Russian hacker gang goes dark to relocate; may be moving to China

Russian hacker gang goes dark to relocate; may be moving to China
Russian hacker gang goes dark to relocate; may be moving to China 

By Gregg Keizer
November 07, 2007 

The Russian Business Network (RBN), a notorious hacker and malware 
hosting organization that operates out of St. Petersburg, Russia, has 
gone off the air, security researchers said today.

According to a pair of Trend Micro Inc. researchers, RBN went dark 
around 10 p.m. EST Tuesday. "The routing information for their IP 
addresses has been withdrawn," said Paul Ferguson, a network architect 
at Trend Micro. "That's significant because while RBN has had 
connectivity issues in the past, then the routing [to its IP addresses] 
was still being advertised. This time, they've been voluntarily 

"This is not the result of someone, such as their ISP, blackholing their 
traffic," Ferguson continued. "This was done voluntarily." Another 
report, however, on The Washington Post's Web site, claimed that while 
RBN has severed links to the Internet, its upstream connectivity 
providers had begun to refuse to route RBN traffic as early as 

By relinquishing control of the IP blocks it had been allocated, RBN 
essentially cut ties to the Internet and made it impossible for its 
domains -- which number in the thousands -- to access the Web or for 
users to reach those domains. "Where once there might have been 22 
feasible paths for data to take to their IP blocks, now there are none," 
Ferguson said.

He speculated that RBN is simply shifting to new digs, diversifying its 
considerable back-end infrastructure, trying to lay low or all of the 
above. "No one knows why they've done this, but I think they're down, 
not out," he said.

Jamz Yaneza, a Trend Micro research project manager, agreed. "We're 
seeing signs of RBN-like activity elsewhere, in Turkey, Taiwan and 
China. RBN may be moving to places even more inaccessible to the law 
[than Russia]. Everyone knows they were in St. Petersburg, but now 
they're changing houses, changing addresses."

The Spamhaus Project antispam group has posted information that 
indicates RBN may have already laid claim to IP blocks located in China, 
Shanghai in particular.

RBN has been fingered as the source of a multitude of attacks, including 
last month's rigged-PDF blitz that used a vulnerability in Windows to 
drop malware on unsuspecting users who opened specially-crafted 
PDF-formatted documents. In September, security researchers blamed the 
gang for infecting customers of the Bank of India with a wide variety of 
malicious code when they visited the bank's hacked site.

But while RBN may be diversifying its assets -- "piecemealing," Ferguson 
called it -- it's unlikely to be gone long. "I can't believe they'd walk 
away from the money. Thinking that they're shutting shop is just naive."

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - 

Site design & layout copyright © 1986-2014 CodeGods