Monday, September 8, 2008

The RBN Operatives: Part II

In mid-August, I wrote that I suspected that long-time RBN operatives Alexandr Boykov and Sergey Smirnov were the individuals most likely responsible for the cyber first strike against Georgia's Internet infrastructure, which preceded Russia's invasion of that country. Given their historical domination of CNet 76.135.167, I continue to hold this view. However, after many hours of investigative work, I have uncovered additional, specific information regarding the lessee of the IP space involved.
What I now know is that sometime between July 18 and July 31, 2008, a Russian cyber criminal named Sergey Astakhov deployed the botnet command and control domains involved in the DDoS attack to 126.96.36.199. Using a fairly advanced RBN DNS obfuscation method, Mr. Astakhov created a multi-headed DNS topology in an attempt to elude discovery. Mr. Astakhov's DNS server, judex.cn, located at IP address 188.8.131.52, also bore an A record address of 184.108.40.206. The domains at 220.127.116.11 used a fast flux DNS method with a twist: most of the time, when one ran a DNS query against them, ns1.guagua.net would be returned. Rarely, ns1.srv.com (located at 18.104.22.168) would be returned as the result of a DNS query. I had noted this as early as 11 August, but the DNS topology of ns1.srv.com led nowhere. Similarly, judex.com was a dead end.
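One way to surface the pattern described above from repeated lookups, namely a dominant nameserver answer with a rarely returned alternate, alongside churning A records, is to tally the answers over time. This is an added example, not code from the original post; the domains, nameserver names, addresses and thresholds are constructed placeholders.

```python
from collections import Counter, defaultdict

# Constructed observation log of repeated DNS queries: (seconds, domain, type, answer).
# All names and addresses below are placeholders (RFC 5737 ranges), not the post's data.
OBSERVATIONS = (
    [(t, "c2-one.test", "NS", "ns1.primary.test") for t in range(0, 540, 60)]   # 9 answers
    + [(540, "c2-one.test", "NS", "ns1.alternate.test")]                         # the rare 10th
    + [(t, "c2-one.test", "A", a) for t, a in zip(range(0, 300, 60),
        ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.10", "192.0.2.13"])]
    + [(t, "stable.test", "NS", "ns1.stable.test") for t in range(0, 300, 60)]
    + [(t, "stable.test", "A", "198.51.100.5") for t in range(0, 300, 60)]
)


def dns_flux_report(observations, minority_max=0.2, churn_min=3):
    """Per domain: dominant NS answer, any NS answers seen rarely (share <= minority_max),
    the number of distinct A answers, and a 'suspicious' verdict when either a rare
    alternate nameserver exists or the A record churn reaches churn_min."""
    ns_counts, a_seen = defaultdict(Counter), defaultdict(set)
    for _, domain, rtype, answer in observations:
        if rtype == "NS":
            ns_counts[domain][answer] += 1
        elif rtype == "A":
            a_seen[domain].add(answer)

    report = {}
    for domain in set(ns_counts) | set(a_seen):
        counts = ns_counts[domain]
        total = sum(counts.values())
        finding = {"dominant_ns": None, "rare_ns": {}, "distinct_a": len(a_seen[domain])}
        if total:
            dominant, _ = counts.most_common(1)[0]
            finding["dominant_ns"] = dominant
            # Share of answers for each nameserver other than the dominant one.
            finding["rare_ns"] = {ns: c / total for ns, c in counts.items()
                                  if ns != dominant and c / total <= minority_max}
        finding["suspicious"] = bool(finding["rare_ns"]) or finding["distinct_a"] >= churn_min
        report[domain] = finding
    return report


if __name__ == "__main__":
    for domain, finding in sorted(dns_flux_report(OBSERVATIONS).items()):
        print(domain, finding)
```

Against real resolver logs, the same tally over a day or more of queries separates a domain with a single stable nameserver from one that occasionally swaps in a second delegation.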
The sophistication of the methods used to cloak Mr. Astakhov's identity is remarkable. Combined with the use of privacy-protect-type services, they could be used to create truly stealthed Internet attack systems, which would make attribution of criminal activity difficult to impossible. In this case, we are fortunate that Mr. Astakhov used his actual name in the WhoIs record for judex.cn.

Continued @ Secure Home Network