Profile of the Russian Business Network

The Washington Post has an article detailing what is known of the workings of the Russian Business Network, a shadowy entity based in St. Petersburg that hosts a good fraction of the world's spammers, identity thieves, bot herders, and phishers. RBN is not incorporated anywhere and may not technically even be violating Russian law. It provides "bulletproof hosting" for about $600 a month to a wide range of bad guys.The author of the Post story, Brian Krebs, supplements it with two blog posts. One provides more detail and back story including a look at one ISP's security admin who decided last summer to ban all RBN traffic from his network, with outstanding results. The other post maps some of the RBN's upstream suppliers and details the extent of the RBN's involvement in recent cyber-attacks: "Nearly every major advancement in computer viruses or worms over the past two years has emanated from or sent stolen consumer data back to servers" in the RBN.

Re:Just block Russia

[AuMatar]

Except most spam comes from the US via zombies. Should we block them too?

Re:This article is useless without IP addresses

[arivanov]

Much easier - Autonomous system 40989.

Networks - 81.95.144.0/22, 81.95.148.0/22, 81.95.154.0/24, 81.95.155.0/24.

First upstream ISP - 41173 which is a provider in the Seichelles (so they either run a VPN tunnel to there or have a SAT link). So the article may be actually full of shit. I somehow suspect that they are not hopping back to Russia and the servers are outside Russian jurisdiction in the first place.

Primary upstream transit ISP is 3257 which is Tiscali. Now this does not surprise me in the slightest. No further comment.

Other transit ISPs are : 25577 - C4L (???), 8928 Interoute (again, this one is no surprise).

1. It does not look like Russian hosting to me. The Russians are laughing their arse off at the inept article (and other similar musings). The servers may actually be in Europe (or on an the Seyshelles where you can do diddly squat about them).

2. The hosting is truly bulletproof. Applause. They have most likely bought wholesale all relevant officials in a small nation telecoms operator. So all requests regarding their business activities will go straight to /dev/null. Add to that the fact that their upstream providers are not known to be particularly caring about fraud, spam and the like and the picture is complete.

Re: AS#s: 40989, 41173, 28866 and 25577

[anticypher]

A little late to the thread to get modded up, but I didn't have time this morning to post my own BGP filtering route-maps to keep these malware ISPs out of my tables. AS41173 seems to be the only upstream ISP to 40989. These companies seem to be the same mysterious people, hoping to hide their identities and locations. The internet isn't that easily fooled, though.

If you look at the RIPE and whois records for all the parties involved, this is an ISP that popped up in June of last year, apparently dedicated to hosting malware sites. Look closely at addresses and dates. Fictitious Panamanian and UK addresses with an American phone number, claims of being in the Seychelles (English spelling), again with other American phone numbers.

Some nmap fingerprinting of their routing equipment shows this operation tends towards low budget. I've seen ISPs that were nothing more than a couple of university students who obtained an AS#, a prefix, found a BGP feed, and filled a rented a rack in a colo with some servers and a linux box running quagga. Seen from a looking glass, no difference from the big players. A good looking website regularly updated, proper whois and RIPE records, and it's very difficult for a potential client to know the ISP may go down during exams week.

This operation seems not much more than what a couple of kids with a little knowledge could put together. The prefixes fill various spamhaus and RBL lists. Doubtful that there are any legitimate clients on those networks. This operation is the malware gangs getting a little more hi-tech, running their own ISP by buying IP transit from companies known for never turning down business. They use C4L/NetSumo, a known no-questions-asked ISP who resell an MPLS service between London and Eastern Europe, probably Interoute's.

As for location, looking at various internal looking glasses, the prefixes seem to be hitting the internet in London then through a leased line with 70 mSec of delay, and in Prague with a sudden 20 mSec of delay. This certainly is not going through the Seychelles. My best guess would be a data centre in Russia, where bribes to local authorities gives them a certain level of immunity to lawful pursuits.

Any reasonable ISP hoping to protect their clients from this criminal malware gang would just filter those four AS#s from their main routing tables, and save themselves a world of hurt. Better yet would be to actively blackhole those prefixes. Sure, it might fly in the face of one perfect internet, but since there is no legal remedy, internet providers need to protect themselves. Good ISPs and hosting services already filter all kinds of bogus routing information, adding a known spam and malware operation to the list is just good practice.

the AC