"The baddest of the bad" on the Internet

October 14, 2007

The Russian Business Network (RBN), an Internet business based in St. Petersburg, has become a world hub for Web sites devoted to child pornography, spamming and identity theft. The company isn't a mainstream Internet service provider such as Comcast or Verizon; rather, it specializes in offering web sites that will remain reachable on the Internet regardless of efforts to shut them down by law enforcement officials - so-called "bulletproof hosting". [1]

The Russian Business Network has structured itself in ways that make prosecution difficult. The illegal activities are all carried out by groups that buy the hosting services from RBN. "That's the main problem, because RBN, in fact, does not violate the law. From a legal point of view, they are clean," says Alexander Gostev, an analyst with Kaspersky Lab. In addition, criminals using the Russian Business Network tend to target non-Russian companies and consumers rather than Russians, who, unlike Americans or Europeans, have easier access to local Russian authorities. [1]

Though there are thousands of Web sites that bear the Russian Business Network name on registration records, the company is unchartered and has no legal identity. In one sense, the Russian Business Network does not exist. It is not registered as a company. It has no official website of its own. Its senior figures are anonymous, known only by their nicknames. It does not advertise for customers. Those who want to buy its services must contact its operators via instant-messaging services or obscure, Russian-language online forums. Potential customers must also prove that they are not law enforcement investigators pretending to be criminals. Most often this proof takes the form of demonstrating active involvement in the theft of consumers' financial and personal data. Payment is done with anonymous electronic cash. [1,2]

According to Symantec, RBN "is literally a shelter for all illegal activities, be it child pornography, online scams, piracy or other illicit operations... It is alleged that this organized cyber crime syndicate has strong links with the Russian criminal underground as well as the government, probably accomplished by bribing officials." In a recent report, Symantec said that the Russian Business Network is responsible for hosting the web sites that carry out a major portion of the world's cybercrime and profiteering. [1]

VeriSign is not any kinder in describing RBN, calling them "one of the most notorious criminal groups on the Internet today" and saying that "nothing good ever comes out of the Russian Business Network net block" [3]. In a report titled Uncovering Online Fraud Rings: The Russian Business Network, VeriSign writes that "the Russian Business Network developed into its current incarnation as 'the baddest of the bad' Internet service provider in June 2006... RBN is entirely illegal. VeriSign iDefense research identified phishing, malicious code, botnet command-and-control, and denial of service attacks on every single server owned and operated by RBN" and that "RBN is a for-hire service catering to large-scale criminal operations". It hosts cybercriminals ranging from spammers to phishers, bot-herders and all manner of other fraudsters and wrongdoers, from the venal to the vicious. [2,4]

It is reported that nearly every major advancement in computer viruses or worms over the past two years has emanated from, or sent stolen consumer data back to, servers at RBN, including such notable pieces of malware as Gozi, Grab, Haxdoor, Metaphisher, Mpack, Ordergun, Pinch, Rustock, Snatch, Torpig, and URsnif. In fact, it is tough to find a serious cyber-crime attack over the past two to three years that did not involve RBN Internet addresses to some degree. Going back as far as 2004 - when RBN was known variously as "TooCoin Software" and "ValueDot" - the network has offered an affiliate program called "iFramecash," wherein Web site administrators are paid a small sum for each visitor they silently refer to RBN's network. The visitor's machine is then peppered with trojans that try to install password-stealing programs. In the past year-and-a-half or so, the main affiliates of that program simply started hacking into legitimate Web sites and placing the redirect code there. [5]

In late 2005, security experts saw evidence that hacker gangs were taking advantage of a previously unknown security flaw in Microsoft's Internet Explorer browser to install keystroke-logging software on computers when users visited one of thousands of legitimate Web sites that had been hacked. In that attack, a large number of the sites set up by criminals to receive the keylogged data or serve up the exploit code resided on RBN's network. [5]

In the Fall of 2006, security experts saw RBN sites implicated in an attack against HostGator, a large Web hosting provider in Florida. The attackers in that case had broken into thousands of Web sites using an undocumented security hole in "Cpanel," the software HostGator and hundreds of other hosting firms rely upon to host their sites. [5]

Around that same time, RBN servers were heavily involved in exploiting yet another undocumented IE security hole to compromise an untold number of Web sites and Windows computers. [5]

One group of phishers, known as the Rock Group, used RBN's network to steal an estimated $150 million from bank accounts last year, according to VeriSign. [1]

In May 2007, Security Fix reported that a large percentage of the sites belonging to IPOWER Inc., one of the Web's biggest inexpensive Web site hosting firms, had been hijacked with code that silently redirected visitors to malicious RBN sites. [5]

Finally, RBN was recently discovered to have been behind the August 2007 Bank of India hack, in which an IFRAME exploit was embedded in the web site's HTML code that silently redirected users to a hacker server, which in turn pushed 22 different pieces of malware onto PCs running unpatched web browsers. The malware included one worm, three rootkits, five trojan downloaders, and several password stealers. "The biggest issue is the sheer volume of malware we've had to analyze," said Alex Eckelberry, CEO of Sunbelt, a provider of security software. [6]
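The common thread in the iFramecash affiliate scheme and the Bank of India compromise described above is a hidden IFRAME injected into a legitimate page so that visitors are silently pulled to an off-site server. The following is an added example, not code from the article or from any of the firms it cites: a small scanner a site owner could run over their own HTML to flag iframes that are both invisible to the visitor and point off-site. The sample page, the host name www.example.com and the redirector.invalid domain are constructed for the example.

```python
"""Flag hidden, off-site IFRAMEs: the signature of a silent redirect injection."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeFinder(HTMLParser):
    """Collects the src of every <iframe> that is hidden and points off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    @staticmethod
    def _is_hidden(attrs):
        # CSS hiding: display:none / visibility:hidden in the inline style
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            return True
        # Dimensional hiding: 0x0 or 1x1 frames render as nothing
        try:
            w = int(attrs.get("width", "100").lower().replace("px", ""))
            h = int(attrs.get("height", "100").lower().replace("px", ""))
        except ValueError:  # percentages or junk values: treat as visible
            return False
        return w <= 1 or h <= 1

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs (same site)
        offsite = bool(host) and host.lower() != self.site_host
        if offsite and self._is_hidden(a):
            self.findings.append(src)


def find_hidden_iframes(html, site_host):
    """Return the src URLs of hidden, off-site iframes found in html."""
    parser = HiddenIframeFinder(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample page: one legitimate frame, two injected hidden ones.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="/help.html" width="400" height="300"></iframe>
<iframe src="http://redirector.invalid/in.cgi?3" width="0" height="0"></iframe>
<iframe src="http://redirector.invalid/x.php" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_PAGE, "www.example.com"):
        print("suspicious hidden iframe ->", src)
```

A hit is a reason to check the page's integrity against a known-good copy and to look for the FTP or control-panel access that placed it, since the article notes the affiliates planted the code on hacked legitimate sites.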

And RBN even likes to fight back. In October 2006, the National Bank of Australia took active measures against Rock Phish, both directly and via a national anti-phishing group to which the bank's security director belonged. RBN-based cybercriminals replied by crashing the bank's home page for three days. [2]

"People used to be scared of the Russian mafia, now they are scared of Russian hackers," police Lieutenant-general Boris Miroshnikov once told President Vladimir Putin in 2004. [7]

So how did we end up here? VeriSign summarizes it by saying that "Russia's geography and socio-economic conditions come together with the country's difficult recent history and an often draconian political order to create 'perfect storm' conditions in which criminality, including cybercrime, flourishes. Excellent schools produce tens of thousands of exceptional technical minds who enter a job market with prospects almost universally below their abilities. A culture of criminality and acceptance of corruption leads many into the criminal underground where they find easy prestige and money in improperly secured western companies and gullible individuals." [8]

Without a diplomatic or legal solution to the Russian Business Network, some Internet service providers have begun walling off their customers from the company. One security administrator, speaking on condition of anonymity, said that within a few months of blocking the Russian company, his employer found it was saving significant amounts of money by spending less time helping customers clean viruses originating from the Russian Business Network off computers or taking down online scam sites or spam-spewing PCs. "Our instances of spam and infected machines dropped exponentially," he said. [1]

1. "Shadowy Russian Firm Seen as Conduit for Cybercrime", Washington Post, October 13, 2007

2. "A walk on the dark side", The Economist Newspaper, August 30, 2007

3. "MPack Analysis", SANS Internet Storm Center, June 20, 2007

4. "Uncovering Online Fraud Rings: The Russian Business Network", VeriSign, August 8, 2007

5. "Mapping the Russian Business Network", Washington Post, October 13, 2007

6. "Bank of India site hacked, serves up 22 exploits", Computer World, August 31, 2007

7. "Police say Russian hackers are increasing threat", USA Today, August 28, 2004

8. "Cyber crime: the Russian threat, on your territory", VeriSign, September 2007