Risk Impact High

Symantec yesterday (11-26-2008) identified a new strain of adware bearing a risk impact of high. Adware.OneStep targets the Firefox browser (http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2). It embeds search results from onestepsearch.net with hidden advertisements that use size zero iframe tags.

An examination of onestepsearch.net reveals additional cause for concern. The proprietor of onestepsearch.net is Navigation Catalyst Systems, Inc.; the firm was sued by Verizon on April 15th. In that lawsuit,

"Verizon California Inc., Verizon Trademark Services LLC and Verizon Licensing Company alleged that Defendants Navigation Catalyst Systems Inc. and Basic Fusion Inc. have used an automated process to register and use over three million domain names, many of which are confusingly similar to famous or distinctive trademarks owned by others."(http://news.justia.com/cases/featured/california/cacdce/2:2008cv02463/413394/)

The mass registration of typosquatting domains is a tactic often practiced by the Russian Business Network.

McAfee's Site Advisor service ties navigationcatalyst.com to qsrch.com ("When we visited this site, we found that it appears to have a business relationship with New.net, a known provider of adware, spyware or other potentially unwanted programs."). Indeed, onestepsearch.net shares both its IP address and name server with qsrch.com. Other domains at IP address 208.87.149.250 include a variety of sociopathic porn sites (teenagefucksluts.com, has.seen.godscock.net, etc.), hacker redirect sites (justgotpwned.com), typosquatter domains (blogpspot.com), disreputable medical products and unsafe download sites (01computersoftwar.biz, etc.). Waria.vg is also present; waria is a trojan egg dropper which targets Linux and Unix systems. Also, corrupt DNS entries are deliberately employed by onestepsearch.net; the reverse DNS entry for onestepsearch.net, 250.f.com, is not whoisable, and no f.com exists.

It is adviseable that you block the IP addresses as well as, the domain names associated with onestepsearch.net. DNS blocking is useful as malware domains often change IP addresses, as their owners seek to avoid IP blocking.

onestepsearch.net  - 208.87.149.250
ns1.onestepsearch.net - 209.128.80.137
ns2.onestepsearch.net - 209.128.80.138
ns3.onestepsearch.net - 209.128.76.101
ns4.onestepsearch.net - 209.128.76.102
mail01.quadzemail.com - 208.87.148.231

onestepsearch.net and quadzemail.com lurk within AS40634, and you may be able to block this entire route (208.87.148.0/23), which appears to be rife with the worst malice.

Malware Domain IP Address Migration Rates

Building the Case for Black Hole DNS
by James McQuaid

In measuring the frequency with which malware domains changed IP addresses, I had two goals. One was to quantify enemy tactics, and the other was to evaluate the effectiveness of the tools we employ against them.

After stateful packet inspection, IP address blocking is the most commonly utilized method of securing the perimeter through filtering. Overreliance on IP address blocking has been criticized as inadequate (http://blog.fireeye.com/research/2008/11/the-case-against-url-blacklists.html), and numerous analysts have suggested that it should be utilized in conjunction with Black Hole DNS (BHDNS) (http://malwaredomains.com/). This may seem to be self-evident, but little data has been available regarding its comparative effectiveness.

I examined malware domains active between October 10th and November 10th 2008, and found that as the

life of a malware domain progressed, it was increasingly likely to have its IP address changed. This is the likely result of cybercriminals attempting to evade IP address blocking.

After 7 days, 80% of malware domains retained their initial IP address. 10% were no longer resolving, and 10% of the domains had undergone an IP address change.

After 15 days, 56% of malware domains retained their initial IP address. 21% of malware domains were no longer resolving, and 23% of the domains had undergone an IP address change.

At 30 days, 50% of malware domains retained their initial IP address. 7% of the domains were no longer resolving, and 42% of malware domains had undergone an IP address change.



The data indicate that a network administrator who implements IP address blocking on a 30-day update cycle is facing up to a 42% failure rate in the effectiveness of the perimeter filtering policy. The data also imply that the RBN and other malware operators have a strategy of changing the IP address of malware domains in order to evade IP address blocking.

Snort Inline offers administrators exponentially greater levels of network protection, providing
substantial protection against advanced threats including fast flux malware networks.
emergingthreats.net provides the most comprehensive set of open source Snort signatures which are
effective in real-time (http://doc.emergingthreats.net/bin/view/Main/AllRulesets).

Black Hole DNS (filtering traffic by domain name) provides an effective, inexpensive and widely
available method of significantly improving the effectiveness of perimeter firewall filtering policy.

BHDNS is available in conventional DNS as well as, in widely deployed home and small business firewalls (such as Smoothwall and IPCop).

You can easily implement BHDNS in conventional DNS. malwaredomains.com provides complete instructions and domain blacklist files. I maintain a ready-to-go solution for Smoothwall at emergingthreats.net (http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples).

Darkness At Dawn

Russian organized crime syndicates

Darkness At Dawn can be read online at Google books http://books.google.com/books?id=i-t6jle71ToC. I strongly recommend that you read at least one chapter; it is absolutely riveting reading.

The problem of cybercrime and malware is inextricably linked with the rise to power of organized crime in post-Soviet Russia. The extent to which organized crime has been institutionalized in Russia is indeed shocking, and continues to today:

"under Putin, organized crime — especially in St. Petersburg and Moscow — has been changing. Since he has consolidated power as president, Putin considers organized crime and Barsukov relics of a bygone era. Organized crime groups have, in short, been institutionalized — if not completely swallowed by politicians or legal institutions. For example, until recently, Barsukov worked legally as vice president of the Petersburg Fuel Co. The Tambov group’s control over the four ports it once claimed also has changed; the group still receives large kickbacks on imports and exports, but it does not own the ports and is instead considered port “security.”

- Stratfor

http://www.stratfor.com/russia_kremlin_strikes_tambov_group

In Darkness At Dawn, David Satter explains in vivid detail reminiscent of an early Tom Clancy novel, how this took place, and the terrible price the Russian people have paid. Satter's book provided me with some insight into factors which produced the extreme nationalist mania now gripping Russia.

Anticipating a new dawn of freedom after the disintegration of the Soviet Union, Russians could hardly have foreseen the reality of their future a decade later: a country impoverished and controlled at every level by organized crime. This riveting book views the 1990s reform period through the experiences of individual citizens, revealing the changes that have swept Russia and their effect on Russia’s age-old ways of thinking.

