Russian Business Network study - bizeul.org
Version 1.0.1
RBN study – before and after
David Bizeul
10. Affiliates presentation through networks
This part of the study offers a brief introduction to each RBN affiliate wherever possible.
Too Coin Software
This name has not been presented yet. It is the global name used to register the whole IP netblock owned by RBN.
Too Coin Software has registered the netblock 81.95.144.0/20. This means that IP addresses from 81.95.144.1 to 81.95.159.255 belong to TCS.
We can already say that RBN and SBTel are part of TCS because their IP netblocks are included in the TCS netblock.
SpamHaus has released an SBL for TCS [28].
It may seem odd that RBN and SBTel are part of another subsidiary, but TCS/RBN has actually succeeded in becoming a LIR (Local Internet Registry) and is now able to sub-divide its own netblock. Because of this, TCS/RBN has acquired the privilege to manage a PA (Provider Aggregatable) address space and to delegate part of this space to whomever it wants (for instance SBTel or Akimon).
SBT
SBT is the ISP of all RBN affiliates.
SBT owns the netblock 81.95.156.0/22 and is connected to all RBN ISPs in order to relay them to the rest of the Internet.
SpamHaus has a case on SBT [29].
RBN
RBN is nothing and RBN is everything. RBN is the name of the whole cybercrime scheme described in this study. RBN is also the name of the small network zone to which many malicious ISPs are attached.
RBN owns the netblocks 81.95.144.0/22, 81.95.148.0/22, 81.95.154.0/24 and 81.95.155.0/24.
RBN offers bullet-proof hosting services. It is used for phishing, malware distribution, child pornography and many other malicious activities. Bullet-proof hosting guarantees that a server won't be shut down even when there is a complaint against it. RBN has an abuse team (used to give a respectable image), and this abuse team will ask you to provide a Russian judicial indictment before it processes a complaint. Of course, this indictment is very difficult to obtain. Isn't it a paradise for fraudsters?
Even the RBN homepage (when it was available) was used to spread malware [30] through an ActiveX object.
SpamHaus offers further information on RBN [31].
AkiMon
Akimon is a direct subsidiary of RBN because it is only a part of RBN's IP address range that has been delegated to Akimon.
Akimon owns the netblock 81.95.152.0/22 and lays out a network topology that contains Micronnet and Deltasys.
Akimon is mostly used for hosting malware.
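
The netblock relationships listed in this section can be cross-checked mechanically. The following is an added example, not part of the original study: it uses only the netblocks quoted above, and the function names (`outside_parent`, `overlaps`, `unlisted_space`, `owners`) are illustrative assumptions.

```python
import ipaddress

# Netblocks exactly as listed in this section of the study.
PARENT = ("Too Coin Software", ipaddress.ip_network("81.95.144.0/20"))
DELEGATIONS = {
    "SBT": ["81.95.156.0/22"],
    "RBN": ["81.95.144.0/22", "81.95.148.0/22",
            "81.95.154.0/24", "81.95.155.0/24"],
    "Akimon": ["81.95.152.0/22"],
}
BLOCKS = [(name, ipaddress.ip_network(cidr))
          for name, cidrs in DELEGATIONS.items() for cidr in cidrs]

def outside_parent():
    """Listed blocks that are NOT contained in the TCS /20."""
    return [(n, str(b)) for n, b in BLOCKS if not b.subnet_of(PARENT[1])]

def overlaps():
    """Pairs of blocks listed under different names that share addresses."""
    found = []
    for i, (n1, b1) in enumerate(BLOCKS):
        for n2, b2 in BLOCKS[i + 1:]:
            if n1 != n2 and b1.overlaps(b2):
                found.append((n1, str(b1), n2, str(b2)))
    return found

def unlisted_space():
    """Parts of the TCS /20 that none of the listed blocks covers."""
    remaining = [PARENT[1]]
    for _, block in BLOCKS:
        nxt = []
        for net in remaining:
            if block.subnet_of(net):        # carve the block out of net
                nxt.extend(net.address_exclude(block))
            elif not net.subnet_of(block):  # disjoint: keep net untouched
                nxt.append(net)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

def owners(ip):
    """Names whose listed block contains ip, most specific prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = [(b.prefixlen, n) for n, b in BLOCKS + [PARENT] if addr in b]
    return [n for _, n in sorted(hits, reverse=True)]

if __name__ == "__main__":
    print("outside TCS /20:", outside_parent())
    print("overlapping listings:", overlaps())
    print("unlisted space:", unlisted_space())
    print("81.95.154.10 ->", owners("81.95.154.10"))
```

With the figures quoted above, every listed block sits inside the TCS /20 and together they cover it completely, while the two RBN /24s fall inside the /22 listed for Akimon. `owners()` can be used to label addresses from these ranges when they appear in proxy or firewall logs.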
27 http://www.retn.net/en/network/plan/
28 http://www.spamhaus.org/sbl/sbl.lassoquery=SBL43489
29 http://www.spamhaus.org/sbl/sbl.lassoquery=SBL55398
30 http://web.archive.org/web/20060829111633/http://www.rbnnetwork.com/
31 http://www.spamhaus.org/rokso/listing.lasso-op=cn&spammer=Russian%20Business%20Network