RBN possibly relocating to Asia

November 11, 2007

In a follow-up to the recent article "The baddest of the bad" on the Internet, the Russian Business Network (RBN) may be in the process of relocating its business to Asia. According to a pair of Trend Micro Inc. researchers, RBN went dark on November 6th around 10 PM EST. Paul Ferguson, a network architect at Trend Micro, states that the routing information for RBN's IP addresses has been withdrawn. RBN has had connectivity issues in the past, but on those occasions the routes to its IP addresses were still being advertised; this time it appears that RBN has voluntarily withdrawn them.[1]

Additionally, iDefense has tracked RBN's migration earlier in the week from servers based in Russia to ones running in China. iDefense claims that on November 6th, RBN relocated to China and Taiwan after obtaining at least seven net blocks of Chinese IP addresses, and that as of November 7th, RBN controlled 5,120 IP addresses assigned to Chinese service providers. Known RBN clients were even seen using those addresses that same day.[2]

Although Trend Micro says it cannot be 100 percent certain, the company believes that the gang has shifted operations to Asia.[3] Its researchers have also noticed RBN-like activity on blocks of IP addresses that were registered in China and other locations shortly before the RBN closed down the routes to its St. Petersburg addresses. Although it is hard to pin down who is behind the activity, it is "strikingly similar" to what the RBN was doing, including malware proxying for drive-by downloads. For example, calling cards of the RBN have included the MPack and Icepack exploits: malware hosted at third-party locations that serves up sophisticated binary Trojan downloaders. These downloaders are top-notch professional badware that determine which operating system and browser the victim is running, and which vulnerabilities are available to exploit. They have long been associated with the RBN, and now Trend Micro is detecting their use at the new Chinese IP addresses.[4]

Another report, however, on The Washington Post's Web site, claimed that while RBN has severed its links to the Internet, its upstream connectivity providers had begun to refuse to route RBN traffic as early as mid-October.[1] In fact, the disappearance of RBN comes less than a month after Brian Krebs of The Washington Post wrote a series of stories in mid-October detailing the organization and history of the shadowy ISP. Since then there has been a small flood of news articles discussing the RBN network posted on various web sites. This unwanted attention may have given RBN the desire to relocate elsewhere.[5]

As Ferguson explains: "As more publicity [was generated], it lowers the threshold of financial gain and overhead if people can say 'Ah, I can link the RBN to this block of addresses.' They must have said, 'We're too easily identifiable now. We need to go to another set of IP addresses. We have to diversify.'" The move is similar to the evolution in botnet technology and deployment. Whereas researchers once saw huge, noisy botnets that were easy to whack, they now track much smaller, more nimble and more numerous botnets that are much harder to squash. That's no coincidence. The RBN is still pulling the strings behind the largest botnet out there, the Storm worm botnet. The gang uses Storm for communications and for command and control of other activities. The RBN is getting more sophisticated, more diversified and more dispersed, but this may be nothing compared to what is coming. Trend Micro Senior Threat Researcher Jamz Yaneza said he believes this is the quiet before the storm. "We've seen how the Storm worm has changed over time, how the RBN has been checking networks and experimenting, changing topology and this and that. [Storm's herders have] also messed around with researchers and security vendors with retaliation, with the RBN monitoring those who are monitoring them."[4]

But while RBN may be diversifying its assets ("piecemealing," as Ferguson called it), he believes that it is unlikely that they will be gone for long. "I can't believe they'd walk away from the money. Thinking that they're shutting shop is just naive."[1]

1. "Russian Hackers Go Dark to Relocate", PC World, November 8, 2007

2. "Update: Russian hacker gang vanishes day after moving to China", Computerworld, November 10, 2007

3. "Infamous Russian malware gang vanishes", CNET, November 9, 2007

4. "RBN Gang Moves, Sets Up Shop in China", eWeek, November 8, 2007

5. "Russian Business Network: Down, But Not Out", The Washington Post, November 7, 2007