“The Russia that Satter depicts in this brave, engaging book cannot be ignored. Darkness at Dawn should be required reading for anyone interested in the post-Soviet state.” — Christian Caryl, Newsweek

“Satter must be commended for saying what a great many people only dare to think.” — Matthew Brzezinski, Toronto Globe and Mail

“Humane and articulate.” — Raymond Asquith, Spectator

“Vivid, impeccably researched and truly frightening. . . . Western policy-makers, especially in Washington, would do well to study these pages.” — Martin Sieff, United Press International

More details:
Darkness at Dawn: The Rise of the Russian Criminal State
By David Satter
Published by Yale University Press, 2004
ISBN 0300105916, 9780300105919
326 pages

The RBN Operatives: Part II

In mid-August, I wrote that I suspected that long time RBN operatives Alexandr Boykov and Sergey Smirnov were the individuals most likely responsible for the cyber first strike against Georgia's Internet infrastructure, which preceded Russia's invasion of that country. Given their historical domination of CNet 76.135.167, I continue to hold this view. However, after many hours of investigative work, I have uncovered additional, specific information regarding the lessee of the IP space involved.

What I now know is that sometime between July 18 and July 31, 2008, a Russian cyber criminal named Sergey Astakhov deployed the botnet command and control domains involved in the DDOS attack to 76.135.167.22. Using a fairly advanced RBN DNS obfusication method, Mr. Astakov created a multiheaded DNS typology in an attempt to elude discovery. Mr. Astakov's DNS server, judex.cn located at IP address 210.145.102.19 also bore an A record address of 79.135.167.22. The domains at 79.135.167.22 used a fast flux DNS method with a twist: most of the time in which one ran a DNS query against them, ns1.guagua.net would be returned. Rarely, ns1.srv.com (located at 210.145.102.19) would be returned as a result of a DNS query. I had noted this as early as 11 August, but the DNS topology of ns1.srv.com led nowhere. Similarly judex.com was a dead end.

The following diagram portrays Mr. Astakhov's control over the botnet command and control servers utilized in the cyber first strike:





The sophistication of the methods used to cloak Mr. Astakhov's identity are remarkable. Combined with the use of privacy protect type services, they could be used to create truely stealthed Internet attack systems, which would make attribution of criminal activity difficult to impossible. In this case, we are fortunate that Mr. Astakhov used his actual name in the WhoIs recod for judex.cn.









The DNS record at judex.cn indicates that guagua.net uses it as a name server, but this information has not been available at guagua.net itself:




Mr. Astakhov has a history of cyber criminal activity. Note the Artists Against 419 web site entry for Mr. Astakhov's alexexpress.com: http://db.aa419.org/fakebanksview.php?key=28770. Mr. Astakhov was previously noted as a Zlob trojan distributor at malwaredomainlist.com (and that data is still available in Google's cache). Mr. Astakhov's domain theworldnews5.com is known to install the RBN fake antivirus software xpantivirus 2009; note http://forum.hosts-file.net/viewtopic.php?f=9&p=4511.

I have previously determined that Alexey Vasiliev was responsible for the spam attack which besmirched the President of Georgia:

BEHIND THE MAKING OF THE ATRIVO TAKEDOWN

By James McQuaid

As early as November 2007, I had corresponded regarding with several security researchers regarding the presence of former customers of the Russian Business Network ISP operating in Atrivo IP space. Over the next several months, as a part of my normal malware investigations, I noted the disproportionate amount of malware within Atrivo. During this time, I was publishing a list of RBN IPs at Matt Jonkman's emergingthreats.net, and also a blackhole DNS file for Smoothwall. To that end, in March 2008 I completed a survey of all class C networks within Atrivo and incorporated those domains into the Smoothwall blackhole DNS file. I also added all of Atrivo's IP space to the blacklist of RBN IP addresses.

My fights with the Russian mob had started several years earlier when I worked as a programmer at a web hosting firm (the earliest encounter preceded 9-11). The RBN had hacked the fully patched Windows IIS server of the firm's largest client. The network administrator was unable to expel the intruder, and the firm's owner tasked me with resolving the mess. After two days of tightening permissions, and command line combat, I nuked the box. Although I feared that I might be fired, the client subsequently insisted that I take over network administration of all of their servers. Thereafter, it would be a strict scorched earth policy against the RBN.

Over the next couple of years my tactics against the RBN were primarily defensive. By that, I mean that I blocked those IPs and domains that I encountered or read about. It was essentially an avoidance policy, and primarily reactive. This changed when Saint Petersburg black hats targeted the computer of one of my children. That machine was freshly loaded with Windows XP at Christmas, fully patched, and quite well locked down, and I had installed the Panda Platinum security suite (scans were scheduled daily). Within three weeks, the RBN had taken the machine, and installed Kuang II. The intruder had stored some particularly offensive Hentai images on the computer. It was then, in a moment of dizzying cold terror, that I realized that one could not avoid them, and that I needed to actively hunt them.

_________________________________________________________________________________________________________

It was then, in a moment of dizzying cold terror, that I realized that
one could not avoid them, and that I needed to actively hunt them.

_________________________________________________________________________________________________________

My initial step was to repartition the hard drives of and reload every computer in the house. This included reloading Microsoft Small Business Server 2003 with the open source firewall Smoothwall Express. I had not relied on SBS's firewall, although I employed it; SBS had been positioned behind a Netgear FVS-318 firewall router. With Smoothwall I was able to block IP addresses as well as, blacklist domains at the perimeter. Microsoft had made these capabilities unavailable in SBS 2003, and it had a ridiculous number of shares that were impossible to effectively secure. Smoothwall's blocking capability meant that I could perform reconnaissance against cyber criminals, and apply the data acquired, to my home defense. Thus I began to hunt them with the care that one employs when confronting any dangerous predator.

Flash forward to 2007 when I learned from the Internet Storm Center that Brian Krebs of The Washington Post wanted to interview someone who was blocking the Russian Business Network. I emailed Brian and he subsequently telephoned me. After his now famous articles on the RBN were published, the FBI pressed the Russian government, other networks quit routing their traffic, and the RBN ISP disintegrated. Consequently, the customers of the RBN ISP sortied and a virtual Diaspora of Russian cyber crime was created. We doggedly tracked them into Panama, Malaysia, China, the United States (Atrivo and Optical Jungle), and elsewhere.

