Thursday, November 27, 2008

Risk Impact High

Symantec yesterday (11-26-2008) identified a new strain of adware bearing a risk impact of high. Adware.OneStep targets the Firefox browser ( It embeds search results from with hidden advertisements that use size zero iframe tags.
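A defender can check a retrieved page for exactly this trick. The following is an added example, not code from the original post or from Symantec: a small Python scan (the function and class names are mine) that flags iframes whose width/height attributes or inline style make them invisible, run over a constructed HTML sample.

```python
"""Flag iframes that are sized or styled to be invisible.

Added example (not from the original post or Symantec). Hidden advertising
frames of the kind described above are typically given width/height 0 or an
inline style that collapses or hides them.
"""
import re
from html.parser import HTMLParser

# "0", "0px", "0.0em" and "0%" all count as zero
_ZERO = re.compile(r"0+(\.0+)?\s*(px|pt|em|rem|%)?", re.IGNORECASE)
_HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.IGNORECASE)


def _is_zero(value):
    return value is not None and _ZERO.fullmatch(value.strip()) is not None


def _style_value(style, prop):
    """Value of `prop` in an inline style; the lookbehind keeps max-width from matching width."""
    m = re.search(rf"(?<![\w-]){prop}\s*:\s*([^;]+)", style, re.IGNORECASE)
    return m.group(1) if m else None


class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.total = 0      # all iframes seen
        self.hidden = []    # (src, reason) for the suspicious ones

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        self.total += 1
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            if _is_zero(a.get(dim)):
                reasons.append(f"{dim} attribute is zero")
        style = a.get("style", "")
        for dim in ("width", "height"):
            if _is_zero(_style_value(style, dim)):
                reasons.append(f"{dim} style is zero")
        if _HIDDEN_STYLE.search(style):
            reasons.append("style hides the frame")
        if reasons:
            self.hidden.append((a.get("src", ""), "; ".join(reasons)))


def find_hidden_iframes(html):
    """Return [(src, reason), ...] for every iframe that would not be visible."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden


# Constructed sample: one legitimate embed and three hidden ad frames.
SAMPLE_HTML = """
<html><body>
<p>Search results</p>
<iframe src="https://video.example/embed" width="560" height="315"></iframe>
<iframe src="http://ads.example/serve?id=1" width="0" height="0"></iframe>
<iframe src="http://ads.example/serve?id=2" style="width:0px; height:0px; border:0"></iframe>
<iframe src="http://ads.example/serve?id=3" style="max-width:100px; display:none" />
</body></html>
"""

if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe {src}: {reason}")
```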

An examination of reveals additional cause for concern. The proprietor of is Navigation Catalyst Systems, Inc.; the firm was sued by Verizon on April 15th. In that lawsuit,
"Verizon California Inc., Verizon Trademark Services LLC and Verizon Licensing Company alleged that Defendants Navigation Catalyst Systems Inc. and Basic Fusion Inc. have used an automated process to register and use over three million domain names, many of which are confusingly similar to famous or distinctive trademarks owned by others."(
The mass registration of typosquatting domains is a tactic often practiced by the Russian Business Network.

McAfee's Site Advisor service ties to ("When we visited this site, we found that it appears to have a business relationship with, a known provider of adware, spyware or other potentially unwanted programs."). Indeed, shares both its IP address and name server with Other domains at IP address include a variety of sociopathic porn sites (,, etc.), hacker redirect sites (, typosquatter domains (, disreputable medical products and unsafe download sites (, etc.). is also present; waria is a trojan egg dropper which targets Linux and Unix systems. Also, corrupt DNS entries are deliberately employed by; the reverse DNS entry for,, is not whoisable, and no exists.

It is advisable that you block the IP addresses as well as the domain names associated with them; DNS blocking is useful because malware domains often change IP addresses as their owners seek to avoid IP blocking.  - - - - - - and lurk within AS40634, and you may be able to block this entire route (, which appears to be rife with the worst malice.

Tuesday, November 11, 2008

Malware Domain IP Address Migration Rates

Building the Case for Black Hole DNS
by James McQuaid

In measuring the frequency with which malware domains changed IP addresses, I had two goals. One was to quantify enemy tactics, and the other was to evaluate the effectiveness of the tools we employ against them.

After stateful packet inspection, IP address blocking is the most commonly utilized method of securing the perimeter through filtering. Overreliance on IP address blocking has been criticized as inadequate (, and numerous analysts have suggested that it should be utilized in conjunction with Black Hole DNS (BHDNS) ( This may seem to be self-evident, but little data has been available regarding its comparative effectiveness.

I examined malware domains active between October 10th and November 10th 2008, and found that as the life of a malware domain progressed, it was increasingly likely to have its IP address changed. This is the likely result of cybercriminals attempting to evade IP address blocking.

After 7 days, 80% of malware domains retained their initial IP address. 10% were no longer resolving, and 10% of the domains had undergone an IP address change.

After 15 days, 56% of malware domains retained their initial IP address. 21% of malware domains were no longer resolving, and 23% of the domains had undergone an IP address change.

At 30 days, 50% of malware domains retained their initial IP address. 7% of the domains were no longer resolving, and 42% of malware domains had undergone an IP address change.

Malware Domain IP Address Migration Rates

The data indicate that a network administrator who implements IP address blocking on a 30-day update cycle is facing up to a 42% failure rate in the effectiveness of the perimeter filtering policy. The data also imply that the RBN and other malware operators have a strategy of changing the IP address of malware domains in order to evade IP address blocking.
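The measurement above can be reproduced from periodic resolution logs. The following is an added example, not the author's code or data (the function names and the SAMPLE_OBSERVATIONS dataset are constructed here): it classifies each domain at a checkpoint day as retained, changed or dead relative to its day-0 address, carrying the latest observation forward when a probe day is missing so that a missed probe is not counted as a change.

```python
"""Measure how often blacklisted domains change IP address over their lifetime.

Added example, not the author's data or code. Observations are constructed:
day 0 is the day a domain was first listed; an IP of None means the name no
longer resolved on that day.
"""
from collections import Counter

# Constructed sample (RFC 5737 documentation addresses, made-up names).
SAMPLE_OBSERVATIONS = {
    "a.example": [(0, "198.51.100.10"), (7, "198.51.100.10"), (15, "198.51.100.10"), (30, "198.51.100.10")],
    "b.example": [(0, "198.51.100.11"), (7, "198.51.100.11"), (15, "198.51.100.11"), (30, "198.51.100.11")],
    "c.example": [(0, "198.51.100.12"), (7, "198.51.100.12"), (30, "198.51.100.12")],  # no day-15 probe
    "d.example": [(0, "203.0.113.20"), (7, "203.0.113.20"), (15, "203.0.113.20"), (30, "203.0.113.20")],
    "e.example": [(0, "203.0.113.21"), (7, "203.0.113.21"), (15, "203.0.113.21"), (30, "192.0.2.5")],
    "f.example": [(0, "203.0.113.22"), (7, "203.0.113.22"), (15, "192.0.2.6"), (30, "192.0.2.6")],
    "g.example": [(0, "203.0.113.23"), (7, "203.0.113.23"), (15, "192.0.2.7"), (30, None)],
    "h.example": [(0, "198.51.100.13"), (7, "192.0.2.8"), (15, "192.0.2.8"), (30, "192.0.2.9")],
    "i.example": [(0, "198.51.100.14"), (7, None), (15, None), (30, None)],
    "j.example": [(0, "198.51.100.15"), (7, "198.51.100.15"), (15, None), (30, None)],
}


def state_at(history, day):
    """Return (initial_ip, ip_on_day) for one domain.

    The address "on" a day is the latest observation at or before that day, so a
    missed probe does not count as a change. Raises if there is no day-0 record.
    """
    ordered = sorted(history, key=lambda obs: obs[0])
    if not ordered or ordered[0][0] != 0:
        raise ValueError("history must begin with a day-0 observation")
    initial = ordered[0][1]
    current = initial
    for obs_day, ip in ordered:
        if obs_day > day:
            break
        current = ip
    return initial, current


def migration_stats(observations, day):
    """Classify every domain at `day` relative to its day-0 address."""
    counts = Counter()
    for history in observations.values():
        initial, current = state_at(history, day)
        if initial is None:
            continue  # never resolved while listed: nothing to compare against
        if current is None:
            counts["dead"] += 1        # no longer resolving
        elif current == initial:
            counts["retained"] += 1    # IP block taken on day 0 still effective
        else:
            counts["changed"] += 1     # IP block taken on day 0 now misses it
    total = sum(counts.values())
    return {
        "retained": counts["retained"],
        "changed": counts["changed"],
        "dead": counts["dead"],
        "total": total,
        # share of domains that a day-0 IP blocklist no longer covers
        "stale_block_rate": counts["changed"] / total if total else 0.0,
    }


def report(observations, checkpoints=(7, 15, 30)):
    """One line per checkpoint, in the form used in the post."""
    lines = []
    for day in checkpoints:
        s = migration_stats(observations, day)
        lines.append(
            f"day {day:>2}: retained {s['retained'] / s['total']:.0%}, "
            f"dead {s['dead'] / s['total']:.0%}, changed {s['changed'] / s['total']:.0%}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OBSERVATIONS))
```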

Snort Inline offers administrators exponentially greater levels of network protection, providing substantial protection against advanced threats including fast flux malware networks. provides the most comprehensive set of open source Snort signatures which are effective in real-time (

Black Hole DNS (filtering traffic by domain name) provides an effective, inexpensive and widely available method of significantly improving the effectiveness of perimeter firewall filtering policy.

BHDNS is available in conventional DNS as well as in widely deployed home and small business firewalls (such as Smoothwall and IPCop).

You can easily implement BHDNS in conventional DNS. provides complete instructions and domain blacklist files. I maintain a ready-to-go solution for Smoothwall at (

Sunday, September 21, 2008

Darkness At Dawn

Russian organized crime syndicates

Darkness At Dawn can be read online at Google Books. I strongly recommend that you read at least one chapter; it is absolutely riveting reading.

The problem of cybercrime and malware is inextricably linked with the rise to power of organized crime in post-Soviet Russia. The extent to which organized crime has been institutionalized in Russia is indeed shocking, and continues today:

    "under Putin, organized crime — especially in St. Petersburg and Moscow — has been changing. Since he has consolidated power as president, Putin considers organized crime and Barsukov relics of a bygone era. Organized crime groups have, in short, been institutionalized — if not completely swallowed by politicians or legal institutions. For example, until recently, Barsukov worked legally as vice president of the Petersburg Fuel Co. The Tambov group’s control over the four ports it once claimed also has changed; the group still receives large kickbacks on imports and exports, but it does not own the ports and is instead considered port “security.”

    - Stratfor

In Darkness At Dawn, David Satter explains, in vivid detail reminiscent of an early Tom Clancy novel, how this took place, and the terrible price the Russian people have paid. Satter's book provided me with some insight into factors which produced the extreme nationalist mania now gripping Russia.

Anticipating a new dawn of freedom after the disintegration of the Soviet Union, Russians could hardly have foreseen the reality of their future a decade later: a country impoverished and controlled at every level by organized crime. This riveting book views the 1990s reform period through the experiences of individual citizens, revealing the changes that have swept Russia and their effect on Russia’s age-old ways of thinking.

“The Russia that Satter depicts in this brave, engaging book cannot be ignored. Darkness at Dawn should be required reading for anyone interested in the post-Soviet state.” — Christian Caryl, Newsweek

“Satter must be commended for saying what a great many people only dare to think.” — Matthew Brzezinski, Toronto Globe and Mail

“Humane and articulate.” — Raymond Asquith, Spectator

“Vivid, impeccably researched and truly frightening. . . . Western policy-makers, especially in Washington, would do well to study these pages.” — Martin Sieff, United Press International

More details:
Darkness at Dawn: The Rise of the Russian Criminal State
By David Satter
Published by Yale University Press, 2004
ISBN 0300105916, 9780300105919
326 pages

Monday, September 8, 2008

The RBN Operatives: Part II

In mid-August, I wrote that I suspected that long-time RBN operatives Alexandr Boykov and Sergey Smirnov were the individuals most likely responsible for the cyber first strike against Georgia's Internet infrastructure, which preceded Russia's invasion of that country. Given their historical domination of CNet 76.135.167, I continue to hold this view. However, after many hours of investigative work, I have uncovered additional, specific information regarding the lessee of the IP space involved.

What I now know is that sometime between July 18 and July 31, 2008, a Russian cyber criminal named Sergey Astakhov deployed the botnet command and control domains involved in the DDoS attack to Using a fairly advanced RBN DNS obfuscation method, Mr. Astakhov created a multi-headed DNS topology in an attempt to elude discovery. Mr. Astakhov's DNS server, located at IP address also bore an A record address of The domains at used a fast flux DNS method with a twist: most of the time, when one ran a DNS query against them, would be returned. Rarely, (located at would be returned as a result of a DNS query. I had noted this as early as 11 August, but the DNS topology of led nowhere. Similarly, was a dead end.

The following diagram portrays Mr. Astakhov's control over the botnet command and control servers utilized in the cyber first strike:

A twisted DNS topology

The sophistication of the methods used to cloak Mr. Astakhov's identity is remarkable. Combined with the use of privacy-protection services, they could be used to create truly stealthy Internet attack systems, which would make attribution of criminal activity difficult to impossible. In this case, we are fortunate that Mr. Astakhov used his actual name in the WHOIS record for


Shared analysis:

The DNS record at indicates that uses it as a name server, but this information has not been available at itself: DNS

Mr. Astakhov has a history of cyber criminal activity. Note the Artists Against 419 web site entry for Mr. Astakhov's Mr. Astakhov was previously noted as a Zlob trojan distributor at (and that data is still available in Google's cache). Mr. Astakhov's domain is known to install the RBN fake antivirus software xpantivirus 2009; note

I have previously determined that Alexey Vasiliev was responsible for the spam attack which besmirched the President of Georgia:

spam attacker

Saturday, September 6, 2008


By James McQuaid

As early as November 2007, I had corresponded with several security researchers regarding the presence of former customers of the Russian Business Network ISP operating in Atrivo IP space. Over the next several months, as a part of my normal malware investigations, I noted the disproportionate amount of malware within Atrivo. During this time, I was publishing a list of RBN IPs at Matt Jonkman's, and also a blackhole DNS file for Smoothwall. To that end, in March 2008 I completed a survey of all class C networks within Atrivo and incorporated those domains into the Smoothwall blackhole DNS file. I also added all of Atrivo's IP space to the blacklist of RBN IP addresses.

My fights with the Russian mob had started several years earlier when I worked as a programmer at a web hosting firm (the earliest encounter preceded 9-11). The RBN had hacked the fully patched Windows IIS server of the firm's largest client. The network administrator was unable to expel the intruder, and the firm's owner tasked me with resolving the mess. After two days of tightening permissions, and command line combat, I nuked the box. Although I feared that I might be fired, the client subsequently insisted that I take over network administration of all of their servers. Thereafter, it would be a strict scorched earth policy against the RBN.

Over the next couple of years my tactics against the RBN were primarily defensive. By that, I mean that I blocked those IPs and domains that I encountered or read about. It was essentially an avoidance policy, and primarily reactive. This changed when Saint Petersburg black hats targeted the computer of one of my children. That machine was freshly loaded with Windows XP at Christmas, fully patched, and quite well locked down, and I had installed the Panda Platinum security suite (scans were scheduled daily). Within three weeks, the RBN had taken the machine, and installed Kuang II. The intruder had stored some particularly offensive Hentai images on the computer. It was then, in a moment of dizzying cold terror, that I realized that one could not avoid them, and that I needed to actively hunt them.



My initial step was to repartition the hard drives of, and reload, every computer in the house. This included reloading Microsoft Small Business Server 2003 with the open source firewall Smoothwall Express. I had not relied on SBS's firewall, although I employed it; SBS had been positioned behind a Netgear FVS-318 firewall router. With Smoothwall I was able to block IP addresses as well as blacklist domains at the perimeter. Microsoft had made these capabilities unavailable in SBS 2003, and it had a ridiculous number of shares that were impossible to effectively secure. Smoothwall's blocking capability meant that I could perform reconnaissance against cyber criminals and apply the data acquired to my home defense. Thus I began to hunt them with the care that one employs when confronting any dangerous predator.

Flash forward to 2007 when I learned from the Internet Storm Center that Brian Krebs of The Washington Post wanted to interview someone who was blocking the Russian Business Network. I emailed Brian and he subsequently telephoned me. After his now famous articles on the RBN were published, the FBI pressed the Russian government, other networks quit routing their traffic, and the RBN ISP disintegrated. Consequently, the customers of the RBN ISP sortied and a virtual Diaspora of Russian cyber crime was created. We doggedly tracked them into Panama, Malaysia, China, the United States (Atrivo and Optical Jungle), and elsewhere.

When I met the StopBadWare team at Harvard Law's Berkman Center for the Internet and Society for the Berkman@10 Conference in May 2008, I was impressed with StopBadWare's unequivocal attribution of the problems on the Internet to organized crime. It was a fact with which I was well acquainted, but few had been willing to say as much. Jonathan Zittrain also impressed me with his discussions of the power of the generative Internet. Over the Christmas 2007 holiday, Russian cyber criminals had created several thousand exquisitely social-engineered Blogspot pages. Google and StopBadWare had been fighting them since. The attempt to poison Blogspot was a direct threat to the generative Internet, and threatens to seriously diminish the value of the Internet to the entire world. Fortunately, Russia's high profile cyber attacks against Estonia and Georgia seem to have awakened the governments of the democracies to the fact that the problem of cyber crime is serious, and can no longer be ignored.

Over the months of painstakingly investigating Atrivo, we found that cyber crime was no longer merely a cottage industry of Russian ultra nationalists, but had morphed into a multinational enterprise involving large corporations. Please download the PDF of our report, Cyber Crime U.S.A. You will find it engaging reading. Since its release a week ago, and Brian Krebs' articles about it in The Washington Post, Atrivo has given the appearance of being on the ropes. Est and Atrivo are taking down a number of fake anti-virus sites, but not all, and new ones have been introduced. We expect that they will continue to distribute malware through bogus search sites as well as sociopathic porn sites in hopes of going unnoticed. The current activity is an attempt to avoid prosecution, but it does not alter their fundamental economic model, or long-standing contractual obligations and relationships. We will continue to evaluate and scrutinize reports of malware across their networks.

The time for action is now, as the future of a generative Internet hangs in the balance. If the telecommunications industry does not cease routing the traffic of criminal networks, government must step in with physical take downs and prosecutions.


Cyber Crime U.S.A.:

Support for Cyber Crime U.S.A.:

On 13 October 2007, The Washington Post published Brian Krebs' excellent articles on the Russian Business Network:

With respect to events since October 2007, note "The Russians Go Chinese":

and "Russian Business Network: Down, But Not Out":

The following sources have provided timely information:
Jart Armin research:

Dancho Danchev research:

David Bizeul research:

Shadowserver research 'Clarifying the "guesswork" of Criminal Activity':

Utilize the Emerging RBN Rules:

Other Resources:

Monday, August 18, 2008

The RBN Operatives Who Attacked Georgia

In my view, the individuals most directly responsible for carrying out the cyber "first strike" on Georgia are two Russian Business Network operatives, Alexandr A. Boykov and Andrew Smirnov, both of Saint Petersburg, Russia. These men are not "kiddie scripters" (as some have sought to rather narrowly characterize the attackers of Georgia).

Mr. Boykov has been engaged in criminal activity for some time. He is best known for registering and distributing the malware VirusIsolator (which downloads trojans to take control of the victim's computer) (1). He has been directly involved in financial crime, and operated scam sites including: Harbor Lending, Oakwood Lending, and Capital Lending (2). Mr. Boykov is also a purveyor of porn spam (3).

Mr. Smirnov is known for operating a number of scam sites including canadian-pharmacy-support (4) and canadiandiscountmeds (5). Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine (6). The Ukrainian authorities should note that he often travels between Russia and the Ukraine (7).

According to Spamhaus, Ukrainian cyber criminals operate a hosting service in Class C Network Mr. Boykov is considered by many analysts to be the proprietor. It should be noted that opening salvos on Georgia emanated from This was noted as early as the morning of Sunday 10 August by both (8) and Dancho Danchev (9). These opening cyber attacks preceded the large-scale mobilization of Russian nationalist hacktivists. In fact, the Website for the President of Georgia had been under attack since July 20th (10).

In the following days, a very heavy (11) spam campaign was launched purporting to be from the BBC which accuses the President of Georgia of being gay. When an individual clicks on the link in the email, a compromised web site is opened, which downloads a virus from (12). Spamhaus issued a warning regarding the malware at on July 29th in SBL66533 (13). On August 5th, Alexey Vasiliev of Novosibirsk, Russia, one of the Storm worm's authors (14), had a malware domain, freepostcardonline_com, parked at (15).

AbdAllah a/k/a IstanbulTelecom ( has long been a haven for criminal activity. Steven Adair of Shadowserver has previously identified the AbdAllah Internet Hizmetleri group as RBN affiliated (16). Currently, the malware distributing domain antivirus-2008pro_net resolves to (along with ninety-three other dangerous domains). listed the domain as a hazard on May 28th of this year (17). Presently, virus-isolator_com resolves to The whois information for the site no longer lists Mr. Boykov, but was registered through the notorious EstDomains to a Vargendia Limited in Cyprus. Mr. Boykov's *.virusisolator_com, a subdomain of virusisolator, resolves to IP address, as do numerous other virus-isolator sites (18). Such DNS resolution schemes are typical of fast flux and botnet operators. As with many other Russian spammers and cybercriminals, Mr. Smirnov also is now in the process of anonymizing the whois information associated with the spam domains he has registered.

Our research indicates that Mr. Smirnov and Mr. Boykov have exercised administrative level control over this Class C Network (CNet). This is clear in the historical data related to the CNet. The sheer number and frequency of their domains that have moved from IP address to IP address, across the full range of IP addresses in CNet 79.135.167, allows for no other conclusion. Given the degree of control they have historically exercised, it is very likely that they conducted or were a party to the cyber "first strike".

James McQuaid

(7) author's private note

Friday, August 15, 2008

DNS Blackhole for Smoothwall

DNS Blackhole for Smoothwall 3.0 available at Emerging Threats:
This is the most comprehensive DNS blacklist available. These files allow you to blacklist malicious domains by name. This is particularly useful because of the frequency with which the enemy changes the IP addresses of malware domains in an effort to evade IP blocking.

* config-hosts: 175,550 organized crime, RBN affiliates, malware hosts and bad actors blacklisted for Smoothwall 3. Leave last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Updated 8-14-2008.

* hosts: Protect your home from 175,550 bad domains for Smoothwall 3; placed in /var/smoothwall/hosts/. Note: with this many objects in BlackHole, you must use local loopback. Update 8-14-2008: added 3,000 new malware domains.
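Building a blackhole list like the one above, and checking what it actually catches, can be scripted. The following is an added example that is not the Emerging Threats file or Smoothwall's own code; it assumes plain one-name-per-line or hosts-style ("ip name") input and writes standard hosts-file lines pointing at loopback (whether Smoothwall's config file uses exactly that layout is not stated above and is an assumption here). It also shows the caveat that exact hosts-file matching misses subdomains, which a zone-style blackhole in conventional DNS would catch.

```python
"""Build a loopback blackhole hosts list and check what it catches.

Added example, not the Emerging Threats file or Smoothwall's own code. It
assumes plain one-name-per-line or hosts-style ("ip name") input with '#'
comments and writes standard hosts-file lines; the exact Smoothwall config
layout is not described above and is an assumption here.
"""
import re

SINKHOLE = "127.0.0.1"  # local loopback, as required above for large lists
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(raw):
    """Lowercase domain from one input line, or None for blank/comment lines."""
    line = raw.split("#", 1)[0].strip().lower()
    if not line:
        return None
    return line.split()[-1].rstrip(".")  # last field, so hosts-style lines work too


def valid_domain(name):
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def build_hosts(blacklist_text, sinkhole=SINKHOLE):
    """Return (hosts_text, rejected_lines); output ends with a newline so the last line is blank."""
    seen, out, rejected = set(), [], []
    for raw in blacklist_text.splitlines():
        name = normalize(raw)
        if name is None:
            continue
        if not valid_domain(name):
            rejected.append(raw.strip())  # a malformed entry can break the resolver's file
            continue
        if name not in seen:
            seen.add(name)
            out.append(f"{sinkhole} {name}")
    return "\n".join(out) + "\n", rejected


def parse_hosts(hosts_text):
    """Set of names a hosts file sinkholes."""
    return {normalize(l) for l in hosts_text.splitlines() if normalize(l)}


def is_blackholed(hostname, blocked, zone_match=False):
    """Exact hosts-file semantics by default; zone_match=True also blocks every
    subdomain of a listed name, as a DNS blackhole zone for that name would."""
    name = hostname.lower().rstrip(".")
    if name in blocked:
        return True
    if not zone_match:
        return False
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(1, len(labels)))


# Constructed sample: duplicates, a hosts-style line and two malformed entries.
SAMPLE_BLACKLIST = """\
# constructed sample
bad.example
BAD.example.
127.0.0.1 malware-dropper.example
not a domain!
-bad.example
www.bad.example
"""

if __name__ == "__main__":
    hosts, rejected = build_hosts(SAMPLE_BLACKLIST)
    print(hosts, "rejected:", rejected)
    blocked = parse_hosts(hosts)
    print("cdn.bad.example exact:", is_blackholed("cdn.bad.example", blocked))
    print("cdn.bad.example zone :", is_blackholed("cdn.bad.example", blocked, zone_match=True))
```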

For effective protection, you should use anti-spyware and anti-virus products in addition to IP blocking and DNS blacklisting.

I maintain the Snort Config Samples Project at Emerging Threats. Visit for more information.

Thursday, August 14, 2008

OSS arrives

Let friend and foe alike know that the OSS has arrived in Georgia.

Monday, August 11, 2008

Real Time Cyber Attack Details Against Georgia

Russia's SVR Seen Acting in Collusion with the Criminal RBN

Top ace Internet security researcher, Dancho Danchev, indicated late today that it was likely that the Russian Foreign Intelligence service (SVR) was behind the attacks on Georgia's communications infrastructure, "It smells like a three letter intelligence agency’s propaganda arm has managed to somehow supply the creative for the defacement of Georgia President’s official web site, thereby forgetting a simple rule of engagement in such a conflict - risk forwarding the responsibility of the attack to each and every Russian".

In his "Zero Day" column at ZDNet and at his brilliant blog Danchev identified the RBN command and control servers acting on behalf of the Russian government. The RBN is at the crux of malware creation, child pornography, and financial crime on the Internet. The close relationship between these activities and the Russian government may shock soccer moms in the West, but Internet security professionals have long suspected as much.

Earlier this week, the West's top RBN expert Jart Armin identified many of the routing details of the Russian attack on Georgia's communications infrastructure.

Since Danchev published those details 5 hours ago, the Russian mafia/SVR operation has sought to evade detection by changing the DNS servers ( and of their actual command and control location ( from the Turkish Telecom IP address to an IP address ( in the Yamato Life Insurance Building in Japan (DNS server is Meanwhile they have created two new DNS servers and, which they are preparing to bring online between 10:00 pm and 2:00 am EST to act as authoritative name servers for the other attacking command and control servers, domains and botnets.

A complete list of RBN IP addresses, domains, franchisees and affiliates is available at

Georgia, Ukraine and NATO should refer to Dancho Danchev's column for additional details and incisive analysis. Security professionals should DNS Blackhole all of the involved domains, as well as their DNS servers. Given their infamous history, compounded by events of the past several days, it is time that the RBN was officially designated as a terrorist organization by the government of the United States.

James McQuaid

Saturday, August 9, 2008

Russian Cyberattack on Georgia

In line with its information warfare doctrine, the opening salvos of Russia's invasion of Georgia consisted of attacks on Georgia's communications infrastructure. The goal of this activity was to deny Georgia the opportunity to provide its perspective to the international press, and give Russia a corresponding advantage in shaping world opinion.

As documented at, this cyberattack has been systematic and thorough. Its coordinated timing with the Russian conventional attack suggests that the criminal RBN is a military intelligence asset of the Russian government.

Many of Georgia's web servers are now under "unauthorized external control", and some web sites have been defaced. In addition, other Georgian servers are inaccessible due to disruptions by Russia and the RBN in the Internet's routing infrastructure. It should be noted that "AS8342 RTCOMM (Ru), AS12389 ROSTELECOM (Ru), AS9121 TTNet Autonomous System Turk Telekom (Tk) are well known to be under the control of RBN and influenced by the Russian government."

As noted in the August 8th editorial by The Washington Post, "Russian military probes, always denied by Moscow, have been frequent in recent years. But certainly the deeper source of tension between the two countries is Russia's insistence on maintaining hegemony in the Caucasus. Georgia's democratically elected government has accepted U.S. military and economic aid, supported the mission in Iraq and pursued NATO membership. Moscow will not tolerate such independence -- even by a relatively poor country of just 4.6 million people."

The Russian government's use of murder, extortion and blackmail in pursuit of political and economic policy goals has been well documented in the past several years. Europe, the United States, and the world at large will proceed from this point wary of the Russian mafia state.

For the purpose of circumventing the Russian cyber blockade of Georgia, I am reproducing below an official statement of the government of Georgia:

Mikhail Saakashvili, President of Georgia

"Georgia seeks peaceful resolution to the conflict in South Ossetia Georgian troops mobilize to protect civilian population from rebel attacks TBILISI – Sat 09 August 2008 –

The Government of Georgia has sought to defuse the tense and violent situation in the South Ossetia region yesterday by declaring a unilateral ceasefire and appealing to the leadership of the separatist rebels to begin talks with the State Minister for Reintegration Temuri Yakobashvili. Despite calls for peace, separatist rebels continued to attack Georgian police posts and the civilian population.

Initially government forces did not return fire. However, at 8:30pm the village of Avnevi came under fire from separatists and the village was almost completely destroyed. The government-controlled village of Prisi also came under attack by separatists, which left several people wounded.

In response to separatist attacks on government-controlled villages, Georgian Armed Forces occupied several villages in South Ossetia early this morning. At around 5:30am, Russian Federation forces began moving into the conflict zone through the Roki tunnel, which connects Russia and Georgia and has been an entry point for the illegal transfer and sale of arms to separatist rebels. Two additional Russian units entered into Georgia through the Roki tunnel around 8:00am. The first Russian unit that entered Georgia through the Roki tunnel was killed as they attempted to cross the Gufta Bridge, which was also destroyed in the operation conducted by the government’s air command.

The Russian air force has also been conducting military operations in Georgia. Military fighter planes dropped bombs in four towns. The Russian air force also bombed the villages of Variani, injuring seven civilians, and dropped three bombs on Gori. The OSCE has confirmed the Gori operation was conducted by the Russian air force. So far several people have been killed and wounded, including innocent civilians.

In an effort to protect the civilian population, the President of Georgia Mikhail Saakashvili declared a unilateral ceasefire to be in effect between 3:00pm – 6:00pm Friday. During this time, the civilian population and the separatists were invited to cross the line of control. The government has also provided humanitarian assistance and full amnesty for those separatists that choose to surrender. As of 2:30pm, Georgian forces controlled 100% of Tskhinvali with just a few small groups still resisting government presence. Despite the ceasefire, Russia continued to take aggressive military action within Georgian territory.

At 4:30pm and 5:35pm, Russian military aircraft bombed a Georgian military base in Marneuli three times, in the southern part of the country about 30 kilometres from Tbilisi, resulting in the destruction of grounded Georgian military equipment, severe damage to a number of buildings, and several casualties.

Russian military aircraft also entered Georgian airspace at 3:05pm and dropped two bombs on the Georgian military airbase in Vaziani, just on the outskirts of the capital."

Friday, August 8, 2008

Stop the Russian Mafia state

Both Senator Barack Obama and Senator John McCain have demanded that Russia withdraw from Georgia. The Washington Post has just published an editorial calling on the West to stop Russia. If we fail to do so, we can expect more predatory violence from the Russian Mafia state.

"Stopping Russia
The U.S. and its allies must unite against Moscow's war on Georgia.

THE OUTBREAK of fighting between Russia and the former Soviet republic of Georgia was sudden but not surprising. Conflict has been brewing between Moscow and its tiny, pro-Western neighbor for months. The flashpoints are two breakaway Georgian provinces, Abkhazia and South Ossetia -- the latter being the scene of the latest fighting. The skirmishing and shelling around Georgian villages that prompted Georgian President Mikheil Saakashvili to launch an offensive against the South Ossetian capital, Tskhinvali, may or may not have been a deliberate Russian provocation, to which Russia's tank and air assault was the inevitable follow-up. Russian military probes, always denied by Moscow, have been frequent in recent years. But certainly the deeper source of tension between the two countries is Russia's insistence on maintaining hegemony in the Caucasus. Georgia's democratically elected government has accepted U.S. military and economic aid, supported the mission in Iraq and pursued NATO membership. Moscow will not tolerate such independence -- even by a relatively poor country of just 4.6 million people.

At its summit in Bucharest, Romania, in April, NATO offered Georgia eventual membership. This was not the more concrete promise that Georgia, and the Bush administration, had wanted. But Tbilisi and Washington settled for less in deference to European NATO members who wanted to avoid inflaming Russia. It didn't work, because Moscow responded by increasing its ties to Abkhazia and South Ossetia, including by beefing up the "peacekeeping" forces it maintains in both regions under the settlement that concluded Moscow-backed secessionist wars in the early 1990s. Even before these latest maneuvers, Russia had issued passports to most inhabitants of the two breakaway regions, which is why it claims to be defending its own people now.

It's doubtful, though not unthinkable, that Russia actually plans to conquer all of Georgia. But its objectives are no less cynical for that. Simply by keeping the country in a constant state of territorial division and conflict, it hopes to show NATO that Georgia is too unstable for membership -- thus giving Georgia no choice but to submit to Moscow's "influence." Probably Russia intends to administer a quick military "punishment" (as Russian President Dmitry Medvedev described Moscow's war aim) to Mr. Saakashvili, and then restore some version of the unstable status quo ante.

This is a grave challenge to the United States and Europe. Ideally, the U.N. Security Council would step in, authorizing a genuine peacekeeping force to replace the Russian one that has turned into a de facto occupation of Abkhazia and South Ossetia. But a Russian veto rules that out. Thus, the United States and its NATO allies must together impose a price on Russia if it does not promptly change course. The principles at stake, including sovereignty and territorial integrity, apply well beyond the Caucasus. To abandon Georgia and its fragile democratic Rose Revolution would send a terrible signal to other former Soviet and Warsaw Pact republics that to Moscow's dismay have achieved or are working toward democracy and fully independent foreign policies. The West has made that sort of mistake before and must not do so again."

Sunday, July 13, 2008

The Snort Config Samples Project
The Snort Config Samples Project provides instructions, ready to use files, and information for those who wish to quickly learn to use Snort Inline and Smoothwall to protect their home network. You can easily:

  • deploy Snort rules to block unknown viruses and trojans before they reach your home computers
  • block 172,000 known hostile domains
  • block attackers by IP address
  • protect your family from hacking
  • employ super smart firewalling that no router/appliance can offer
  • Visit for Honeywall installation instructions and Smoothwall-based domain blocking, and to shut out the Russian Business Network.

Friday, March 14, 2008

Interactive Brands Targets Consumers

Interactive Brands is targeting the customers of Adobe, Ad Aware, AntiVir, McAfee, MySpace, Norton, Panda, and Spybot Search and Destroy. The malicious typosquatting technique has proven effective in the past. On Friday evening (March 14), CNet 63.243.188 included the following domains (CNet query through

Block by IP range and by name. The hosts files for Smoothwall 3.0 in the Snort Config Samples Project at blackholes these domains.

Dancho Danchev's blog of March 20th also reports on this criminal group:


Saturday, February 2, 2008

Snort Config Samples Project

The Russian Business Network has migrated with Matt Jonkman from to The project provides instructions, ready to use files and information for those who wish to quickly learn to use Snort Inline and Smoothwall to protect their home network.

You can easily:
• use Snort rules to block unknown viruses and trojans before they reach your home computers
• block 109,000 known hostile domains
• block attackers by IP address
• protect your family from targeted attacks
• employ super smart firewalling that no router/appliance can offer

Point your browser to to get tips, tricks and ready to use files.

james mcquaid

Multi-Layered Network Defense with Snort Inline and Smoothwall