for DNS and keeping it safe? - ICANN (Internet Corporation for Assigned Names and Numbers) mostly self elected and privately operated as ICANNwatch.org describes “avoiding governmental accountability mechanisms, but ICANN also lacks much of the accountability normally found in corporations and in nonprofits.” [ref 3]
0-= Continued @ RBN Exploit Blog w\Links & Screen Shots

Re: Russian Business Network Updates: [May 13]

Postby TeMerc » Wed Jun 25, 2008 10:58 am

RBN: Fake Porn Sites Serving Malware
Wednesday, June 25, 2008
Ah, that RBN with its centralization mentality for the sake of ease of management and 99.999% uptime. In this very latest example of using malicious doorways redirecting to fake porn sites, consisting of over twenty different domains serving the usual Zlob malware variants, we have a decent abuse of a template for a porn site.

The ease of management of such domain farms and the availability of templates for high-trafficked topic segments such as celebrities and pornography, continue contributing to the increasing number of Zlob variants served through fake codecs. Moreover, once set up, the malicious infrastructure starts attracting not just generic search traffic, but also traffic coming from affiliates with whom revenue is shared on the basis of the number of people that downloaded the codec.

In this campaign, the malicious doorway that expands the entire ecosystem is located at search-top.com/in.cgi?5&parameter=drs (66.96.85.113). A redirector that appears to have been operating since 2006, according to this forum posting.

What follows on-the-fly, are all the fake porn sites whose legitimate-looking videos attempt to download a Zlob malware variant from a single location - vipcodec.net. Here are all the fake porn sites, and the associated campaigns in this redirection :

Associated fake porn sites :

If exposing a huge domains portfolio of currently active redirectors has the potential to ruin someone's vacation, then consider someone's vacation ruined already.
0-= DDanchev Blog

Re: Russian Business Network Updates: [May 13]

Postby TeMerc » Sat Aug 09, 2008 10:11 am

RBN Partaking In Russia Attacks On Georgian Cyber Attacks

For confirmation and current status of the cyberwar:

Example - Nameservers for http://www.itdc.ge Georgia’s web development enterprise are continuously showing:
    * ns1.garse.net returned (SERVFAIL)
    * ns2.garse.net returned (SERVFAIL)

Two traceroutes to web site mfa.gov.ge - Georgia Foreign Affairs - show:
    (a) From US - Ge = Blocked via TTnet Turkey
    (b) From Ukraine - Ge = available & slow; note: cached (forged page), now only via redirect through Bryansk Ru
    Other Georgia government websites e.g. mod.gov.ge (Ministry of Defense) - president.gov.ge show:
    (c) From US - Ge = Blocked via TTnet Turkey
    (d) From Ukraine - Ge = Blocked via TTnet Turkey
Internally - several Georgia based servers now only under external routing control e.g. AS28751 CAUCASUS NET AS Caucasus Network Tbilisi, Georgia & AS20771 DeltaNet Autonomous System DeltaNet ltd 0179 Tbilisi Georgia

Now only available via AS12389 ROSTELECOM AS JSC Rostelecom (Ru) and AS8342 RTCOMM AS RTComm RU Autonomous System (Ru) - servers - Georgia traffic through Deltanet being redirected via TTnet

It should be noted that the servers AS8342 RTCOMM (Ru), AS12389 ROSTELECOM (Ru), AS9121 TTNet Autonomous System Turk Telekom (Tk) are well known to be under the control of RBN and influenced by the Russian Government. All efforts are being made to regain server control, and International assistance is requested to provide added Internet routing via neutral cyber space.
0-= RBN Exploit Blog

Re: Russian Business Network Updates: [Cyber War Aug 9]

Postby TeMerc » Sat Aug 09, 2008 3:15 pm


Re: Russian Business Network Updates: [Cyber War Aug 9]

Postby TeMerc » Sun Aug 10, 2008 1:34 pm


Re: Russian Business Network Updates: [Cyber War Aug 10]

Postby TeMerc » Mon Sep 08, 2008 7:45 am

Monday, September 8, 2008
The RBN Operatives: Part II
In mid-August, I wrote that I suspected that long time RBN operatives Alexandr Boykov and Sergey Smirnov were the individuals most likely responsible for the cyber first strike against Georgia's Internet infrastructure, which preceded Russia's invasion of that country. Given their historical domination of CNet 76.135.167, I continue to hold this view. However, after many hours of investigative work, I have uncovered additional, specific information regarding the lessee of the IP space involved.

What I now know is that sometime between July 18 and July 31, 2008, a Russian cyber criminal named Sergey Astakhov deployed the botnet command and control domains involved in the DDOS attack to 76.135.167.22. Using a fairly advanced RBN DNS obfuscation method, Mr. Astakhov created a multiheaded DNS topology in an attempt to elude discovery. Mr. Astakhov's DNS server, judex.cn located at IP address 210.145.102.19 also bore an A record address of 79.135.167.22. The domains at 79.135.167.22 used a fast flux DNS method with a twist: most of the time in which one ran a DNS query against them, ns1.guagua.net would be returned. Rarely, ns1.srv.com (located at 210.145.102.19) would be returned as a result of a DNS query. I had noted this as early as 11 August, but the DNS topology of ns1.srv.com led nowhere. Similarly judex.com was a dead end.

The sophistication of the methods used to cloak Mr. Astakhov's identity is remarkable. Combined with the use of privacy protect type services, they could be used to create truly stealthed Internet attack systems, which would make attribution of criminal activity difficult to impossible. In this case, we are fortunate that Mr. Astakhov used his actual name in the WhoIs record for judex.cn.

nwz Continued @ Secure Home Network