RBN Gang Moves, Sets Up Shop in China

The notorious Russian gang has shut down its St. Petersburg IP addresses, moving to China and elsewhere to evade network IP blocks.

The notorious Russian Business Network has suddenly picked up from its St. Petersburg digs and diversified, spreading its unwholesome activity to new chunks of IP addresses, with RBN-like activity almost immediately appearing on newly registered blocks of Chinese and Taiwanese IP addresses, according to security company Trend Micro.The Internet presence for the RBN—a Russian ISP that's infamous for hosting shady and criminal businesses—blinked off at about 7 p.m. PST on Nov. 6, security researchers at Trend Micro reportedthe following day.

The RBN's IP addresses can no longer be reached, since the routing for them no longer exists as of Nov. 8. In a posting, Trend Micro's Feike Hacquebord conjectured that the RBN's upstream providers may have yanked Internet connectivity services temporarily or even permanently.

For a few moments, Trend Micro researchers imagined the Internet had become, even fleetingly, a tad safer. That hope didn't last long, however.

Paul Ferguson, a network architect for the company, told eWEEK that Trend Micro has noticed RBN-like activity on blocks of IP addresses that were registered in China and other locations shortly before the RBN closed down the routes to its St. Petersburg addresses.

Although it's hard to put a finger on who's behind the activity, it's "strikingly similar" to what the RBN was doing, Ferguson said, including malware proxying for drive-by downloads. Calling cards for the RBN, for example, have included the MPack and Icepack exploits: malware hosted at third-party locations that serve up sophisticated binary Trojan downloaders. These downloaders are top-notch professional badware that determine what operating system their prey is running, on what browser, as well as what vulnerabilities are available for exploit. They have long been associated with the RBN, and now Trend Micro is detecting their use at the new Chinese IP digs.

Trend Micro was tipped off by a path that seems to lead back to the RBN and that has been laid in various sites that have had their HTML compromised. The path leads to domains with the recently registered Chinese IP addresses. Some of those domain registries have overlapping IP addresses on the back end, with the same name servers and similar functionality, all bearing the fingerprints of the RBN, Ferguson said.


Most malware is made in China. Click here to read more.

Trend Micro believes that increasing publicity about the criminal gang is the rationale behind the move—to "fly a little lower under the radar, just to be a little sneakier," Ferguson said.

Not that Russian authorities have been particularly energetic about shutting the RBN down, publicity or no. The RBN is a highly segmented, loosely affiliated criminal organization that specializes in virtually every aspect of online crime, with specialized work being handed out piecemeal to guns for hire, whether it's money laundering, money mule activity, child porn site hosting, search engine optimization for raising page rankings, bulletproof hosting, credit card information theft or raiding of bank accounts. Ferguson has tracked RBN foot soldiers worldwide, to locations such as the West Coast of the United States and to southern India.

So if it's not Russian police banging on the door, who's blackholing the RBN? Likely not upstream ISPs, Ferguson said. Rather, they've been part of the problem instead of the solution.

"They have a tendency to say, 'We're a common carrier; we don't get into blocking people's traffic,'" Ferguson said. U.S. ISPs have, in fact, blocked traffic for their own reasons, calling it bandwidth management instead of blocking, but the RBN hasn't surfaced as a bandwidth concern they care to manage.


"They've been part of the problem," Ferguson said.

But if publicity has failed to move ISPs or law enforcement to act, it has brought the RBN and its tainted IP addresses to the attention of enterprises. Trend Micro is one of multiple companies that maintain a reputation database for Web pages to stop spam in the cloud before it hits the network, as it were. Enterprises that subscribe to such lists block IP addresses to stop the RBN and its affiliates at the source.

Thus, a fresh range of IP addresses means fresh opportunities to evade roadblocks and to infiltrate organizations.

This is the first time the RBN has shifted IP addresses, but it wasn't sudden, it wasn't done in haste and it almost certainly was done on purpose. In the past year, researchers have tracked the RBN as the gang has staged back-end operations to gauge the effect of such a move.

Page 2: RBN Gang Moves, Sets Up Shop in China

The RBN conducted one such trial run in the past year, registering a large chunk of German IP addresses while leaving its St. Petersburg addresses up and reachable. Investigations have determined that the German addresses went to a domain registrar in Russia, where bogus contact information had been set up.

The move, in other words, was staged in a controlled environment, similar to any professional software development endeavor, and tested to gauge the effectiveness of operations running on backup IP addresses, were the RBN to remove reachability for its primary addresses.

It's an effective diversification strategy, Ferguson said. "[With] their back-end mechanics, they had all their eggs in one basket. As more publicity [was generated], it lowers the threshold of financial gain and overhead if people can say 'Ah, I can link the RBN to this block of addresses.' They must have said, 'We're too easily identifiable now. We need to go to another set of IP addresses. We have to diversify.'"

The move is similar to the evolution in botnet technology and deployment, Ferguson said. Whereas researchers once saw huge, noisy botnets that were easy to whack, they now track much smaller, more nimble and more numerous botnets that are much harder to squash.

That's no coincidence.

The RBN is still pulling the strings behind the largest botnet out there, the Storm worm botnet, Ferguson said. The gang uses Storm for communications and for command and control of other activities.

The RBN is getting more sophisticated, more diversified and more dispersed, but this is nothing. Trend Micro Senior Threat Researcher Jamz Yaneza said he believes this is the quiet before the storm. "We've seen how the Storm worm has changed over time, how the RBN has been checking networks and experimenting, changing topology and this and that. [Storm's herders have] also messed around with researchers and security vendors with retaliation, with the RBN monitoring those who are monitoring them."

In fact, the RBN's customers—all those child porn site holders and money launderers, et al.—most certainly have been giving their ISP heat over the unwanted publicity and its interference with their activities, he said. And like any nimble business, the RBN has been forced to be flexible and adapt, to keep its customers happy.

"In fear of losing their customers, they've diversified their connection and gone deeper underground," Ferguson said. "They've changed houses, but they haven't sold the lot. But it's like you go on vacation and come back. It doesn't mean business is over."

Besides, now that the gang has set up shop in China, a whole new land of opportunity awaits, Yaneza said. The level of computer education is high, laws are lax, pirated and unpatched software is rife, and low-hanging fruit is in season.

"It's easier to stage and hide a huge botnet in that field," he said.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.