When I met the StopBadWare team at Harvard Law's Berkman Center for the Internet and Society for the Berkman@10 Conference in May 2008, I was impressed with StopBadWare's unequivocal attribution of the problems on the Internet to organized crime. It was a fact with which I was well acquainted, but few had been willing to say as much. Jonathan Zittrain also impressed me with his discussions of the power of the generative Internet. Over the Christmas 2007 holiday, Russian cyber criminals had created several thousands of exquisitely social engineered Blogspot pages. Google and StopBadWare had been fighting them since. The attempt to poison Blogspot was a direct threat to the generative Internet, and threatens to seriously diminish the value of the Internet to the entire world. Fortunately, Russia's high profile cyber attacks against Estonia and Georgia seem to have awakened the governments of the democracies that the problem of cyber crime is serious, and can no longer be ignored.

Over the months of painstakingly investigating Atrivo, we found that cyber crime was no longer merely a cottage industry of Russian ultra nationalists, but had morphed into a multinational enterprise involving large corporations. Please download the PDF of our report, Cyber Crime U.S.A. You will find it engaging reading. Since its release a week ago, and Brian Krebs' articles about it in The Washington Post, Atrivo has given the appearance of being on the ropes. Est and Atrivo are taking down a number of fake anti-virus sites, but not all, and new ones have been introduced. We expect that they will continue to distribute malware through bogus search sites as well as, sociopathic porn sites in hopes of going unnoticed. The current activity is an attempt to avoid prosecution, but it does not alter their fundamental economic model, or long-standing contractual obligations and relationships. We will continue to evaluate and scrutinize reports of malware across their networks.

The time for action is now, as the future of a generative Internet hangs in the balance. If the telecommunications industry does not cease routing the traffic of criminal networks, government must step in with physical take downs and prosecutions.



Notes:

Cyber Crime U.S.A.:
http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html
http://voices.washingtonpost.com/securityfix/2008/09/scam-heavy_us_isp_grows_more_i.html

Support for Cyber Crime U.S.A.:
http://www.avertlabs.com/research/blog/index.php/2008/09/04/the-darksides-domains/
http://www.spamhaus.org/news.lasso?article=636
http://msmvps.com/blogs/hostsnews/archive/2008/09/03/1646589.aspx
http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/
http://blog.stopbadware.org/2008/08/28/report-calls-out-atrivo-intercage-and-affiliates
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080906
http://www.circleid.com/posts/89610_cyber_crime_an_economic_problem/

On 13 October 2007,
The Washington Post published Brian Krebs' excellent articles on the Russian Business Network:
http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html
http://blog.washingtonpost.com/securityfix/2007/10/taking_on_the_russian_business.html
http://www.washingtonpost.com/wp-dyn/content/story/2007/10/12/ST2007101202661.html?hpid=moreheadlines
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101201700.html?sub=new

With respect to events since October 2007, note "The Russians Go Chinese":
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829

and "Russian Business Network: Down, But Not Out":
http://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html

The following sources have provided timely information:
Jart Armin research: http://rbnexploit.blogspot.com

Dancho Danchev research: http://ddanchev.blogspot.com

David Bizeul research: http://isc.sans.org/presentations/RBN_study.pdf

Shadowserver research 'Clarifying the "guesswork" of Criminal Activity':
http://www.shadowserver.org/wiki/uploads/Information/RBN-AS40989.pdf

Utilize the Emerging RBN Rules:
http://docs.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

Other Resources:
http://www.bytecrime.org/
http://www.fbi.gov/cyberinvest/cyberhome.htm
http://cyber.law.harvard.edu/
http://cyber.law.harvard.edu/events/berkmanat10
http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples
http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

The RBN Operatives Who Attacked Georgia

In my view, the individuals most directly responsible for carrying out the cyber "first strike" on Georgia are two Russian Business Network operatives, Alexandr A. Boykov and Andrew Smirnov, both of Saint Petersburg, Russia. These men are not "kiddie scripters" (as some have sought to rather narrowly characterize the attackers of Georgia).

Mr. Boykov has been engaged in criminal activity for some time. He is best known for registering an distributing the malware VirusIsolator (which downloads trojans to take control of the victims computer) (1). He has been directly involved in financial crime, and operated scam sites including: Harbor Lending, Oakwood Lending, and Capital Lending (2). Mr Boykov is also a purveyor of porn spam (3).

Mr. Smirnov is known for operating a number a scam sites including canadian-pharmacy-support (4) and canadiandiscountmeds (5). Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine (6). The Ukrainian authorities should note that he often travels between Russia and the Ukraine (7).

According to Spamhaus, Ukrainian cyber criminals operate a hosting service in Class C Network 79.135.167.0/24. Mr. Boykov is considered by many analysts to be the proprietor. It should be noted that opening salvos on Georgia emanated from 79.135.167.22. This was noted as early as the morning of Sunday 10 August by both Shadowserver.org (8) and Dancho Danchev (9). These opening cyber attacks preceeded the large-scale mobilization of Russian nationalist hacktivists. In fact, the Website for the President of Georgia had been under attack since July 20th (10)

In the following days, a very heavy (11) spam campaign was launched purporting to be from the BBC which accuses the President of Georgia of being gay . When an individual clicks on the link in the email, a compromised web site is opened, which downloads a virus from 79.135.167.49 (12). Spamhaus issued a warning regarding the malware at 79.135.167.49 on July 29th in SBL66533 (13). On August 5th, Alexey Vasiliev of Novosibirsk, Russia, one of the Storm worm's authors (14), had a malware domain, freepostcardonline_com parked at 79.135.167.49 (15).

AbdAllah a/k/a IstanbulTelecom (79.135.167.0/24) has long been a haven for criminal activity. Steven Adair of Shadowserver has previously identified the AbdAllah Internet Hizmetleri group as RBN affiliated (16). Currently, the malware distributing domain antivirus-2008pro_net resolves to 79.135.167.54 (along with ninety-three other dangerous domains). Malwaredomains.com listed the domain as a hazard on May 28th of this year (17). Presently, virus-isolator_com resolves to 79.135.167.54. The whois information for the site no longer lists Mr. Boykov, but was registered through the notorious EstDomains to a Vargendia Limited in Cyprus. Mr. Boykov's *.virusisolator_com, a subdomain of virusisolator, resolves to IP address 217.170.77.150, as do numerous other virus-isolator sites (18). Such DNS resolution schemes are typical of fast flux and botnet operators. As with many other Russian spammers and cybercriminals, Mr. Smirnov also is now in the process of anonymizing the whois information associated with the spam domains he has registered.

