Russian Business Network study - bizeul.org
Version 1.0.1
RBN study – before and after
David Bizeul
RBN customers / Real stats
Before RBN became unavailable, it was possible to browse some of the affiliates' networks, and thus to build some charts with statistics on RBN activities. The abuse team manager (Tim Jaret) declared [34] that RBN activities were not all bad. This part will show he was lying.
1. Running services on entities
This part of the study tries to identify interesting assets used on RBN affiliates and to match which services were in use on those assets. Only a few services have been analyzed in this paragraph:
• http: http is the best-known protocol. http is used in malicious activities for accessing phishing content, downloading malware and exploiting browser vulnerabilities. This protocol has a real advantage for the attacker, as it is an open door through many (if not all) firewalls.
• smtp: smtp can be used to spread spam.
• irc: irc can be used to control a botnet (even if this technique tends to disappear in favour of http C&C). Each infected computer connects to an irc server and listens for orders given by the bot herder. This is a totally stealthy operation for the computer's user, who cannot imagine that his computer is controlled by a server 10 000 km away.
The following grids offer a complete view of the services used on RBN affiliates (columns: Affiliate / IRC servers / SMTP servers / HTTP servers):

RBN / Akimon
  IRC servers:  None on ports 6660-6669
  SMTP servers: 81.95.144.1 (gw1.rbnnetwork.com)
                81.95.144.7 (ip-144-7.rbnnetwork.com)
                81.95.144.19 (ip-144-19.rbnnetwork.com)
                81.95.144.34 (ip-144-34.rbnnetwork.com)
                81.95.144.41 (ip-144-41.rbnnetwork.com)
                81.95.144.49 (ip-144-49.rbnnetwork.com)
                81.95.154.17
                81.95.154.34
                81.95.154.35
                81.95.154.36
                81.95.154.37
                81.95.154.38
                81.95.154.39
                81.95.154.40
                81.95.154.41
                81.95.154.42
  HTTP servers: 270 servers

Nevacon
  IRC servers:  None on ports 6660-6669
  SMTP servers: 194.146.204.8
  HTTP servers: 58 servers

Credolink
  SMTP servers: 80.70.226.25 (226-025.dialup.mns.ru)
                81.94.17.197 (vpnpool-81-94-17-197.users.mns.ru)
                81.84.20.212
                194.146.204.67
                80.70.224.4 (x-files.mns.ru)
                80.70.224.14 (batman.mns.ru)
                80.70.224.25 (babylon5.mns.ru)
  HTTP servers: 10 servers

In brief, very few services except http have been identified on up-and-running assets.
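A defender-side check built from the service list and the grid above, as an added example (this code is not from the study and not the author's): it takes the SMTP hosts the grid attributes to each affiliate and the IRC port range the text cites, and runs constructed firewall log lines through them to flag internal machines that talked to a listed host or to any IRC port, the traffic pattern the irc paragraph describes for an infected computer. The log line format, the 10.x source addresses, the 198.51.100.x destinations, and the use of ports 25 and 80/443 for SMTP and HTTP are assumptions of the example; the grid gives HTTP servers as counts only, so no HTTP hosts are listed.

```python
"""Egress-log check against the RBN service grid (added example, not from the study)."""
import re
from collections import Counter
from ipaddress import ip_address

# SMTP hosts copied from the study's service grid, grouped by affiliate.
# The grid reports HTTP servers only as counts, so none are listed here.
SMTP_HOSTS = {
    "RBN / Akimon": {
        "81.95.144.1", "81.95.144.7", "81.95.144.19", "81.95.144.34",
        "81.95.144.41", "81.95.144.49", "81.95.154.17", "81.95.154.34",
        "81.95.154.35", "81.95.154.36", "81.95.154.37", "81.95.154.38",
        "81.95.154.39", "81.95.154.40", "81.95.154.41", "81.95.154.42",
    },
    "Nevacon": {"194.146.204.8"},
    "Credolink": {
        "80.70.226.25", "81.94.17.197", "81.84.20.212", "194.146.204.67",
        "80.70.224.4", "80.70.224.14", "80.70.224.25",
    },
}
HOST_TO_AFFILIATE = {ip: aff for aff, ips in SMTP_HOSTS.items() for ip in ips}

# IRC port range as cited in the study; 25 and 80/443 are the standard SMTP
# and HTTP ports (an assumption of this example, the study names no ports).
IRC_PORTS = range(6660, 6670)


def service_for_port(port):
    """Map a destination port to one of the services the study discusses."""
    if port in IRC_PORTS:
        return "irc"
    if port == 25:
        return "smtp"
    if port in (80, 443):
        return "http"
    return "other"


# Constructed log format for this example (not a real firewall's format):
#   <timestamp> <ALLOW|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    try:
        ip_address(ev["src"])
        ip_address(ev["dst"])
    except ValueError:
        return None
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def analyse(lines):
    """Return (findings, summary).

    A finding is (src, dst, service, reason). Denied connections are kept too:
    an internal host *trying* to reach a listed server is the useful signal.
    summary counts hits per (affiliate, service), mirroring the grid's columns.
    """
    findings, summary = [], Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        svc = service_for_port(ev["dport"])
        aff = HOST_TO_AFFILIATE.get(ev["dst"])
        if aff:
            summary[(aff, svc)] += 1
            findings.append((ev["src"], ev["dst"], svc, f"known {aff} host"))
        elif svc == "irc":
            findings.append((ev["src"], ev["dst"], svc, "outbound IRC, possible bot C&C"))
    return findings, summary


def suspect_sources(findings):
    """Internal addresses that produced at least one finding, for triage."""
    return sorted({f[0] for f in findings})


# Constructed sample log lines; 198.51.100.0/24 is documentation space.
SAMPLE_LOG = """\
2007-10-30T09:14:02Z ALLOW 10.1.4.23:50211 -> 81.95.144.7:25 TCP
2007-10-30T09:14:09Z ALLOW 10.1.4.23:50212 -> 198.51.100.9:6667 TCP
2007-10-30T09:15:40Z ALLOW 10.1.7.8:50300 -> 198.51.100.44:80 TCP
2007-10-30T09:16:01Z DENY 10.1.4.23:50213 -> 194.146.204.8:25 TCP
2007-10-30T09:16:30Z ALLOW 10.1.9.2:50400 -> 80.70.224.14:80 TCP
garbage line that does not parse
"""

if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print(dict(counts), suspect_sources(found))
```

Matching on exact hosts rather than on /24 prefixes is deliberate: the grid places 194.146.204.8 under Nevacon but 194.146.204.67 under Credolink, so a prefix rule would misattribute hits.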
[34] http://blog.wired.com/27bstroke6/2007/10/controversial-r.html