Russian Business Network study - bizeul.org
Version 1.0.1
RBN study – before and after
David Bizeul
June 20th 2007: Mpack
Mpack is one of the new threats that developed during 2007. It is a multi-exploit web attack kit: it infects HTML pages and then exploits vulnerabilities in Windows, Internet Explorer, WinZip, QuickTime and other software. Mpack works by injecting an iframe into legitimate HTML pages; these iframes redirect visitors to malicious sites, and, as you can imagine, many of those malicious sites were located on RBN.
Several security observatories have published interesting studies on Mpack, such as the SANS Internet Storm Center [7]. Dancho Danchev also provided an interesting study [8] in which he listed the most implicated hosts:
58.65.239.180 Intercage
64.38.33.13 FASTservers
194.146.207.129 Nevacon
194.146.207.18 Nevacon
194.146.207.23 Nevacon
81.177.8.30 RTCommAS
203.121.71.183 TTNET-MY
81.95.148.42 RBN
81.95.149.114 RBN
A few days later, on the same site, researchers revealed that most of the Mpack exploits were originating from another RBN computer.
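The injection described above (a hidden iframe added to a legitimate page, pointing at a third-party host) leaves a footprint that a site owner can scan for. The following is an added example, not code from the original study: it parses a page's iframes with the Python standard library and flags any frame that is off-site, hidden by size or CSS, or whose host appears in a denylist. The denylist is built from the host table quoted above; the sample page, the site name example-bank.test and the iframe path are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts from the Danchev list quoted on this page, used here as a small
# constructed denylist. A real deployment would pull this from a maintained feed.
KNOWN_BAD_HOSTS = {
    "58.65.239.180", "64.38.33.13", "194.146.207.129", "194.146.207.18",
    "194.146.207.23", "81.177.8.30", "203.121.71.183", "81.95.148.42",
    "81.95.149.114",
}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value):
    """Turn '1', '1px' or '100%' into an int, or None when the attribute is absent."""
    digits = re.sub(r"\D", "", value or "")
    return int(digits) if digits else None


def is_hidden(attrs):
    """Heuristic: 0/1-pixel frames or CSS that hides the frame are typical of injection."""
    style = attrs.get("style", "").replace(" ", "").lower()
    width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
    return tiny or "display:none" in style or "visibility:hidden" in style


def same_site(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def find_suspicious_iframes(html, site_host):
    """Return one finding per iframe that is off-site, hidden, or points at a known bad host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and not same_site(host, site_host):
            reasons.append("off-site src")
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known bad host")
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate frame and one injected, hidden frame
# pointing at an address from the list above (the path is made up).
SAMPLE_HTML = """<html><body>
<h1>Online banking</h1>
<iframe src="https://www.example-bank.test/rates" width="600" height="400"></iframe>
<iframe src="http://81.95.149.114/constructed-path" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "example-bank.test"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run against a saved copy of the home page on a schedule and alert on any new finding; an iframe that is both off-site and hidden is worth investigating even when its host is not yet on any list, which is the case that matters for a kit whose hosting moves.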
August 31st 2007: Bank of India attacked and hosting malware
That is not so usual: a major bank was attacked and its main page hijacked to push malware to its clients. An iframe tag was inserted into bankofindia.com, leading to a malicious website that tried to install 22 pieces of malware on the client computer. Some of the malware was spam oriented and some was identity-theft oriented, such as a modified Pinch version. And Sunbelt revealed that the attack was originating from... RBN [9].
July 21st 2007 – October 10th 2007: case study on Torpig/Sinowal
Having received an interesting document on the Torpig environment, I decided to start a quick investigation into the way it works.
First, I checked some IP addresses and connected to http://194.146.207.18/config, where I got a page with this content:
storage_send_interval="600"
config_file ="$_2341234.TMP"
storage_file ="$_2341233.TMP"
www_domains_list = "pageshowlink.com"
redirector_url ="citibusinessonline.da-us.citibank.com /cbusol/uSignOn.do {www} /usa/citibusiness.php 2 0 3"
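A configuration like the one above is mostly useful to a defender as a list of indicators: which legitimate login URL the trojan watches, which domain the victim is sent to, and how the local files are named. The following is an added example, not part of the original study, that parses the key="value" lines shown above and lists the redirect targets. The sample text reproduces the page's values; the reading of redirector_url as "watched host, watched path, redirect host, redirect path, extra fields" and of {www} as a placeholder for an entry of www_domains_list are assumptions made for this example, and the trailing "2 0 3" fields are kept but not interpreted.

```python
import re

# Constructed sample in the shape of the config quoted on this page (the values
# are the ones shown there).
SAMPLE_CONFIG = '''storage_send_interval="600"
config_file ="$_2341234.TMP"
storage_file ="$_2341233.TMP"
www_domains_list = "pageshowlink.com"
redirector_url ="citibusinessonline.da-us.citibank.com /cbusol/uSignOn.do {www} /usa/citibusiness.php 2 0 3"
'''

# key = "value", with optional whitespace around '=' (as in the page's sample)
LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')


def parse_config(text):
    """Parse the key="value" lines into a dict; lines that do not match are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def redirect_targets(cfg):
    """List which legitimate URL is watched and where the victim is redirected.

    Assumption (not stated on the page): the fields of redirector_url are
    watched host, watched path, redirect host, redirect path, then extra
    fields, and "{www}" in the redirect host stands for an entry of
    www_domains_list, so one target is produced per listed domain.
    """
    fields = cfg.get("redirector_url", "").split()
    if len(fields) < 4:
        return []
    watched_host, watched_path, redirect_host, redirect_path = fields[:4]
    extra = fields[4:]
    domains = [d.strip() for d in cfg.get("www_domains_list", "").split(",") if d.strip()]
    if "{www}" not in redirect_host or not domains:
        domains = [None]
    targets = []
    for domain in domains:
        host = redirect_host.replace("{www}", domain) if domain else redirect_host
        targets.append({
            "watched_host": watched_host,
            "watched_path": watched_path,
            "redirect_host": host,
            "redirect_path": redirect_path,
            "extra": extra,
        })
    return targets


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("local files:", cfg["config_file"], cfg["storage_file"])
    for t in redirect_targets(cfg):
        print(f"{t['watched_host']}{t['watched_path']} -> {t['redirect_host']}{t['redirect_path']}")
```

The watched host and path tell a bank's fraud team which of their pages is being targeted, the redirect host is a domain to block and to watch for in proxy logs, and the two .TMP names are host-based indicators for endpoint searches.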
[7] http://isc.sans.org/diary.html?storyid=3015
[8] http://ddanchev.blogspot.com/2007/06/massive-embedded-web-attack-in-italy.html
[9] http://sunbeltblog.blogspot.com/2007/09/update-on-bank-of-india.html