Our research indicates that Mr. Smirnov and Mr. Boykov have exercised administrative level control over this Class C Network (CNet). This is clear in the historical data related to the CNet. The sheer number and frequency of their domains that have moved from IP address to IP address, across the full range of IP addresses in CNet 79.135.167, allows for no other conclusion. Given the degree of control they have historically exercised, it is very likely that they conducted or were a party to the cyber "first strike".

James McQuaid

(1) http://www.malwarebytes.org/forums/index.php?showtopic=4288&pid=16324&mode=threaded&show=&st=0
(2) http://www.ripoffreport.com/reports/0/337/RipOff0337263.htm
(3) http://www.castlecops.com/Blogspot_redirection_Porn_site_spam167793.html
(4) http://www.robtex.com/whois/canadian-pharmacy-support.info.html
(5) http://groups.google.com/group/news.admin.net-abuse.sightings/browse_thread/thread/9d9aa3a014ae6748
and http://www.robtex.com/whois/canadiandiscountmeds.com.html
(6) http://translate.google.com/translate?hl=en&sl=ru&u=http://supol.narod.ru/members/Andrew_Smirnov/gaz1.htm&sa=X&oi=translate&resnum=6&ct=result&prev=/search%3Fq%3Dandrew_smirnov%26hl%3Den%26sa%3DG
(7) author's private note
(8) http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080720
(9) http://ddanchev.blogspot.com/2008/08/russia-vs-georgia-cyber-attack.html
(10) http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080720
(11) https://forums.symantec.com/syment/blog/article?message.uid=344935
(12) http://garwarner.blogspot.com/2008/08/new-bbc-spam-mocks-georgias-president.html
(13) http://www.spamhaus.org/security/cookies.lasso?query=SBL66533
(14) http://www.sudosecure.net/archives/212
(15) http://www.dozleng.com/updates/index.php?autocom=custom&page=results&numpage=1&words=blocklist
(16) http://www.securityzone.org/?cat=8
(17) http://malwaredomains.com/?p=218
(18) http://www.robtex.com/ip/217.170.77.150.html

DNS Blackhole for Smoothwall

DNS Blackhole for Smoothwall 3.0 available at Emerging Threats:
This is the most comprehensive DNS blacklist available. These files allow you to blacklist malicious domains by name. This is particularly useful because of the frequency with which the enemy changes the IP addresses of malware domains in an effort to evade IP blocking.

* config-hosts: 175,550 organized crime, RBN affiliates, malware hosts and bad actors blacklisted for Smoothwall 3. Leave last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Updated 8-14-2008.
http://doc.emergingthreats.net/pub/Main/HoneywallSamples/config-hosts

* hosts: Protect your home from 175,550 bad domains for Smoothwall 3; placed in /var/smoothwall/hosts/. Note: with this many objects in BlackHole, you must use local loopback. Update 8-14-2008: added 3,000 new malware domains.
http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts

For effective protection, you should use anti-spyware and anti-virus products in addition to IP blocking and DNS blacklisting.

I maintain the Snort Config Samples Project at Emerging Threats. Visit http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples for more information.

OSS arrives

Let friend and foe alike know that the OSS has arrived in Georgia.

Real Time Cyber Attack Details Against Georgia

Russia's SVR Seen Acting in Collusion with the Criminal RBN

Top ace Internet security researcher, Dancho Danchev, indicated late today that it was likely that the Russian Foreign Intelligence service (SVR) was behind the attacks on Georgia's communications infrastructure, "It smells like a three letter intelligence agency’s propaganda arm has managed to somehow supply the creative for the defacement of Georgia President’s official web site, thereby forgetting a simple rule of engagement in such a conflict - risk forwarding the responsibility of the attack to each and every Russian".

In his "Zero Day" column at ZDNet http://blogs.zdnet.com/security/?p=1670 and at his brilliant blog http://ddanchev.blogspot.com/ Danchev identified the RBN command and control servers acting on behalf of the Russian government. The RBN is at the crux of malware creation, child pornography, and financial crime on the Internet. The close relationship between these activities and the Russian government may shock soccer moms in the West, but Internet security professionals have long suspected as much.

Earlier this week, the West's top RBN expert Jart Armin http://rbnexploit.blogspot.com identified many of the routing details of the Russian attack on Georgia's communications infrastructure.

Since Danchev published those details 5 hours ago, the Russian mafia/SVR operation has sought to evade detection by changing the DNS servers (ns1.guagaga.net and ns2.guagaga.net) of their actual command and control location (a-nahui-vse-zaebalo-v-pizdu.com) from the Turkish Telecom IP address 79.135.167.22 to an IP address (210.145.102.19) in the Yamato Life Insurance Building in Japan (DNS server is ns1.srv.com). Meanwhile they have created two new DNS servers ns1.guagaga.net.guagaga.net and ns2.guagaga.net.guagaga.net, which they are preparing to bring online between 10:00 pm and 2:00 am EST to act as authoritative name servers for the other attacking command and control servers, domains and botnets.

A complete list of RBN IP addresses, domains, franchisees and affiliates is available at http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt.

Georgia, Ukraine and NATO should refer to Dancho Danchev's column for additional details and incisive analysis. Security professionals should DNS Blackhole all of the involved domains, as well as their DNS servers. Given their infamous history, compounded by events of the past several days, it is time that the RBN was officially designated as a terrorist organization by the government of the United States.

James McQuaid

Russian Cyberattack on Georgia

In line with its information warfare doctrine, the opening salvos of Russia's invasion of Georgia consisted of attacks on Georgia's communications infrastructure. The goal of this activity was to deny Georgia the opportunity to provide its perspective to the international press, and give Russia a corresponding advantage in shaping world opinion.

As documented at http://rbnexploit.blogspot.com, this cyberattack has been systematic and thorough. It's coordinated timing with the Russian conventional attack suggests that the criminal RBN is a military intelligence asset of the Russian government.

