By Gregg Keizer
November 07, 2007
The Russian Business Network (RBN), a notorious hacker and malware
hosting organization that operates out of St. Petersburg, Russia, has
gone off the air, security researchers said today.
According to a pair of Trend Micro Inc. researchers, RBN went dark
around 10 p.m. EST Tuesday. "The routing information for their IP
addresses has been withdrawn," said Paul Ferguson, a network architect
at Trend Micro. "That's significant because while RBN has had
connectivity issues in the past, then the routing [to its IP addresses]
was still being advertised. This time, they've been voluntarily
"This is not the result of someone, such as their ISP, blackholing their
traffic," Ferguson continued. "This was done voluntarily." Another
report, however, on The Washington Post's Web site, claimed that while
RBN has severed links to the Internet, its upstream connectivity
providers had begun to refuse to route RBN traffic as early as
By relinquishing control of the IP blocks it had been allocated, RBN
essentially cut ties to the Internet and made it impossible for its
domains -- which number in the thousands -- to access the Web or for
users to reach those domains. "Where once there might have been 22
feasible paths for data to take to their IP blocks, now there are none,"
He speculated that RBN is simply shifting to new digs, diversifying its
considerable back-end infrastructure, trying to lay low or all of the
above. "No one knows why they've done this, but I think they're down,
not out," he said.
Jamz Yaneza, a Trend Micro research project manager, agreed. "We're
seeing signs of RBN-like activity elsewhere, in Turkey, Taiwan and
China. RBN may be moving to places even more inaccessible to the law
[than Russia]. Everyone knows they were in St. Petersburg, but now
they're changing houses, changing addresses."
The Spamhaus Project antispam group has posted information that
indicates RBN may have already laid claim to IP blocks located in China,
Shanghai in particular.
RBN has been fingered as the source of a multitude of attacks, including
last month's rigged-PDF blitz that used a vulnerability in Windows to
drop malware on unsuspecting users who opened specially-crafted
PDF-formatted documents. In September, security researchers blamed the
gang for infecting customers of the Bank of India with a wide variety of
malicious code when they visited the bank's hacked site.
But while RBN may be diversifying its assets -- "piecemealing," Ferguson
called it -- it's unlikely to be gone long. "I can't believe they'd walk
away from the money. Thinking that they're shutting shop is just naive."