
From Dancho Danchev:
Bleeding Edge Threats recently announced the release of some very handy RBN blocking/detecting rulesets. More here.
Remember RBN's fake anti-virus and anti-spyware software? The list is getting bigger, with another 20 additions, again hosted on RBN IPs exposed by the RBNExploit blog.
Meanwhile, you may also be interested in how an abuse request gets handled at the RBN. Deceptively, of course. Each and every domain or IP that has been reported to them as malicious, not once but numerous times by different organizations, starts serving a fake "account suspended" message like the following, as the malicious domains hosted at the RBN do:
"This Account Has Been Suspended For Violation Of Hosting Terms And Conditions. Please contact the billing/support department as soon as possible."
UPDATE: RBN Rule Updates
http://www.bleedingthreats.net/rules/bleeding-rbn.rules
http://www.bleedingthreats.net/rules/bleeding-rbn-BLOCK.rules
Updated those to include the new Chinese additions to the RBN IP ranges, and split them out into 3 rules.
First are the major nets that RBN owns, where the mass servers are. Second are the new Chinese nets, and third are the individual hosts. Some of those are just routers, some are individual web or DNS servers.
Hopefully that separation helps out some; let me know if it could be done differently to be more useful.
4 comments:
This link might interest you...
http://it.slashdot.org/it/07/11/13/0214252.shtml
Russian Hacker Gang Vanishes Again
"The shadowy hacker and malware hosting network that only recently fled Russia to set up operations in China has now pulled the plug there and vanished yet again. An analyst at VeriSign's iDefense Labs unit said iDefense had tracked RBN's migration earlier in the week from servers based in Russia to ones running in China, after obtaining at least seven net blocks of Chinese IP addresses. As of Wednesday, RBN controlled 5,120 IP addresses assigned to Chinese service providers; known RBN clients were even seen using those addresses that day. But with its China move putting the spotlights of the media and the security community on the organization, RBN suddenly went offline on Thursday. 'They severed connections to six of the seven net blocks on November 8,' the analyst said. RBN as a single organization may be dead and gone; it may even now be breaking up into smaller pieces farmed out to multiple countries' Internet infrastructures."
Thank you, I also reported this in a previous post ;-)
http://security4all.blogspot.com/2007/11/has-russian-business-network-gone-into.html
Oops, must have missed that one ^^
The latest RBN Snort rules are on www.emergingthreats.net