Many of Georgia's web servers are now under "unauthorized external control", and some web sites have been defaced. In addition, other Georgian servers are inaccessible due to disruptions by Russia and the RBN in the Internet's routing infrastructure. It should be noted that "AS8342 RTCOMM (Ru), AS12389 ROSTELECOM (Ru), AS9121 TTNet Autonomous System Turk Telekom (Tk) are well known to be under the control of RBN and influenced by the Russian government."

As noted in the August 8th editorial by The Washington Post, "Russian military probes, always denied by Moscow, have been frequent in recent years. But certainly the deeper source of tension between the two countries is Russia's insistence on maintaining hegemony in the Caucasus. Georgia's democratically elected government has accepted U.S. military and economic aid, supported the mission in Iraq and pursued NATO membership. Moscow will not tolerate such independence -- even by a relatively poor country of just 4.6 million people."

The Russian government's use of murder, extortion and blackmail in pursuit of political and economic policy goals has been well documented in the past several years. Europe, the United States, and the world at large will proceed from this point wary of the Russian mafia state.

For the purpose of circumventing the Russian cyber blockade of Georgia, I am reproducing below an official statement of the government of Georgia:



"Georgia seeks peaceful resolution to the conflict in South Ossetia Georgian troops mobilize to protect civilian population from rebel attacks TBILISI – Sat 09 August 2008 –

The Government of Georgia has sought to defuse the tense and violent situation in the South Ossetia region yesterday by declaring a unilateral ceasefire and appealing to the leadership of the separatist rebels to begin talks with the State Minister for Reintegration Temuri Yakobashvili. Despite calls for peace, separatist rebels continued to attack Georgian police posts and the civilian population.

Initially government forces did not return fire. However, at 8:30pm the village of Avnevi came under fire from separatists and the village was almost completely destroyed. The government-controlled village of Prisi also came under attack by separatists, which left several people wounded.

In response to separatist attacks on government-controlled villages, Georgian Armed Forces occupied several villages in South Ossetia early this morning. At around 5:30am, Russian Federation forces began moving into the conflict zone through the Roki tunnel, which connects Russia and Georgia and has been an entry point for the illegal transfer and sale of arms to separatist rebels. Two additional Russian units entered into Georgia through the Roki tunnel around 8:00am. The first Russian unit that entered Georgia through the Roki tunnel was killed as they attempted to cross the Gufta Bridge, which was also destroyed in the operation conducted by the government’s air command.

The Russian air force has also been conducting military operations in Georgia. Military fighter planes dropped bombs in four towns. The Russian air force also bombed the villages of Variani, injuring seven civilians, and dropped three bombs on Gori. The OSCE has confirmed the Gori operation was conducted by the Russian air force. So far several people have been killed and wounded, including innocent civilians.

In an effort to protect the civilian population, the President of Georgia Mikhail Saakashvili declared a unilateral ceasefire to be in effective between 3:00pm – 6:00pm Friday. During this time, the civilian population and the separatists were invited to cross the line of control. The government has also provided humanitarian assistance and full amnesty for those separatists that choose to surrender. As of 2:30pm, Georgian forces controlled 100% of Tskhinvali with just a few small groups still resisting government presence. Despite the ceasefire, Russia continued to take aggressive military action within Georgian territory.

At 4:30pm and 5:35pm, Russian military aircraft bombed a Georgian military base in Marneuli three times, in the southern part of the country about 30 kilometres from Tbilisi, resulting in the destruction of grounded Georgian military equipment, severe damage to a number of buildings, and several causalities.

Russian military aircraft also entered Georgian airspace at 3:05pm and dropped two bombs on the Georgian military airbase in Vaziani, just on the outskirts of the capital."

Stop the Russian Mafia state

Both Senator Barack Obama and Senator John McCain have demanded that Russia withdraw from Georgia. The Washington Post has just published an editorial calling on the West to stop Russia. If we fail to do so, we can expect more predatory violence from the Russian Mafia state.

http://www.washingtonpost.com/wp-dyn/content/article/2008/08/08/AR2008080802741.html

"Stopping Russia
The U.S. and its allies must unite against Moscow's war on Georgia.

THE OUTBREAK of fighting between Russia and the former Soviet republic of Georgia was sudden but not surprising. Conflict has been brewing between Moscow and its tiny, pro-Western neighbor for months. The flashpoints are two breakaway Georgian provinces, Abkhazia and South Ossetia -- the latter being the scene of the latest fighting. The skirmishing and shelling around Georgian villages that prompted Georgian President Mikheil Saakashvilito launch an offensive against the South Ossetian capital, Tskhinvali, may or may not have been a deliberate Russian provocation, to which Russia's tank and air assault was the inevitable follow-up. Russian military probes, always denied by Moscow, have been frequent in recent years. But certainly the deeper source of tension between the two countries is Russia's insistence on maintaining hegemony in the Caucasus. Georgia's democratically elected government has accepted U.S. military and economic aid, supported the
mission in Iraq and pursued NATO membership. Moscow will not tolerate such independence -- even by a relatively poor country of just 4.6 million people.

At its summit in Bucharest, Romania, in April, NATO offered Georgia eventual membership. This was not the more concrete promise that Georgia, and the Bush administration, had wanted. But Tbilisi and Washington settled for less in deference to European NATO members who wanted to avoid inflaming Russia. It didn't work, because Moscow responded by increasing its ties to Abkhazia and South Ossetia, including by beefing up the "peacekeeping" forces it maintains in both regions under the settlement that concluded Moscow-backed secessionist wars in the early 1990s. Even before these latest maneuvers, Russia had issued passports to most inhabitants of the two breakaway regions, which is why it claims to be defending its own people now.

It's doubtful, though not unthinkable, that Russia actually plans to conquer all of Georgia. But its objectives are no less cynical for that. Simply by keeping the country in a constant state of territorial division and conflict, it hopes to show NATO that Georgia is too unstable for membership -- thus giving Georgia no choice but to submit to Moscow's "influence." Probably Russia intends to administer a quick military "punishment" (as Russian President Dmitry Medvedev described Moscow's war aim) to Mr. Saakashvili, and then restore some version of the unstable status quo ante.

