RBN Updates: [Site Block Lists-Apr 9]


MysteryFCM
Site Admin
Posts: 3721
Joined: Sun May 15, 2005 12:42 pm
Location: Newcastle, UK

Re: Russian Business Network Updates: [RBN Tracking Sept 8]

Postby MysteryFCM » Tue Oct 07, 2008 9:14 pm

Russian Business Network having fun in Italy
http://hphosts.blogspot.com/2008/10/rus ... un-in.html
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!

TeMerc
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ

Re: Russian Business Network Updates: [RBN Tracking Sept 8]

Postby TeMerc » Tue Oct 14, 2008 5:36 pm

RBN - Russian Cyberwar on Georgia: Report

"In August 2008, cyberwar associated with the Russian Federation struck once more, this time against Georgia. The DDoS attacks began in the weeks running up to the outbreak of the Russian invasion and continued after the Kremlin announced that it had ceased hostilities on August 12th."

This excerpt is from the 29-page report available for download from HostExploit.com or georgiaupdate.gov.ge; this is probably the most thorough analysis available on the cyberwarfare related to Georgia.

Concerning RBN (Russian Business Network)

"The individual, with direct responsibility for carrying out the cyber "first strike" on Georgia, is a RBN operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrey Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists," as some have maintained of the cyber attacks on Georgia – but senior operatives in positions of responsibility with vast background knowledge.

Intelligence can suggest further information about these individual cyber-terrorists. According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22, clearly showing professional planning and not merely ‘hacktivism.’ Due to the degree of professionalism and the required massive costs to run such operations, a state-sponsor is suspected. Further information gathered also links the RBN to known disruptive websites
0-= Continued @ RBN Exploit Blog


Re: RBN Updates: [RBN & CyberWar On Georgia Oct 14]

Postby TeMerc » Sun Mar 22, 2009 9:43 am

RUSSIAN BUSINESS NETWORK DEPLOYS IN THE IP SPACE OF THE ISLAMIC REPUBLIC
A Russian organized crime group involved in pornography, drug smuggling, and the distribution of malware has initiated operations from the IP address space of the Islamic Republic of Iran. It is unknown if this activity was launched with state approval.

The Russian Business Network affiliate involved has established a front company, autonomous system AS48669 NTCOLO-AS NTCOLO, and has been allocated 510 unique IP addresses. AS48669 consists of 105 malware domains, 19 domain name servers, 8 mail servers and 3 fraudulent payment processors. The affiliate's contact email address is staff@ntcolo.com.ua.

The domain to IP address assignments are modified several times per week, as the RBN seeks to evade IP blocking by network administrators.
0-= Complete List Of IPs\Domains @ Secure Home Networks


Re: RBN Updates: [Now Set Up In Iran-Mar 22]

Postby TeMerc » Thu Mar 26, 2009 11:29 pm

Thursday, March 26, 2009
RBN Registers Racist Domains Using Go Daddy
Russian Business Network malware distributors have registered numerous racist domain names using domain registrar Go Daddy. The domains, and subsequently created subdomain names, provide insight into the RBN's misanthropic perspective.

Over the past year, Go Daddy has been criticized by anti-fraud watchdog groups for refusing to take down web sites engaged in the sale of illegal steroids. (note: http://www.darkreading.com/security/man ... =211201188)

As of March 26th, the malicious sites were hosted at XS4ALL Networking (cistron) in Amsterdam at IP address 83.68.16.6 (which XS4ALL classifies as "ADSL IP numbers"). One of the domains present on the IP address (and registered through Go Daddy), ntkrnlpa.info, has been involved in several RBN criminal campaigns. Note Dancho Danchev's excellent blog post of March 25th, "Embassy of Portugal in India Serving Malware", at http://ddanchev.blogspot.com/2009/03/em ... rving.html
0-= Continued @ Secure Home Network Blog


Re: RBN Updates: [Racist Site -Mar 26]

Postby TeMerc » Sun Mar 29, 2009 10:09 am

RBN Domains Fleeing HostFresh
After receiving information that the RBN malware bastion, HostFresh (aut-num: AS23898 as-name: HOSTFRESH-AS-AP), was in the process of being depeered, I decided to track fleeing malware domains.

During the takedowns of Atrivo, McColo and UkrTelegroup, we observed domains being migrated to other IP ranges, as the owners sought to keep their criminal enterprises alive.

As of Sunday morning 29 March 2009, 61% of the 18 malware domains that I sampled had been migrated
0-=Secure Home Networks Blog


Re: RBN Updates: [Site Migration-Mar 29]

Postby TeMerc » Tue Apr 07, 2009 12:14 am

Monday, April 6, 2009
RBN Hunting
Download the Emerging Russian Business Network rules for Snort

Emerging Threats RBN Project page

Download the IP list as a text file (last update: 4-7-2009)

Optional IP list (last update: 1-19-2009)

These addresses may be used to construct an effective IP block list
0-= Lists @ Secure Home Network Blog
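The domain-migration tracking described in the HostFresh post above and the IP block list in this one, as an added example that is not code from the forum or from the blogs it quotes: it performs no DNS lookups itself, but takes two constructed resolution snapshots (before and after a depeering, using RFC 5737 documentation addresses) and a constructed set of monitored netblocks, classifies each sampled domain as stayed, migrated or dead, computes the migrated percentage the post reports, and emits /32 entries for the migrated destinations that can be fed to an ipset or firewall block list.

```python
"""Classify sampled malware domains after a host is depeered and derive
a block list from where they moved. Added example; all domains, netblocks
and resolution snapshots below are constructed, not data from the thread."""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: netblocks attributed to the host being depeered.
MONITORED_RANGES = [ipaddress.ip_network(c)
                    for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed snapshots of domain -> resolved IP (None = no longer resolves).
SNAPSHOT_BEFORE: Dict[str, Optional[str]] = {
    "bad1.example": "203.0.113.10",
    "bad2.example": "203.0.113.11",
    "bad3.example": "198.51.100.5",
    "bad4.example": "198.51.100.9",
    "bad5.example": "203.0.113.77",
}
SNAPSHOT_AFTER: Dict[str, Optional[str]] = {
    "bad1.example": "192.0.2.40",    # moved to a different provider's range
    "bad2.example": "203.0.113.11",  # still inside the monitored block
    "bad3.example": "192.0.2.41",    # moved
    "bad4.example": "198.51.100.9",  # unchanged
    "bad5.example": None,            # dropped from DNS
}


def in_monitored(ip: str) -> bool:
    """True if the address falls inside any of the monitored netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED_RANGES)


def migration_report(before: Dict[str, Optional[str]],
                     after: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Label each sampled domain 'stayed', 'migrated' or 'dead'."""
    status = {}
    for domain, old_ip in before.items():
        new_ip = after.get(domain)
        if new_ip is None:
            status[domain] = "dead"
        elif old_ip and in_monitored(old_ip) and not in_monitored(new_ip):
            status[domain] = "migrated"
        else:
            status[domain] = "stayed"
    return status


def migrated_percent(status: Dict[str, str]) -> int:
    """Share of the sample that left the monitored ranges, as a whole percent."""
    return round(100 * sum(s == "migrated" for s in status.values()) / len(status))


def new_blocklist(after: Dict[str, Optional[str]], status: Dict[str, str]) -> List[str]:
    """Sorted /32 entries for the destinations the migrated domains moved to."""
    return sorted({f"{after[d]}/32" for d, s in status.items() if s == "migrated"})
```

Re-run the snapshot comparison after each resolution pass, since the Iran post above notes that assignments change several times a week, and only the block list delta needs to be pushed each time.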


Re: RBN Updates: [Site Block Lists-Apr 7]

Postby TeMerc » Thu Apr 09, 2009 4:17 pm

Black Hat SEO - RBN Hacks, p.1
The silent threat: Black Hat SEO, exploits, hacks, botnets

Inspecting the bad network
The Zlkon network (DATORU EXPRESS SERVISS) has been cited in several blogs
for hosting malicious content for cyber criminals - for example:

On Symantec website for spreading the TDSS trojan - in conjunction with IPs at UkrTeleGroup Ltd. in December 2008

On the msmvps' blog for inaccurate whois details in January 2009
On bluetack.co.uk forum for rogue antivirus here in January 2009
Another example with "Total Defender", other rogue antivirus here
Also found on several websites including fireeye "Bad Actors Part 2 - ZlKon"
- dancho danchev's blog
Network in conjunction cited here: Bad, bad, cybercrime-friendly ISPs!
0-= Continued @ Malware Web Threats Blog
========================================================================
Black Hat SEO - RBN Hacks, p.2
The silent threat: Black Hat SEO - Cyber Crime Toolkit Exposed

Welcome to LuckySploit:) ITS TOASTED

A nice article provided by Finjan about the Lucky Sploit toolkit, one of the latest script kiddies that cyber criminals use these days, can be found by following this link: LuckySploit Toolkit Exposed

Using a well-known technique such as "Code Obfuscation", most often used to hide its first intention (sometimes randomly generated), here is one of the numerous malicious scripts found on several compromised websites
0-= Continued @ Malware Web Threats Blog


Re: RBN Updates: [Site Block Lists-Apr 9]

Postby TeMerc » Fri Sep 11, 2009 6:15 pm

RBN Attacking White House Anti-Drug Web Sites

Friday, September 11, 2009

In another example of the RBN revealing the true measure of their malice, White House Anti-Drug Sites have been attacked over the past week.

Malware Domain List reported on September 5th that whitehousedrugpolicy.gov, the website of the Office of National Drug Control Policy, had been compromised. In that instance, the site was directing visitors to a trojan:

adgallery.whitehousedrugpolicy.gov/members/Miley-Cyrus-Nude/default.aspx 198.77.71.192 adgallery.whitehousedrugpolicy.gov directs to trojan abuse@noc.privatedns.com 2009/09/05.

whitehousedrugpolicy.gov features White House Drug Policy initiatives, programs, and resources, as well as testimony and press releases. The site outlines National Drug Control Strategy goals and objectives.
0-= Continued @ Secure Home Networks Blog

