Wednesday

Has the Russian Business Network gone into hiding? *updated*



From the Trendlabs Malware Blog:

Yesterday, the infamous Russian Business Network (RBN) dropped out of the Internet at around 7 PM PST. Since then, IP addresses of RBN can no longer be reached because there is no routing for them any longer. It could be that the upstream providers who provided RBN with Internet connectivity may have terminated their services to their problematic customer temporarily or (hopefully) even permanently. Trend Micro will continue to closely monitor whether RBN remains down.
In recent weeks, moreover, Trend Micro has seen equivalents of RBN pop up in Turkey and Taiwan. These hosting providers seem to have the same kind of customer base as RBN. Thus, even if RBN drops off of the Internet permanently, its customers might find a new home soon.

It seems that nearly all of the RBN's known autonomous systems (AS) have recently disappeared from the global routing tables: RBN-AS, SBT-AS, MICRONNET-AS, OINVEST-AS, AKIMON-AS, CONNCETCOM-AS and NEVSKCC-AS.

CREDOLINK-ASN is the only one left, but that network has also become unavailable. The withdrawal looks almost voluntary. Are they moving their base of operations? Did they get too much attention? According to the Spamhaus Project, RBN might have gone Chinese: somehow they managed to obtain IP blocks located in China, Shanghai in particular.

http://cidr-report.org/cgi-bin/as-report?as=AS43603
http://cidr-report.org/cgi-bin/as-report?as=AS42811
http://cidr-report.org/cgi-bin/as-report?as=AS43259
http://cidr-report.org/cgi-bin/as-report?as=AS43702
http://cidr-report.org/cgi-bin/as-report?as=AS43188
http://cidr-report.org/cgi-bin/as-report?as=AS42672
http://cidr-report.org/cgi-bin/as-report?as=AS42662

Will this become a whac-a-mole game? To be continued. Anyway, for a little while, the internet is a safer place.

UPDATE (8/11/2007): Some ranges of the RBN still seem active. This excellent blog has more information:
RBN – The Russian Business Network Has Closed Shop?

Prefixes withdrawn by this origin AS in the past 7 days = AS40989 (RBN)

- 81.95.144.0/22 = Withdrawn
- 81.95.148.0/22 = Withdrawn
- 81.95.154.0/24 = Withdrawn
- 81.95.155.0/24 = Withdrawn

However, as shown here and elsewhere, the recent RBN-based PDF exploit utilized 81.95.146.130 and 81.95.147.107; further, many of the RBN “fake” anti-spyware and anti-malware websites use 81.95.145.186 as one of their many Internet “name servers”. Therefore one can only conclude:

- 81.95.145.0/22 = Still active
- 81.95.146.0/22 = Still active
- 81.95.147.0/22 = Still active

Full story.
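The reasoning in the quoted update is a containment check: which of the hosts seen in the wild fall inside which withdrawn prefixes. The following is an added example, not code from this blog or from the quoted report, that performs that check with Python's standard `ipaddress` module over the prefixes and hosts listed above, runs the same check over a few constructed proxy log lines (not from the page), and also shows how CIDR strings written with host bits set, such as the "81.95.145.0/22" form used in the quoted list, normalize to their aligned block.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Prefixes the quoted report lists as withdrawn by AS40989 (RBN).
WITHDRAWN_PREFIXES = [
    "81.95.144.0/22",
    "81.95.148.0/22",
    "81.95.154.0/24",
    "81.95.155.0/24",
]

# Hosts the quoted report says were still in use (exploit hosts, name server).
OBSERVED_HOSTS = ["81.95.146.130", "81.95.147.107", "81.95.145.186"]

# The three "still active" entries exactly as the quoted report writes them.
REPORTED_ACTIVE = ["81.95.145.0/22", "81.95.146.0/22", "81.95.147.0/22"]


def parse_prefixes(prefixes: List[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings. strict=False maps a prefix written with host bits
    set (e.g. 81.95.145.0/22) onto the aligned block that actually contains it."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def normalize_prefixes(prefixes: List[str]) -> List[str]:
    """Return the distinct aligned blocks that the given CIDR strings denote."""
    seen: List[str] = []
    for net in parse_prefixes(prefixes):
        text = str(net)
        if text not in seen:
            seen.append(text)
    return seen


def covering_prefix(ip: str, prefixes: List[str]) -> Optional[str]:
    """Return the most specific listed prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in parse_prefixes(prefixes) if addr in net]
    if not matches:
        return None
    return str(max(matches, key=lambda n: n.prefixlen))


def classify_hosts(hosts: List[str], prefixes: List[str]) -> Dict[str, Optional[str]]:
    """Map each host to the withdrawn prefix that covers it (None if uncovered)."""
    return {host: covering_prefix(host, prefixes) for host in hosts}


# Constructed sample log lines (not from the page): an outbound proxy/firewall log.
SAMPLE_LOG = """\
2007-11-08T19:02:11Z src=10.1.2.3 dst=81.95.146.130 dport=80 action=allow
2007-11-08T19:02:13Z src=10.1.2.3 dst=208.67.222.222 dport=53 action=allow
2007-11-08T19:03:40Z src=10.1.4.9 dst=81.95.145.186 dport=53 action=allow
2007-11-08T19:04:02Z src=10.1.4.9 dst=81.95.160.7 dport=80 action=allow
"""

_DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def flag_log_lines(log_text: str, prefixes: List[str]) -> List[Tuple[str, str]]:
    """Return (line, prefix) for every line whose dst address lies in a listed prefix."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = _DST_RE.search(line)
        if not m:
            continue
        prefix = covering_prefix(m.group(1), prefixes)
        if prefix:
            hits.append((line, prefix))
    return hits


if __name__ == "__main__":
    print("reported 'still active' entries normalize to:", normalize_prefixes(REPORTED_ACTIVE))
    for host, prefix in classify_hosts(OBSERVED_HOSTS, WITHDRAWN_PREFIXES).items():
        print(host, "->", prefix)
    for line, prefix in flag_log_lines(SAMPLE_LOG, WITHDRAWN_PREFIXES):
        print(prefix, "|", line)
```

All three cited hosts sit inside 81.95.144.0/22, and the three "/22" entries in the quoted list are one and the same aligned block. A prefix being withdrawn by one origin AS does not by itself prove its addresses are unreachable: a more specific announcement or a different origin can still carry traffic for them, which is why the cited hosts could remain in use. Before acting on a withdrawal, compare the list against a current route view rather than a stale snapshot, and keep the hosts on the watch list until they have been unreachable for a sustained period.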