This is a grave challenge to the United States and Europe. Ideally, the U.N. Security Council would step in, authorizing a genuine peacekeeping force to replace the Russian one that has turned into a de facto occupation of Abkhazia and South Ossetia. But a Russian veto rules that out. Thus, the United States and its NATO allies must together impose a price on Russia if it does not promptly change course. The principles at stake, including sovereignty and territorial integrity, apply well beyond the Caucasus. To abandon Georgia and its fragile democratic Rose Revolution would send a terrible signal to other former Soviet and Warsaw Pact republics that to Moscow's dismay have achieved or are working toward democracy and fully independent foreign policies. The West has made that sort of mistake before and must not do so again."

The Snort Config Samples Project
The Snort Config Samples Project provides instructions, ready to use files, and information for those who wish to quickly learn to use Snort Inline and Smoothwall to protect their home network. You can easily:

- deploy Snort rules to block unknown viruses and trojans before they reach your home computers

- block 172,000 known hostile domains

- block attackers by IP address

- protect your family from hacking

- employ super smart firewalling that no router/appliance can offer

Visit http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples
for Honeywall installation instructions and Smoothwall-based domain blocking.

Visit http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
to shut out the Russian Business Network.

Interactive Brands Targets Consumers

Interactive Brands is targeting the customers of Adobe, Ad Aware, AntiVir, McAfee, MySpace, Norton, Panda, and Spybot Search and Destroy. The malicious typosquatting technique has proven effective in the past. On Friday evening (March 14), CNet 63.243.188 included the following domains (CNet query through robtex.com):

