
The Russian Business Network is on tenterhooks

Wednesday, January 9, 2008 at 7:28am by Francois Paget

It’s not a secret anymore: the criminal organizations behind a large part of Internet-related fraud are huge and well organized. In the last quarter of 2007, two studies about RBN (Russian Business Network), one of the best-known criminal organizations so far, were published. Last year, I looked at them with great interest. The first is named Uncovering Online Fraud Rings: The Russian Business Network and is available as a webcast recording on the VeriSign web site. The second was written by David Bizeul and is named Russian Business Network study.

These papers demonstrate and illustrate that RBN is an empire. It directly or indirectly manages potentially a million sites. Thanks to elaborate intrusive advertising techniques, millions of Internet users visit its fake retail sites every month. Hackers and other cybercriminals also have their stores and outlets there: malware sales, service offers and booby-trapped sites. Pornography and pedophilia always make money there.

In addition to these documents, some particularly thorough stories have been circulating on the Net (articles by Brian Krebs in the Washington Post, and posts on the RBNexploit and Dancho Danchev blogs).

Mailing addresses, names and photos of suspects, detailed lists of machines and autonomous systems, as well as many other details were revealed. Because of this, the group has deemed it best to partially disappear. On November 6th, 2007, many network nodes stopped responding. It was not the end of them, though; the move had been carefully planned: high-activity sites – those leading the attacks at the time – were not disturbed. Gradually, the affected sites began to reappear in Russia as well as all over the world. Today, many countries in Southeast Asia are mentioned, but they are not alone. The reorganization is under way: new retail payment systems for fake products (mainly fake security products and fake video codecs), new legitimate sites hosting tricky banner ads that redirect computers to these fake retail web sites, new Storm (aka Nuwar) worm campaigns driven by new C&C botnet implementations, and new web sites hosting malicious software (such as MPack or WebAttacker) that victims reach silently after encountering a hidden iFrame while surfing.

People tracking down RBN regularly watch its Autonomous Systems (AS). These are collections of connected IP networks controlled by a single entity and defined by an AS number. The RBNexploit blog and the David Bizeul document are very comprehensive on this subject and various network maps or tables help the reader to understand the complexity of such an organization.

One puzzle piece is known as AS40989. Although it was not the core of RBN activity, it is well known because it seems to be the official name of the group. It is the subject of a new write-up available at the Shadowserver Foundation web site.

This document analyzes the malicious binary activity directed to and commanded by AS40989. From March to November 2007 the researchers collected 2859 pieces of malware which initiated HTTP connections to it. They found an impressive collection of malware: “Gozi, Goldun, Hupigon, Nurech, Nuklus, Pinch, Sinowal, Tibs, Xorpix, various dialers, downloaders, worms, adware, page hijackers, and proxies”. Once again, it demonstrates the professionalism and the size of the group.
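The two paragraphs above describe a defender's technique: map the destination addresses that sandboxed malware samples contact onto Autonomous Systems (by prefix, since an AS is a set of IP prefixes announced under one AS number), then count how many distinct samples talk to each AS so that a watched AS such as AS40989 stands out. The following is an added example illustrating that tally; it is not code from the Shadowserver write-up or from any of the papers cited. The prefix table and the sandbox log lines are constructed for illustration (the addresses are reserved documentation ranges, not real RBN address space), and the function names are my own.

```python
"""Attribute sandboxed malware HTTP connections to Autonomous Systems.

Added example. The prefix-to-ASN table and the log lines are constructed;
in practice the table would come from BGP routing data (e.g. a RIB dump).
"""
import ipaddress
from collections import defaultdict

# Constructed prefix-to-ASN table. 40989 is the AS number named in the post;
# the prefixes attached to it here are hypothetical documentation ranges.
PREFIX_TABLE = {
    "192.0.2.0/24": 40989,       # hypothetical prefix attributed to AS40989
    "198.51.100.0/25": 40989,    # hypothetical second prefix of the same AS
    "198.51.100.128/25": 64500,  # unrelated AS (private-use AS number)
    "203.0.113.0/24": 64501,     # unrelated AS (private-use AS number)
}

# Constructed sandbox log: "<sample id> <dst ip> <dst port> <url path>"
SAMPLE_LOG = """\
sample-0001 192.0.2.17 80 /cfg.bin
sample-0002 198.51.100.9 80 /gate.php
sample-0001 192.0.2.17 80 /cfg.bin
sample-0003 203.0.113.5 80 /index.html
sample-0004 198.51.100.200 80 /update
sample-0005 10.0.0.1 80 /notrouted
"""


def build_table(prefix_map):
    """Return (network, asn) pairs sorted most-specific first, so that a
    linear scan performs longest-prefix matching."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in prefix_map.items()]
    return sorted(nets, key=lambda t: t[0].prefixlen, reverse=True)


def lookup_asn(ip, table):
    """Map one IP address to an AS number, or None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def parse_log(text):
    """Yield (sample, ip, port, path) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        sample, ip, port, path = parts
        yield sample, ip, int(port), path


def samples_per_asn(log_text, prefix_map):
    """Count DISTINCT samples contacting each AS. Counting samples rather
    than connections avoids inflating the figure when one sample beacons
    repeatedly (sample-0001 above appears twice but is counted once)."""
    table = build_table(prefix_map)
    seen = defaultdict(set)
    for sample, ip, _port, _path in parse_log(log_text):
        asn = lookup_asn(ip, table)
        if asn is not None:
            seen[asn].add(sample)
    return {asn: len(samples) for asn, samples in seen.items()}


def watched_asn_report(log_text, prefix_map, watched):
    """List the sample ids that contacted a watched AS, for analyst triage."""
    table = build_table(prefix_map)
    hits = {s for s, ip, *_ in parse_log(log_text) if lookup_asn(ip, table) == watched}
    return sorted(hits)


if __name__ == "__main__":
    print(samples_per_asn(SAMPLE_LOG, PREFIX_TABLE))
    print("samples contacting AS40989:", watched_asn_report(SAMPLE_LOG, PREFIX_TABLE, 40989))
```

Two design points matter when doing this for real: the table must be searched most-specific-first, because a /25 carved out of a larger block may belong to a different AS than the covering /24; and addresses that no known prefix covers (the 10.0.0.1 line above) should be dropped rather than attributed to some default AS, otherwise the count for the watched AS becomes meaningless.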

Reading material on RBN is abundant. With this post, I only wish to draw your attention to this existing material. It demonstrates the vitality of the new criminal organizations; it also demonstrates that many people, at McAfee and elsewhere, stay tuned into the dark side of the Internet to understand how the situation is constantly changing and to fight this threat at a worldwide level.
