Russian Business Network

From Wikipedia, the free encyclopedia

The Russian Business Network (commonly abbreviated as RBN) is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale. It is the originator of MPack (software) and the operator of the Storm botnet.[1][2][3] The RBN, which is notorious for its hosting of illegal and dubious businesses, originated as an Internet Service Provider for child pornography, phishing, spam, and malware distribution physically based in St. Petersburg Russia. More recently it has developed partner and affiliate marketing techniques in many countries to provide a method for organized crime to target victims internationally.[4]

Contents

[edit] Activities

The RBN has been described as "the baddest of the bad". It offers web hosting services and internet access to all kinds of criminal and objectionable activities, with individual activities earning up to $150 000 000 in one year[5]. Businesses that take active stands against such attacks are sometimes targeted by denial of service attacks originating in the RBN network.[6] RBN has been known to sell its services to these operations for $600 per month.[4]

The business is difficult to trace. It is not a registered company, and its domains are registered to anonymous addresses. Its owners are known only by nicknames. It does not advertise, and trades only in untraceable electronic transactions.[6]

There is one increasingly known activity of the RBN which is an exploit delivery method by applying fake anti-spyware and anti-malware for the purpose of PC hijacking and personal identity (ID) theft.[7] According to McAfee’s SiteAdvisor, MalwareAlarm is a dangerous fake anti-spyware software and is an updated version of Malware Wiper. They tested 279 “bad” downloads from this one site.[8] The methodology is to entice the user to use a “free download” to test for spyware or malware on their PC, MalwareAlarm then displays a warning message of problems on the PC to persuade the unwary web site visitor to purchase the paid version. Along with MalwareAlarm, numerous other rogue software are linked to and hosted by the RBN.[9]

In the 2007 cyber threat matrix developed by Spy-Ops, RBN was ranked number 4 in the development and sale of cyber attack weapons.

According to Spamhaus RBN is “Among the world's worst spammer, child-pornography, malware, phishing and cybercrime hosting networks. Provides "bulletproof hosting", but is probably involved in the crime too”.[10] RBN was the subject of an article[11] in the Washington Post on October 13, 2007, where Symantec and other security firms claim RBN provides hosting for many illegal activities, including identity theft and phishing. The article quotes a spokesman for Kaspersky Labs that the owners of RBN might not have directly violated the law as they primarily provide hosting services; their customers are apparently the ones violating laws.

[edit] Organization

The RBN also operates under the guise of several other different names or what even could conventionally be regarded as international business or operating divisions. These core operations apparently have no geographical base with a few showing a physical location, however again the validity of these is doubtful.[12][13]

RBN Autonomous System
RBN Autonomous System
  • RBNet,
  • RBNetwork,
  • RBusinessNetwork,
  • iFrame Cash,
  • SBT Telecom Network (Seychelles),
  • Aki Mon Telecom,
  • 4Stat
  • Eexhost
  • Rusouvenirs Ltd.,
  • TcS Network (Panama),
  • Nevcon Ltd. (Panama),
  • Micronnet Ltd. (St. Petersburg Russia),
  • Too coin Software (UK)
  • 76service
  • MalwareAlarm

[edit] Political Connections

It has recently been alleged that the founder and leader of the organization, known as 'Flyman', is related to a "powerful and well-connected" Russian politician.[14] In light of this, it is entirely possible that recent cyber-terrorism activities, such as the May 2007 denial of service attacks in Estonia,[15] may have been co-ordinated by or out-sourced to such an organization. Although this is currently unproven, intelligent estimates suggest this may be the case.[16]

[edit] References

  1. ^ http://rbnexploit.com
  2. ^ SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
  3. ^ Topical Research Reports - Security Intelligence from VeriSign, Inc
  4. ^ a b Brian Krebs (2007-10-13). Shadowy Russian Firm Seen as Conduit for Cybercrime. Washington Post.
  5. ^ Cybergang raises fear of new crime wave
  6. ^ a b A walk on the dark side. The Economist (2007-09-30).
  7. ^ Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: The Russian Business Network
  8. ^ malwarealarm.com | Web Safety Ratings from McAfee SiteAdvisor
  9. ^ Russian Business Network (RBN): RBN – The Top 20, fake anti-spyware and anti-malware Tools
  10. ^ http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Russian%20Business%20Network
  11. ^ Shadowy Russian Firm Seen as Conduit for Cybercrime
  12. ^ http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7465
  13. ^ Russian Business Network (RBN)
  14. ^ Hunt for Russia's web criminals | Technology | The Guardian
  15. ^ Russia accused of unleashing cyberwar to disable Estonia | World news | The Guardian
  16. ^ The hunt for Russia's web crims - Security - Technology - theage.com.au

[edit] External links

  • RBNexploit - The RBN watch-blog that provides detailed information on the RBN [1]
  • Spamhaus – Rokso listing and description of RBN activities [2]
  • StopBadWare - RBN User's Guide [3]
  • Verisign / iDefense - Uncovering Online Fraud Rings: The Russian Business Network [4]
  • Emerging Threats - Blocking Rules and Snort Signatures for RBN Networks [5]
  • RBN Study - bizeul org - PDF [6]
  • Shadowserver - RBN as RBusiness Network AS40898 - Clarifying the guesswork of Criminal Activity - PDF [7]

[edit] News

[edit] Internet comments