Russian Business Network study - bizeul.org
Version 1.0.1<br />
RBN study – before and after<br />
David Bizeul<br />
RBN activities / Web focus<br />
1. Malware diffusion<br />
Over the last few years, RBN has been closely tied to the hottest malware issues. Most of the time, everyone seems to<br />
discover once again that this organisation is a malicious shelter.<br />
Let’s start the time machine and flash back through the important security incidents.<br />
2005 : CoolWebSearch<br />
CoolWebSearch is a browser hijacker, and those who have tried to remove it will remember it clearly, as it is a real pain.<br />
The following addresses were used to distribute CWS (CoolWebSearch) [4]:<br />
NEVACON : 194.146.206.9-194.146.206.9#qagwetobzb.com/CWS<br />
NEVACON : 194.146.206.12-194.146.206.12#qbwblcjkbg.com/CWS<br />
NEVACON : 194.146.206.18-194.146.206.18#qdobtjdizw.com/CWS<br />
NEVACON : 194.146.207.12-194.146.207.12#xibrid16.com/CWS<br />
RBN : 81.95.144.0-81.95.147.255#Russian Business Network (CoolWebSearch)<br />
RBN: 81.95.145.173-81.95.145.173#zgeghrlgro.biz|dollarrevenue<br />
RBN: 81.95.146.154-81.95.146.154#CWS<br />
RBN: 81.95.146.170-81.95.146.170#CWS<br />
RBN: 81.95.147.107-81.95.147.107#rpcc.exe|hijack|BT<br />
LUGLINK : 85.249.16.0-85.249.31.255#Joy Hosting NOC Nn-valuedot-net (CoolWebSearch)<br />
LUGLINK : 85.249.17.185-85.249.17.185#CWS<br />
LUGLINK : 85.249.19.122-85.249.19.122#extreme.biz|hijacks|BT<br />
LUGLINK : 85.249.23.82-85.249.23.82#VXGAMET1|magik888.ru<br />
LUGLINK : 85.249.23.98-85.249.23.98#Hijack|BT<br />
LUGLINK : 85.249.23.248-85.249.23.248#unme.exe|BT|Hijacks<br />
DATAPOINT : 85.249.128.0-85.249.143.255#DataPoint (CoolWebSearch)<br />
September 19th 2006 : Vector Markup Language vulnerability<br />
Computer Associates wrote a note on an Ursnif trojan installed via a VML exploit hosted on an RBN computer [5]. This<br />
note was written only 3 days after Microsoft released its advisory. Such a short delay suggests that the malware hosted on<br />
RBN is kept up to date.<br />
The VML vulnerability was actively exploited in the wild. Richard Bejtlich also wrote a blog entry [6] whose Squid proxy log<br />
shows two RBN computers, 81.95.146.166 and 81.95.146.133, used for exploit diffusion (one access.log entry per line):<br />
GET http://back88008800.com/dating.html - DIRECT/81.95.146.166 -<br />
1170223062.070 355 192.168.2.5 TCP_MISS/200 1946 GET http://back88008800.com/script.js - DIRECT/81.95.146.166 application/x-javascript<br />
1170223062.329 123 192.168.2.5 TCP_MISS/302 438 GET http://www.worlddatinghere.com/ - DIRECT/63.218.226.67 text/html<br />
1170223062.463 392 192.168.2.5 TCP_MISS/302 696 GET http://81.95.146.133/sutra/in.cgi - DIRECT/81.95.146.133 text/html<br />
1170223062.802 339 192.168.2.5 TCP_MISS/200 4084 GET http://81.95.146.133/sp/sp2/index.php - DIRECT/81.95.146.133 text/html<br />
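The CWS blocklist entries above and the Squid log excerpt are raw data. The Python below is an added example, not code from the study, from Bluetack or from Bejtlich: it parses the `NAME : first-last#comment` blocklist format used by the Blockpost lists cited in [4], parses Squid native access.log lines, and flags every request whose upstream peer (`DIRECT/<ip>`) falls inside a listed range. The blocklist sample is copied from the entries printed above; the log lines are constructed after the four complete entries of the excerpt; the `BLOCK_RE`, `lookup` and `flag_hits` names are this example's own.<br />

```python
"""Match Squid proxy traffic against a Bluetack-style IP blocklist.

Added example (not code from the original study): it parses the
`NAME : first-last#comment` blocklist format the report cites and checks
the upstream peer recorded in each Squid native access.log line
(DIRECT/<ip>) against those ranges. Both inputs are constructed here from
the entries printed in the report.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the Blockpost/Bluetack format reproduced on the page.
BLOCKLIST_TEXT = """\
NEVACON : 194.146.206.9-194.146.206.9#qagwetobzb.com/CWS
RBN : 81.95.144.0-81.95.147.255#Russian Business Network (CoolWebSearch)
RBN : 81.95.145.173-81.95.145.173#zgeghrlgro.biz|dollarrevenue
LUGLINK : 85.249.16.0-85.249.31.255#Joy Hosting NOC Nn-valuedot-net (CoolWebSearch)
DATAPOINT : 85.249.128.0-85.249.143.255#DataPoint (CoolWebSearch)
"""

# Constructed Squid native-format lines (timestamp elapsed client code/status
# bytes method URL ident hierarchy/peer type), modelled on the excerpt quoted
# from Bejtlich's blog; 192.168.2.5 is the internal client behind the proxy.
SQUID_LOG = """\
1170223062.070 355 192.168.2.5 TCP_MISS/200 1946 GET http://back88008800.com/script.js - DIRECT/81.95.146.166 application/x-javascript
1170223062.329 123 192.168.2.5 TCP_MISS/302 438 GET http://www.worlddatinghere.com/ - DIRECT/63.218.226.67 text/html
1170223062.463 392 192.168.2.5 TCP_MISS/302 696 GET http://81.95.146.133/sutra/in.cgi - DIRECT/81.95.146.133 text/html
1170223062.802 339 192.168.2.5 TCP_MISS/200 4084 GET http://81.95.146.133/sp/sp2/index.php - DIRECT/81.95.146.133 text/html
"""

BLOCK_RE = re.compile(
    r"^(?P<name>[^:]+?)\s*:\s*(?P<first>[\d.]+)-(?P<last>[\d.]+)#(?P<comment>.*)$")


def parse_blocklist(text):
    """Return (name, first, last, comment) tuples with integer IP bounds.

    Bounds are kept as plain integers because these lists mix single hosts
    with whole netblocks, and a range such as 85.249.128.0-85.249.143.255
    need not be CIDR-aligned."""
    entries = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip rather than abort a long list
        first = int(ipaddress.IPv4Address(m["first"]))
        last = int(ipaddress.IPv4Address(m["last"]))
        if first > last:
            first, last = last, first
        entries.append((m["name"].strip(), first, last, m["comment"]))
    return entries


def is_ipv4(text):
    """True for a dotted-quad literal; '-' and hostnames are rejected."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def lookup(entries, ip):
    """Return (name, comment) for every blocklist range that contains ip."""
    n = int(ipaddress.IPv4Address(ip))
    return [(name, comment) for name, first, last, comment in entries
            if first <= n <= last]


def parse_squid_line(line):
    """Split a Squid native access.log line into its named fields."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a Squid native access.log line: %r" % line)
    hierarchy, _, peer = f[8].partition("/")
    return {"ts": float(f[0]), "client": f[2], "status": f[3], "method": f[5],
            "url": f[6], "hierarchy": hierarchy, "peer": peer, "type": f[9]}


def flag_hits(entries, log_text):
    """Return one record per log line whose upstream peer, or whose URL host
    when written as a bare IP literal, falls inside a blocklisted range.
    Hostnames are deliberately not resolved, so the check runs offline and
    reflects where the object really came from rather than current DNS."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_squid_line(line)
        matched = lookup(entries, rec["peer"]) if is_ipv4(rec["peer"]) else []
        host = urlsplit(rec["url"]).hostname
        if host and host != rec["peer"] and is_ipv4(host):
            matched += lookup(entries, host)
        if matched:
            hits.append({"ts": rec["ts"], "url": rec["url"], "peer": rec["peer"],
                         "status": rec["status"], "matches": matched})
    return hits


if __name__ == "__main__":
    ranges = parse_blocklist(BLOCKLIST_TEXT)
    for hit in flag_hits(ranges, SQUID_LOG):
        names = ", ".join(name for name, _ in hit["matches"])
        print("%s %s via %s -> %s" % (hit["status"], hit["url"], hit["peer"], names))
```

Two caveats apply when using such a list operationally: the RBN entry covers a whole /22, so a hit only says the peer sits in that allocation, not that the particular URL is malicious; and `DIRECT/<ip>` is only present when the proxy fetched the object itself, so traffic that went through a parent cache must be checked on the parent's side.<br />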
[4] http://www.pianetapc.it/file/Blockpost/blockpost.txt<br />
http://www.bluetack.co.uk/config/blockpost/BPV3_malware_blocklist.txt<br />
[5] http://ca.com/it/blogs/posting.aspxid=90744&pid=93273&date=2006/9<br />
[6] http://taosecurity.blogspot.com/2007_01_01_archive.html<br />