1-866-software.com
2008-downloads.com
3000tvchannels.net
360-share-music.com
360share.cn
360share.net
360sharepro.com
accurate-searches.com
acrobat-pdf-reader.com
acrobat-reader-ib.com
acrobat8download.com
acrobatbundle.com
acrobatdownload-ib.com
acrobatpack.com
acrobatreader-8.com
ad-aware-ib.com
adaware-ib.com
adawarebundle.com
adawarepack.com
adobe-pack.com
adobe-reader-it.com
adobeacrobatpack.com
adobeacrobatreader-8.com
adobepack.com
adobereader-8.com
adobereader-download.com
adobereader-ib.com
adultmoviesmembersarea.com
advanced-people-finder.com
advanced-people-lookup.com
advancedpeoplelookup.com
adwarepro.com
affiliate.mp3downloading.com
affiliate.netmp3downloads.com
all-public-records.com
allcountyrecords.com
ancestorsdatabase.com
anti-virus-free.net
antispyware-2007.com
antispyware007.com
antivir-2007.com
antivir-2008.com
antivir-protection.com
antivir-security.com
antivir-software.com
antivir2007.com
antivirus-2007.com
antivirus-ib.com
antivirus-pack.com
antivirus-panda-suite.com
antivirus2k7.com
antivirus2k8.com
antivirusreview.info
any-court-record.net
anypublicrecords.com
apisvr01.email.upclk.com
apisvr01.logger.upclk.com
apisvr01.messages.upclk.com
arabic-tv-online.com
arabiconlinetv.com
ares-usa.com
aresuk.com
aresunlimited.com
australian-ancestry.com
australian-records.com
australiapeoplerecords.com
avast-bundle.com
avast-pack.com
avastantivirus-pro.com
avastbundle.com
avastpack.com
avforce.com
avg-antivirus-ib.com
azulcancun.com
azureusunlimited.com
background-check-now.net
background-search.us
background-sniffer.com
backgroundsniffer.com
bajaprogramasgratis.com
bankruptcy-record-search.com
bcheck-pkg.com
bck-check.com
bearshare-uk.com
bearshare-usa.com
bearshareunlimited.com
becomeawebguru.com
becomebuisnessman.com
bejoin-devel.cashengines.com
bejoin.cashengines.com
bestedownloads.com
bestmp3review.com
blubsterunlimited.com
bongos.marketengines.com
build-myspace.com
bundlepartner.com
bundlesmembersarea.com
business-record-search.com
cashengines.com
cashslinger.com
ccpayinfo.com
ccpayinfo.net
cemetary-database.com
chat.marketengines.com
click.cashengines.com
click.cybertvpartner.com
click.interactivebrands.com
click.recordspartner.com
click.test.cashengines.com
comparatif-tv.com
criminal-records-now.us
csdetails.com
csib.interactivebrands.com
csmb.marketbill.com
cstool.interactivebrands.com
cstool.marketengines.com
cyber-tv-partner.com
cybertv-ib.com
cybertv-partner.com
cybertv-pkg.com
cybertvpartner.com
daurinaycesar.com
death-files.com
death-record-search.com
designer.cashengines.com
detectiveservices.info
devel_sql.upclick.com
digitaltvonpc.com
diguprecords.com
dldassist.com
dldbil.com
dldcs.com
dldguide.com
dldpay.com
dldprovide.com
dldsubscribe.com
dldsupports.com
doc-to-pdf.net
download--portal.com
download--torrent.com
download-ad-aware.com
download-it-free.com
download-mcafee.com
download-pro-version.com
download-utilities.com
download.mcetools.com
download.mp3downloading.com
download1.marketengines.com
download1.mp3downloading.com
download2.marketengines.com
downloadassist.com
downloadhome.net
downloadhq-2008.com
downloadhq2008.com
downloadinghome.com
downloads-reviews.info
drimagames.com
drmengines.com
dvdsoftwarereview.info
dwnldsupport.com
easy-antivirus.com
easy-office.co.uk
easy-pdf-creator.com
easy-tv-online.com
easycashtutorials.com
easysoftwaredownloads.com
emoneytutorial.com
emoneytutorials.com
epdf-creator.com
error-doctors.com
errormechanic.com
esubscribe.us
exact-searches.com
excellentlogiciel.com
extremedownloadnetwork.com
extremegamesdownload.com
extrememoviedownloads.com
ez-downloading.com
ezdvdclone.com
ezdvdripper.com
filmheadquarters.com
find-any-family.com
find-people.quick.com
find-them-all.com
fixwinmx.com
found-them.com
fr-telechargements.com
france-download.com
france-incredimail.com
free-2008.com
free-antivir.net
free-download-center.com
free-mp3-share.com
free-music-page.com
free-music-page.net
free-satellite-network.com
free-software-access.com
free-spybot.com
freedocumentsearch.com
freedowloads.com
freedownloadpage.com
freemusicpage.net
freesoftdownloadz.com
freesoftwareaccess.com
freetvdirectory.com
ftp2.interactivebrands.com
full-edition.com
full-editions.com
full-license.com
full-licenses.com
genealogytoday.info
get-divx.com
gicsasucks.com
gov-check.com
gov-check.org
gov-check.us
gov-files.com
gov-files.info
gov-files.net
gov-files.org
gov-files.us
government-check.com
government-check.org
government-check.us
government-records.org
governmentcheck.org
governmentcheck.us
hablar-espanol.com
howtostaylegal.com
hq-2008.com
hq-edition.com
hq-editions.com
hqedition.com
hsprovider.com
hsprovider.net
i-dot-music.com
ib-adaware.com
ib-pandaantivirus.com
ib-reviews.com
ib-site-manager.com
ib-softwares.com
ib-tvplayer.com
ibaffiliates.com
ibaffiliates.interactivebrands.com
ibrecordsmembersarea.com
imoviesearch.com
imusicnow.com
infinitemoviedownloads.com
instant-backgroundcheck.com
instant-magick.com
interactivebrands.com
interactivebrands.com
internationaltvnetworks.com
internettvaccess.com
intra.marketengines.com
ip-mymusicbill.com
ip-yourwebdownloads.com
ipdetection.marketengines.com
ipodblaster.com
irfanview-bdl.com
irfanview-ib.com
irfanviewbundle.com
irfanviewpack.com
join-devel.marketengines.com
la-tv-internet.com
last-version.com
latest-antivirus.com
latest-edition.com
latest-editions.com
learn-2-speak.com
legalsoftwarecentre.com
limewire-usa.com
limewireuk.com
liveplayer.tv
logiciel-winzip.com
lookchannels.com
magazines4free.com
mail.adwarepro.com
mail.avforce.com
mail.cashengines.com
mail.cashengines.com
mail.cashslinger.com
mail.cybertvpartner.com
mail.daurinaycesar.com
mail.daurinaycesar.com
mail.defenza.com
mail.fullsoftwaredownloadz.com
mail.hsprovider.com
mail.hsprovider.com
mail.hsprovider.com
mail.hsprovider.net
mail.ib-site-manager.com
mail.ib-softwares.com
mail.ib-softwares.com
mail.interactivebrands.com
mail.marketbill.com
mail.marketengines.at
mail.mp3downloading.com
mail.nadeaussrh.com
mail.netmp3downloads.com
mail.netmusicmania.com
mail.powercompress.com
mail.rackengines.com
mail.recordspartner.com
mail.richwebmedia.com
mail.ultimatetvshow.com
mail.upclick.com
mailer.cashengines.com
maimonide.net
marketbill.com
marketengines.at
marketengines.com
marriage-files.us
marriagefiles.us
marriagerecords-usa.com
maxyouripod.com
mcafee-antivirus-2007.com
mcafee-internetsecurity.com
mcafee-pack.com
mcafee-suite.com
mcafee-suite2007.com
mcafeeantivirus2007.com
mcafeebundle.com
mcafeepack.com
mcafeesuite-2007.com
mcafeesuite2007.com
mcetools.com
media-realplayer.com
megamoviedownloads.com
megamovienetwork.com
memberlog.net
members.cashslinger.com
members.cybertvpartner.com
members.recordspartner.com
membersredirection.marketengines.com
military-records-search.com
monitor-can.marketengines.com
morguedatabase.com
morguerecords.com
moviesupport.net
mp3chk.com
mp3downloading.com
mp3netonline.com
mp3reviewguide.com
mp3support.net
mp4university.com
music-download-central.com
music-download-network.com
musicdownloadreviews.info
musicformembers.com
musicmp3review.com
musiqueillimite.com
my-software-center.com
mybil1.com
mybil2.com
mybil3.com
mybil4.com
mybil5.com
mybil6.com
mybil7.com
mybil8.com
mybil9.com
mycybertv.com
mydefenza.com
mydownloading.com
