Via ComputerWorld -
November 10, 2007 (Computerworld) -- The shadowy hacker and malware hosting network that only recently fled Russia to set up operations in China has now pulled the plug there and vanished yet again, researchers said late Friday.
The latest disappearing act of the Russian Business Network (RBN) has left researchers scratching their heads. "Where have they gone, that's the question," said an analyst with VeriSign's iDefense Labs, who wanted to remain anonymous, leery of retribution from the gang. "What's really interesting is how fast they shut everything down."
iDefense had tracked RBN's migration earlier in the week from servers based in Russia to ones running in China. On Tuesday, RBN's Russian servers went dark as the group relinquished control of its assigned IP addresses, effectively severing its connection to the Internet. By Wednesday, however, RBN had relocated to China and Taiwan after obtaining at least seven net blocks of Chinese IP addresses, said iDefense. According to the Sterling, Va.-based security intelligence firm, as of Wednesday RBN controlled 5,120 IP addresses assigned to Chinese service providers; known RBN clients were even seen using those addresses that day.
But with its China move putting media and security community spotlights on the organization, RBN suddenly went offline on Thursday, said the analyst. "They severed connections to six of the seven net blocks on November 8."
The analyst speculated that while RBN's operators might dismiss the unflattering stories as attacks meant to discredit Russia and its president, Vladimir Putin, the attention was definitely unwelcome. "If their clients are afraid to use them," said the analyst, "it becomes a real issue of finances for RBN."
...
In mid-October, the group spoke with a Western news organization for the first time when it told Wired that it was a legitimate business, and was considering suing Spamhaus, an well-known anti-spam organization, for blacklisting its IP addresses. Two days later, CNews Russia ran a story within the country that claimed the RBN allegations were fabrications meant to smear Putin.
Where RBN has gone, or whether it will resurface is, however, a mystery for now. ""Where will they go next, assuming they want to reproduce the same model somewhere else? I don't know," said the iDefense analyst.
According to iDefense, RBN as we've known it may be dead and gone. The model used in Russia, which it replicated momentarily in China, was of a top-down, centrally-controlled network in which one or two ISPs (Internet service providers) connected a number of semi-legitimate companies to the Web. Those companies, in turn, rented so-called "bullet-proof" servers to criminals, meaning that the servers wouldn't be taken offline when complaints were filed by security researchers.
"It was great in terms of control and in terms of money," said the iDefense analyst, noting that the vertical integration put more money in the organization's pockets.
Rather than return in that format, RBN may even now be breaking up into smaller pieces farmed out to multiple countries' Internet infrastructures. "That may keep it under the radar, but it's also more expensive for them and it's riskier, too, because the more ISPs that it has to deal with, the better the chance that one of those ISPs says 'no' to hosting RBN content and shuts them off," said the analyst.
On the plus side (for their clients), by splitting up RBN can delay detection and make prosecution difficult. "It's a lot harder for law enforcement when there are six or seven countries involved," said the iDefense researcher. "But I think we'll be able to track them. We've done that kind of thing before when a group has been spread across two or more ISPs."
But as a monolithic, centrally-controlled organization -- ironically the model that dominated the now-defunct Soviet Union -- RBN is likely dead. "As we've known it, I think RBN is gone," said the researcher.
No comments:
Post a Comment