mydownloadnetwork.com
mydownloadsite.com
mydownloadsite.net
mymp3down.com
mymp3live.com
mymusic-cs.com
mymusicbill.com
mysoftwarecentral.com
mysoftwaredownloads.com
myspace-reactor.com
myspace.cashengines.com
myspacemembersarea.com
myspacereactor.com
myupclick.com
mywebcs.com
myxptools.com
nadeaussrh.com
netacuity01.marketengines.com
netdetectiveservices.info
netmp3downloads.com
netmp3music.com
netmusicmania.com
netspyprotector.com
nettvbroadcasts.com
nettvdirect.com
new.daurinaycesar.com
norton-antivirus2007.com
norton-virus-scan.com
nortonsecurity2007.com
ns.maimonide.net
ns.patrickdanino.com
ns.redactionb13.com
ns1.background-search.us
ns1.hsprovider.com
ns1.hsprovider.net
ns1.ib-site-manager.com
ns1.liveplayer.tv
ns1.maimonide.net
ns1.marriage-files.us
ns1.marriagefiles.us
ns1.nadeaussrh.com
ns1.officialreports.us
ns1.online-fernsehen.tv
ns1.onlineplayer.tv
ns1.patrickdanino.com
ns1.redactionb13.com
ns1.reseaumaimo.com
ns1.search-and-find.us
ns1.tele-enligne.tv
ns1.watchonline.tv
ns2.background-search.us
ns2.hsprovider.com
ns2.hsprovider.net
ns2.ib-site-manager.com
ns2.infoglyphe.com.ns-not-in-service.com
ns2.liveplayer.tv
ns2.maimonide.net
ns2.marriage-files.us
ns2.marriagefiles.us
ns2.nadeaussrh.com
ns2.officialreports.us
ns2.online-fernsehen.tv
ns2.onlineplayer.tv
ns2.patrickdanino.com
ns2.rackengines.com
ns2.search-and-find.us
ns2.tele-enligne.tv
ns2.watchonline.tv
obituary-records.com
oem-license.com
official--software.com
official--softwares.com
official-hq.com
official-installer.com
official-realplayer.com
officialbundles.com
officialinstaller.com
officialreports.us
officialsoftwaredownload.com
online-fernsehen.tv
onlinemoneyinstitute.com
onlineplayer.tv
onlinetv-review.com
onlinetvaccess.com
onlinetvreviews.com
p2p-outlet.com
p2p-vault.com
p2psupport.net
pack-avg.com
panda-2008.com
panda-anti-virus.com
panda-antivirus-2007.com
panda-antivirus-2008.com
panda-antivirus-2008.net
panda-bdl.com
panda-bundle.com
panda-ib.com
panda-suite.com
pandaantivirus-2007.com
pandaantivirus-2008.com
pandaantivirus-ib.com
pandaantivirus2008.com
pandabundle.com
pandasecurity2008.com
pandasecuritysoftware.com
pandasecuritysoftware.net
pandashield.com
pandasuite2007.com
paradox.marketengines.com
paybox01.marketengines.com
paybox01.upbill.com
paybox02.marketengines.com
paybox03.marketengines.com
paybox04.marketengines.com
pbpuserservice.marketengines.com
pc-pitbull.com
pcdefenza.com
pcdefenza.net
pcsecurityreview.com
pctvreview.com
pctvreviews.com
pdf-2008.com
pdf-2009.com
pdf-2k7.com
pdf-2k8.com
pdf-2k9.com
pdf-8.com
pdf-creator-8.com
pdf-files.net
pdf-suite.com
pdf-wizard.com
pdf-writer-reader.com
pdf2k7.com
pdf2k8.com
pdf2k9.com
people-search-database.com
people-tracer.com
powercompress.com
premium-tv-network.com
premiumtvchannels.com
pro-editions.com
pro-protection.com
proeditions.com
property-record-search.com
public-database.com
public-marriage-records.com
puredownloadz.com
pwibill.com
quick-people-finder.com
rackengines.com
rd.marketengines.com
reader-2008.com
reader-8.com
reader-pdf.com
real-bdl.com
real-ib.com
real-media-player.com
realopinions.net
realplayer-10.com
realplayer-music.com
realplayer-suite.com
realplayer2007.com
realplayerbundle.com
realplayerpack.com
recommendedsoftware.net
record-detectives.com
recordsonline.us
recordspartner.com
registrycleantool.com
relatives-finder.com
resilientnetworks.com
revealedidentity.com
richwebmedia.com
safepay1.interactivebrands.com
safepay2.interactivebrands.com
safepay3.interactivebrands.com
safepay4.interactivebrands.com
safesoftwaredownloads.com
satellitetv4pc.com
search-and-find.us
search-for-relatives.com
search-people-records.com
searchfamilymembers.com
searchib.com
searchyourgenealogy.com
secure.cybertvpartner.com
secure.marketengines.com
secure.recordspartner.com
secure2.cybertvpartner.com
secure2.marketengines.com
secure3.cybertvpartner.com
secure3.marketengines.com
secure4.cybertvpartner.com
secure4.marketengines.com
security-review.info
securitybundles.com
securitypacks.com
sexoffender-registry.com
sft.marketengines.com
skypephonepackage.com
smtp.interactivebrands.com
smtp.marketengines.com
smtp.upclick.com
soft-tv.com
software-2008.com
software-torrent.com
softwarehq-2008.com
softwarehq2008.com
spybot-search-n-destroy.com
spyerazer-pkg.com
spyerazer.com
spywaretech.net
sqlgt.marketengines.com
sqlop.marketengines.com
sqlprod.marketengines.com
sqlrep.marketengines.com
ssl-a.upclicksolutions.com
ssl-b.upclicksolutions.com
ssl-c.upclicksolutions.com
ssl-d.upclicksolutions.com
stage.build-myspace.com
stage.myspace-reactor.com
stage.myspacemembersarea.com
stage.myspacereactor.com
tele-enligne.tv
tele-envivo.com
telechargements-fr.com
teleenlinea.com
teleenvivo.com
teleparinternet.com
thecopydvd.com
themusicsmembersarea.com
thenuker.com
thesoftwaremembersarea.com
thetvmembersarea.com
to-pdf.com
tool.daurinaycesar.com
tool.thesoftwaremembersarea.com
tools.build-myspace.com
top-free-downloads.com
top-software-downloads.com
topsoftware-reviews.com
torentopia.org
torenttopia.com
torenttopia.org
torrent-topia.com
torrent-topia.org
torrentfreebie.com
tunovelas.com
tv-4-free.com
tv-4-pc.com
tv-par-internet.com
tv-su-pc.com
tv-sur-pc.com
tvparapc.com
tvsupc.com
tweekspace.com
ultimatemoviedownload.com
ultimatemusicnetwork.com
ultimatesoftwaredownload.com
ultimatesoftwaredownloads.com
ultimatetvshow.com
ultra--downloads.com
ultra-download.com
universal-music-downloads.com
unlimitedgamesdownload.com
unlimitedmovienetwork.com
upbill.com
upclk.com
upclkcorp.com
us-federalrecords.com
usa-lostandfound.com
version-2008.com
version-2k8.com
version-officielle.com
version2008.com
version2k7.com
version2k8.com
virusscan2007.com
virusscan2k7.com
virusscan2k8.com
virusscanxp.com
watch-tv-live.com
watchonline.tv
web-sports-tv.com
web-tv-interactive.com
webmail.upclick.com
website-2008.com
webtvinteractive.com
weprotect-u.com
winmx-uk.com
winmx-usa.com
winzip-10.com
wordtopdf.net
worldtv-online.com
ws1.marketengines.com
wsdmks.marketengines.com
wservices.cashengines.com
wservices.marketengines.com
wsoplogin.cashengines.com
wspaysystem.marketengines.com
wstrack.cashengines.com
www.free-2008.com
xp-secure.com
xtrarevenues.com
youbikini.com
your-tv-online.com
yourwebdownloads.com
yousearchandwefind.com

Block by IP range and by name. The hosts files for Smoothwall 3.0 in the Snort Config Samples Project at emergingthreats.net blackholes these domains.

Dancho Danchev's blog of March 20th also reports on this criminal group:
http://ddanchev.blogspot.com/

James

Snort Config Samples Project

The Russian Business Network has migrated with Matt Jonkman from bleedingthreats.net to emergingthreats.net. The project provides instructions, ready to use files and information for those who wish to quickly learn to use Snort Inline and Smoothwall to protect their home network.

You can easily:

• use Snort rules to block unknown viruses and trojans before they reach your home computers
• block 109,000 known hostile domains
• block attackers by IP address
• protect your family from targeted attacks
• employ super smart firewalling that no router/appliance can offer
  

Point your browser to http://doc.emergingthreats.net/bin/view/Main/SnortConfSamples to get tips, tricks and ready to use files.

james mcquaid