Thursday, November 27, 2008

Risk Impact High

Symantec yesterday (11-26-2008) identified a new strain of adware bearing a risk impact of high. Adware.OneStep targets the Firefox browser (http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2). It embeds search results from onestepsearch.net with hidden advertisements that use size zero iframe tags.

An examination of onestepsearch.net reveals additional cause for concern. The proprietor of onestepsearch.net is Navigation Catalyst Systems, Inc.; the firm was sued by Verizon on April 15th. In that lawsuit,
"Verizon California Inc., Verizon Trademark Services LLC and Verizon Licensing Company alleged that Defendants Navigation Catalyst Systems Inc. and Basic Fusion Inc. have used an automated process to register and use over three million domain names, many of which are confusingly similar to famous or distinctive trademarks owned by others."(http://news.justia.com/cases/featured/california/cacdce/2:2008cv02463/413394/)
The mass registration of typosquatting domains is a tactic often practiced by the Russian Business Network.

McAfee's Site Advisor service ties navigationcatalyst.com to qsrch.com ("When we visited this site, we found that it appears to have a business relationship with New.net, a known provider of adware, spyware or other potentially unwanted programs."). Indeed, onestepsearch.net shares both its IP address and name server with qsrch.com. Other domains at IP address 208.87.149.250 include a variety of sociopathic porn sites (teenagefucksluts.com, has.seen.godscock.net, etc.), hacker redirect sites (justgotpwned.com), typosquatter domains (blogpspot.com), disreputable medical products and unsafe download sites (01computersoftwar.biz, etc.). Waria.vg is also present; waria is a trojan egg dropper which targets Linux and Unix systems. Also, corrupt DNS entries are deliberately employed by onestepsearch.net; the reverse DNS entry for onestepsearch.net, 250.f.com, is not whoisable, and no f.com exists.

It is advisable that you block the IP addresses as well as the domain names associated with onestepsearch.net. DNS blocking is useful because malware domains often change IP addresses as their owners seek to avoid IP blocking.

onestepsearch.net  - 208.87.149.250
ns1.onestepsearch.net - 209.128.80.137
ns2.onestepsearch.net - 209.128.80.138
ns3.onestepsearch.net - 209.128.76.101
ns4.onestepsearch.net - 209.128.76.102
mail01.quadzemail.com - 208.87.148.231

onestepsearch.net and quadzemail.com lurk within AS40634, and you may be able to block this entire route (208.87.148.0/23), which appears to be rife with the worst malice.
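To make the point about IP blocking versus name blocking concrete, here is an added example (not code from the original post) that applies the post's block list in two ways: by address (the listed IPs plus the 208.87.148.0/23 route) and by name (suffix matching on the two zones). It runs both checks over a few constructed resolver log lines; the log format and the hostnames other than those listed above are assumptions for the example.

```python
import ipaddress
import re

# Block list as given in the post: hostname -> last observed address
BLOCKED_HOSTS = {
    "onestepsearch.net": "208.87.149.250",
    "ns1.onestepsearch.net": "209.128.80.137",
    "ns2.onestepsearch.net": "209.128.80.138",
    "ns3.onestepsearch.net": "209.128.76.101",
    "ns4.onestepsearch.net": "209.128.76.102",
    "mail01.quadzemail.com": "208.87.148.231",
}
# Whole route the post suggests blocking (AS40634 prefix)
BLOCKED_ROUTES = [ipaddress.ip_network("208.87.148.0/23")]
# Zones to sink by name; any subdomain of these is matched by suffix
BLOCKED_ZONES = {"onestepsearch.net", "quadzemail.com"}


def ip_blocked(ip):
    """True if the address is a listed IP or falls inside a blocked route."""
    addr = ipaddress.ip_address(ip)
    if ip in BLOCKED_HOSTS.values():
        return True
    return any(addr in net for net in BLOCKED_ROUTES)


def domain_blocked(name):
    """True if the name is a blocked zone or a subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == zone or name.endswith("." + zone) for zone in BLOCKED_ZONES)


# Constructed resolver log (assumed format): "<time> <client> <qname> -> <answer>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")
SAMPLE_LOG = """\
12:00:01 10.0.0.5 onestepsearch.net -> 208.87.149.250
12:00:07 10.0.0.9 www.example.org -> 192.0.2.10
12:01:15 10.0.0.5 cdn.onestepsearch.net -> 198.51.100.77
12:02:30 10.0.0.7 mail01.quadzemail.com -> 208.87.148.231
"""


def classify(log_text):
    """Return (qname, answer, verdict) per log line.

    verdict is "both", "ip-only", "dns-only" or "allowed"; "dns-only" is the
    case the post warns about: the domain has moved to an address outside the
    block list, so only the name-based block still catches it.
    """
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _, _, qname, answer = m.groups()
        by_ip = ip_blocked(answer)
        by_name = domain_blocked(qname)
        if by_ip and by_name:
            verdict = "both"
        elif by_name:
            verdict = "dns-only"
        elif by_ip:
            verdict = "ip-only"
        else:
            verdict = "allowed"
        results.append((qname, answer, verdict))
    return results


if __name__ == "__main__":
    for qname, answer, verdict in classify(SAMPLE_LOG):
        print(f"{qname:28} {answer:16} {verdict}")
```

The third sample line is the interesting one: a subdomain of onestepsearch.net resolving to an address that is neither listed nor inside the /23 is missed by the IP filter and caught only by the name filter, which is why the post recommends running both.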

Tuesday, November 11, 2008

Malware Domain IP Address Migration Rates

Building the Case for Black Hole DNS
by James McQuaid


In measuring the frequency with which malware domains changed IP addresses, I had two goals. One was to quantify enemy tactics, and the other was to evaluate the effectiveness of the tools we employ against them.

After stateful packet inspection, IP address blocking is the most commonly utilized method of securing the perimeter through filtering. Overreliance on IP address blocking has been criticized as inadequate (http://blog.fireeye.com/research/2008/11/the-case-against-url-blacklists.html), and numerous analysts have suggested that it should be utilized in conjunction with Black Hole DNS (BHDNS) (http://malwaredomains.com/). This may seem to be self-evident, but little data has been available regarding its comparative effectiveness.

I examined malware domains active between October 10th and November 10th 2008, and found that as the life of a malware domain progressed, it was increasingly likely to have its IP address changed. This is the likely result of cybercriminals attempting to evade IP address blocking.

After 7 days, 80% of malware domains retained their initial IP address. 10% were no longer resolving, and 10% of the domains had undergone an IP address change.

After 15 days, 56% of malware domains retained their initial IP address. 21% of malware domains were no longer resolving, and 23% of the domains had undergone an IP address change.

At 30 days, 50% of malware domains retained their initial IP address. 7% of the domains were no longer resolving, and 42% of malware domains had undergone an IP address change.

Malware Domain IP Address Migration Rates

The data indicate that a network administrator who implements IP address blocking on a 30-day update cycle is facing up to a 42% failure rate in the effectiveness of the perimeter filtering policy. The data also imply that the RBN and other malware operators have a strategy of changing the IP address of malware domains in order to evade IP address blocking.
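The measurement described above, as an added example that is not the post's own code or data: each domain is observed on day 0 and again on a later day, and is then classed as retained (same address), no longer resolving (NXDOMAIN), or changed. The observation records are constructed for illustration, and the "changed" share is exactly the failure rate of an IP block list built on day 0 and not refreshed since.

```python
from collections import defaultdict

# Constructed observation records (not the post's data): "<day> <domain> <answer>",
# where answer is the A record seen that day or NXDOMAIN.
OBSERVATIONS = """\
0 bad-a.example 198.51.100.10
0 bad-b.example 198.51.100.11
0 bad-c.example 198.51.100.12
0 bad-d.example 198.51.100.13
0 bad-e.example 198.51.100.14
7 bad-a.example 198.51.100.10
7 bad-b.example 198.51.100.11
7 bad-c.example 203.0.113.5
7 bad-d.example NXDOMAIN
7 bad-e.example 198.51.100.14
30 bad-a.example 198.51.100.10
30 bad-b.example 203.0.113.9
30 bad-c.example 203.0.113.5
30 bad-d.example NXDOMAIN
30 bad-e.example 203.0.113.20
"""


def parse(text):
    """Return {domain: {day: answer}} from the record format above."""
    table = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        day, domain, answer = parts
        table[domain][int(day)] = answer
    return table


def migration_rates(table, day):
    """Classify every domain that resolved on day 0 by its state on `day`.

    Returns percentages {"retained", "not_resolving", "changed"} of the day-0
    cohort; domains with no observation on `day` are left out of the cohort.
    """
    counts = {"retained": 0, "not_resolving": 0, "changed": 0}
    for by_day in table.values():
        initial = by_day.get(0)
        latest = by_day.get(day)
        if initial is None or initial == "NXDOMAIN" or latest is None:
            continue
        if latest == "NXDOMAIN":
            counts["not_resolving"] += 1
        elif latest == initial:
            counts["retained"] += 1
        else:
            counts["changed"] += 1
    total = sum(counts.values())
    if total == 0:
        return {k: 0.0 for k in counts}
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


def ip_block_failure_rate(table, day):
    """Share of domains an unrefreshed day-0 IP block list would miss on `day`."""
    return migration_rates(table, day)["changed"]


if __name__ == "__main__":
    table = parse(OBSERVATIONS)
    for day in (7, 30):
        print(day, migration_rates(table, day), "failure:", ip_block_failure_rate(table, day))
```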

Snort Inline offers administrators exponentially greater levels of network protection, providing substantial protection against advanced threats including fast flux malware networks. emergingthreats.net provides the most comprehensive set of open source Snort signatures which are effective in real-time (http://doc.emergingthreats.net/bin/view/Main/AllRulesets).

Black Hole DNS (filtering traffic by domain name) provides an effective, inexpensive and widely available method of significantly improving the effectiveness of perimeter firewall filtering policy.

BHDNS is available in conventional DNS as well as in widely deployed home and small business firewalls (such as Smoothwall and IPCop).

You can easily implement BHDNS in conventional DNS. malwaredomains.com provides complete instructions and domain blacklist files. I maintain a ready-to-go solution for Smoothwall at emergingthreats.net (http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples).

Sunday, September 21, 2008

Darkness At Dawn


Russian organized crime syndicates


Darkness At Dawn can be read online at Google books http://books.google.com/books?id=i-t6jle71ToC. I strongly recommend that you read at least one chapter; it is absolutely riveting reading.

The problem of cybercrime and malware is inextricably linked with the rise to power of organized crime in post-Soviet Russia. The extent to which organized crime has been institutionalized in Russia is indeed shocking, and continues to today:

    "under Putin, organized crime — especially in St. Petersburg and Moscow — has been changing. Since he has consolidated power as president, Putin considers organized crime and Barsukov relics of a bygone era. Organized crime groups have, in short, been institutionalized — if not completely swallowed by politicians or legal institutions. For example, until recently, Barsukov worked legally as vice president of the Petersburg Fuel Co. The Tambov group’s control over the four ports it once claimed also has changed; the group still receives large kickbacks on imports and exports, but it does not own the ports and is instead considered port “security.”"

    - Stratfor

    http://www.stratfor.com/russia_kremlin_strikes_tambov_group

In Darkness At Dawn, David Satter explains, in vivid detail reminiscent of an early Tom Clancy novel, how this took place, and the terrible price the Russian people have paid. Satter's book provided me with some insight into the factors which produced the extreme nationalist mania now gripping Russia.

Anticipating a new dawn of freedom after the disintegration of the Soviet Union, Russians could hardly have foreseen the reality of their future a decade later: a country impoverished and controlled at every level by organized crime. This riveting book views the 1990s reform period through the experiences of individual citizens, revealing the changes that have swept Russia and their effect on Russia’s age-old ways of thinking.

“The Russia that Satter depicts in this brave, engaging book cannot be ignored. Darkness at Dawn should be required reading for anyone interested in the post-Soviet state.” — Christian Caryl, Newsweek

“Satter must be commended for saying what a great many people only dare to think.” — Matthew Brzezinski, Toronto Globe and Mail

“Humane and articulate.” — Raymond Asquith, Spectator

“Vivid, impeccably researched and truly frightening. . . . Western policy-makers, especially in Washington, would do well to study these pages.” — Martin Sieff, United Press International

More details:
Darkness at Dawn: The Rise of the Russian Criminal State
By David Satter
Published by Yale University Press, 2004
ISBN 0300105916, 9780300105919
326 pages

Monday, September 8, 2008

The RBN Operatives: Part II

In mid-August, I wrote that I suspected that long-time RBN operatives Alexandr Boykov and Sergey Smirnov were the individuals most likely responsible for the cyber first strike against Georgia's Internet infrastructure, which preceded Russia's invasion of that country. Given their historical domination of CNet 76.135.167, I continue to hold this view. However, after many hours of investigative work, I have uncovered additional, specific information regarding the lessee of the IP space involved.

What I now know is that sometime between July 18 and July 31, 2008, a Russian cyber criminal named Sergey Astakhov deployed the botnet command and control domains involved in the DDoS attack to 76.135.167.22. Using a fairly advanced RBN DNS obfuscation method, Mr. Astakhov created a multi-headed DNS topology in an attempt to elude discovery. Mr. Astakhov's DNS server, judex.cn, located at IP address 210.145.102.19, also bore an A record address of 79.135.167.22. The domains at 79.135.167.22 used a fast flux DNS method with a twist: most of the time, when one ran a DNS query against them, ns1.guagua.net would be returned. Rarely, ns1.srv.com (located at 210.145.102.19) would be returned as the result of a DNS query. I had noted this as early as 11 August, but the DNS topology of ns1.srv.com led nowhere. Similarly, judex.com was a dead end.
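The pattern described above (a name server that appears only in a small minority of answers for the same domain) is something a defender can pick out of repeated lookups. The following is an added example, not code from the post: it tallies NS answers per queried name from a constructed log, reports the rarely returned name servers together with their (constructed) A records, and collects the names worth sinking together. All hostnames and addresses in it are made up for the example; the 25% share threshold is an assumption.

```python
from collections import Counter, defaultdict

# Constructed log of repeated NS lookups (not the post's data): "<time> <qname> <ns_answer>"
NS_LOG = """\
t1 target.example ns1.primary.example
t2 target.example ns1.primary.example
t3 target.example ns1.primary.example
t4 target.example ns1.rare.example
t5 target.example ns1.primary.example
t6 target.example ns1.primary.example
t1 stable.example ns1.stable.example
t2 stable.example ns1.stable.example
t3 stable.example ns1.stable.example
"""

# Constructed A records for the name servers seen in the log
NS_A_RECORDS = {
    "ns1.primary.example": "198.51.100.1",
    "ns1.rare.example": "203.0.113.19",
    "ns1.stable.example": "192.0.2.53",
}


def ns_answers(log_text):
    """Return {qname: Counter(ns_host -> times returned)} from the log format above."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            _, qname, ns = parts
            seen[qname][ns.lower().rstrip(".")] += 1
    return seen


def find_rare_nameservers(seen, max_share=0.25):
    """For each qname answered by more than one NS, list the minority answers.

    A name server returned in at most `max_share` of the queries is reported with
    its A record, so the host it points at can be examined and blocked as well.
    """
    findings = {}
    for qname, counter in seen.items():
        if len(counter) < 2:
            continue  # a single, consistent NS answer is not the pattern of interest
        total = sum(counter.values())
        rare = sorted((ns, NS_A_RECORDS.get(ns, "unknown"))
                      for ns, n in counter.items() if n / total <= max_share)
        if rare:
            findings[qname] = rare
    return findings


def hosts_to_block(findings):
    """Names worth sinking together: the queried domain and every rare NS seen for it."""
    names = set()
    for qname, rare in findings.items():
        names.add(qname)
        names.update(ns for ns, _ in rare)
    return names


if __name__ == "__main__":
    findings = find_rare_nameservers(ns_answers(NS_LOG))
    for qname, rare in findings.items():
        print(qname, "->", rare)
    print("block:", sorted(hosts_to_block(findings)))
```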

The following diagram portrays Mr. Astakhov's control over the botnet command and control servers utilized in the cyber first strike:


A twisted DNS topology


The sophistication of the methods used to cloak Mr. Astakhov's identity is remarkable. Combined with the use of privacy-protection type services, they could be used to create truly stealthed Internet attack systems, which would make attribution of criminal activity difficult to impossible. In this case, we are fortunate that Mr. Astakhov used his actual name in the WhoIs record for judex.cn.


WhoIs judex.cn



Shared analysis: judex.cn


The DNS record at judex.cn indicates that guagua.net uses it as a name server, but this information has not been available at guagua.net itself:

judex.cn DNS


Mr. Astakhov has a history of cyber criminal activity. Note the Artists Against 419 web site entry for Mr. Astakhov's alexexpress.com: http://db.aa419.org/fakebanksview.php?key=28770. Mr. Astakhov was previously noted as a Zlob trojan distributor at malwaredomainlist.com (and that data is still available in Google's cache). Mr. Astakhov's domain theworldnews5.com is known to install the RBN fake antivirus software xpantivirus 2009; note http://forum.hosts-file.net/viewtopic.php?f=9&p=4511.

I have previously determined that Alexey Vasiliev was responsible for the spam attack which besmirched the President of Georgia:

spam attacker

Saturday, September 6, 2008

BEHIND THE MAKING OF THE ATRIVO TAKEDOWN

By James McQuaid

As early as November 2007, I had corresponded with several security researchers regarding the presence of former customers of the Russian Business Network ISP operating in Atrivo IP space. Over the next several months, as a part of my normal malware investigations, I noted the disproportionate amount of malware within Atrivo. During this time, I was publishing a list of RBN IPs at Matt Jonkman's emergingthreats.net, and also a blackhole DNS file for Smoothwall. To that end, in March 2008 I completed a survey of all class C networks within Atrivo and incorporated those domains into the Smoothwall blackhole DNS file. I also added all of Atrivo's IP space to the blacklist of RBN IP addresses.

My fights with the Russian mob had started several years earlier when I worked as a programmer at a web hosting firm (the earliest encounter preceded 9-11). The RBN had hacked the fully patched Windows IIS server of the firm's largest client. The network administrator was unable to expel the intruder, and the firm's owner tasked me with resolving the mess. After two days of tightening permissions, and command line combat, I nuked the box. Although I feared that I might be fired, the client subsequently insisted that I take over network administration of all of their servers. Thereafter, it would be a strict scorched earth policy against the RBN.

Over the next couple of years my tactics against the RBN were primarily defensive. By that, I mean that I blocked those IPs and domains that I encountered or read about. It was essentially an avoidance policy, and primarily reactive. This changed when Saint Petersburg black hats targeted the computer of one of my children. That machine was freshly loaded with Windows XP at Christmas, fully patched, and quite well locked down, and I had installed the Panda Platinum security suite (scans were scheduled daily). Within three weeks, the RBN had taken the machine, and installed Kuang II. The intruder had stored some particularly offensive Hentai images on the computer. It was then, in a moment of dizzying cold terror, that I realized that one could not avoid them, and that I needed to actively hunt them.



My initial step was to repartition the hard drives of, and reload, every computer in the house. This included reloading Microsoft Small Business Server 2003 with the open source firewall Smoothwall Express. I had not relied on SBS's firewall, although I employed it; SBS had been positioned behind a Netgear FVS-318 firewall router. With Smoothwall I was able to block IP addresses as well as blacklist domains at the perimeter. Microsoft had made these capabilities unavailable in SBS 2003, and it had a ridiculous number of shares that were impossible to effectively secure. Smoothwall's blocking capability meant that I could perform reconnaissance against cyber criminals, and apply the data acquired to my home defense. Thus I began to hunt them with the care that one employs when confronting any dangerous predator.

Flash forward to 2007 when I learned from the Internet Storm Center that Brian Krebs of The Washington Post wanted to interview someone who was blocking the Russian Business Network. I emailed Brian and he subsequently telephoned me. After his now famous articles on the RBN were published, the FBI pressed the Russian government, other networks quit routing their traffic, and the RBN ISP disintegrated. Consequently, the customers of the RBN ISP sortied and a virtual Diaspora of Russian cyber crime was created. We doggedly tracked them into Panama, Malaysia, China, the United States (Atrivo and Optical Jungle), and elsewhere.

When I met the StopBadWare team at Harvard Law's Berkman Center for the Internet and Society for the Berkman@10 Conference in May 2008, I was impressed with StopBadWare's unequivocal attribution of the problems on the Internet to organized crime. It was a fact with which I was well acquainted, but few had been willing to say as much. Jonathan Zittrain also impressed me with his discussions of the power of the generative Internet. Over the Christmas 2007 holiday, Russian cyber criminals had created several thousands of exquisitely social engineered Blogspot pages. Google and StopBadWare had been fighting them since. The attempt to poison Blogspot was a direct threat to the generative Internet, and threatens to seriously diminish the value of the Internet to the entire world. Fortunately, Russia's high profile cyber attacks against Estonia and Georgia seem to have awakened the governments of the democracies that the problem of cyber crime is serious, and can no longer be ignored.

Over the months of painstakingly investigating Atrivo, we found that cyber crime was no longer merely a cottage industry of Russian ultra nationalists, but had morphed into a multinational enterprise involving large corporations. Please download the PDF of our report, Cyber Crime U.S.A. You will find it engaging reading. Since its release a week ago, and Brian Krebs' articles about it in The Washington Post, Atrivo has given the appearance of being on the ropes. Est and Atrivo are taking down a number of fake anti-virus sites, but not all, and new ones have been introduced. We expect that they will continue to distribute malware through bogus search sites as well as sociopathic porn sites in hopes of going unnoticed. The current activity is an attempt to avoid prosecution, but it does not alter their fundamental economic model, or long-standing contractual obligations and relationships. We will continue to evaluate and scrutinize reports of malware across their networks.

The time for action is now, as the future of a generative Internet hangs in the balance. If the telecommunications industry does not cease routing the traffic of criminal networks, government must step in with physical take downs and prosecutions.



Notes:

Cyber Crime U.S.A.:
http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html
http://voices.washingtonpost.com/securityfix/2008/09/scam-heavy_us_isp_grows_more_i.html

Support for Cyber Crime U.S.A.:
http://www.avertlabs.com/research/blog/index.php/2008/09/04/the-darksides-domains/
http://www.spamhaus.org/news.lasso?article=636
http://msmvps.com/blogs/hostsnews/archive/2008/09/03/1646589.aspx
http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/
http://blog.stopbadware.org/2008/08/28/report-calls-out-atrivo-intercage-and-affiliates
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080906
http://www.circleid.com/posts/89610_cyber_crime_an_economic_problem/

On 13 October 2007,
The Washington Post published Brian Krebs' excellent articles on the Russian Business Network:
http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html
http://blog.washingtonpost.com/securityfix/2007/10/taking_on_the_russian_business.html
http://www.washingtonpost.com/wp-dyn/content/story/2007/10/12/ST2007101202661.html?hpid=moreheadlines
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101201700.html?sub=new

With respect to events since October 2007, note "The Russians Go Chinese":
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829

and "Russian Business Network: Down, But Not Out":
http://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html

The following sources have provided timely information:
Jart Armin research: http://rbnexploit.blogspot.com

Dancho Danchev research: http://ddanchev.blogspot.com

David Bizeul research: http://isc.sans.org/presentations/RBN_study.pdf

Shadowserver research 'Clarifying the "guesswork" of Criminal Activity':
http://www.shadowserver.org/wiki/uploads/Information/RBN-AS40989.pdf

Utilize the Emerging RBN Rules:
http://docs.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

Other Resources:
http://www.bytecrime.org/
http://www.fbi.gov/cyberinvest/cyberhome.htm
http://cyber.law.harvard.edu/
http://cyber.law.harvard.edu/events/berkmanat10
http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples
http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

Monday, August 18, 2008

The RBN Operatives Who Attacked Georgia

In my view, the individuals most directly responsible for carrying out the cyber "first strike" on Georgia are two Russian Business Network operatives, Alexandr A. Boykov and Andrew Smirnov, both of Saint Petersburg, Russia. These men are not "kiddie scripters" (as some have sought to rather narrowly characterize the attackers of Georgia).

Mr. Boykov has been engaged in criminal activity for some time. He is best known for registering and distributing the malware VirusIsolator (which downloads trojans to take control of the victim's computer) (1). He has been directly involved in financial crime, and operated scam sites including: Harbor Lending, Oakwood Lending, and Capital Lending (2). Mr. Boykov is also a purveyor of porn spam (3).

Mr. Smirnov is known for operating a number of scam sites including canadian-pharmacy-support (4) and canadiandiscountmeds (5). Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine (6). The Ukrainian authorities should note that he often travels between Russia and the Ukraine (7).

According to Spamhaus, Ukrainian cyber criminals operate a hosting service in Class C Network 79.135.167.0/24. Mr. Boykov is considered by many analysts to be the proprietor. It should be noted that the opening salvos on Georgia emanated from 79.135.167.22. This was noted as early as the morning of Sunday 10 August by both Shadowserver.org (8) and Dancho Danchev (9). These opening cyber attacks preceded the large-scale mobilization of Russian nationalist hacktivists. In fact, the Website for the President of Georgia had been under attack since July 20th (10).

In the following days, a very heavy (11) spam campaign was launched purporting to be from the BBC, which accuses the President of Georgia of being gay. When an individual clicks on the link in the email, a compromised web site is opened, which downloads a virus from 79.135.167.49 (12). Spamhaus issued a warning regarding the malware at 79.135.167.49 on July 29th in SBL66533 (13). On August 5th, Alexey Vasiliev of Novosibirsk, Russia, one of the Storm worm's authors (14), had a malware domain, freepostcardonline_com, parked at 79.135.167.49 (15).

AbdAllah a/k/a IstanbulTelecom (79.135.167.0/24) has long been a haven for criminal activity. Steven Adair of Shadowserver has previously identified the AbdAllah Internet Hizmetleri group as RBN affiliated (16). Currently, the malware distributing domain antivirus-2008pro_net resolves to 79.135.167.54 (along with ninety-three other dangerous domains). Malwaredomains.com listed the domain as a hazard on May 28th of this year (17). Presently, virus-isolator_com resolves to 79.135.167.54. The whois information for the site no longer lists Mr. Boykov, but was registered through the notorious EstDomains to a Vargendia Limited in Cyprus. Mr. Boykov's *.virusisolator_com, a subdomain of virusisolator, resolves to IP address 217.170.77.150, as do numerous other virus-isolator sites (18). Such DNS resolution schemes are typical of fast flux and botnet operators. As with many other Russian spammers and cybercriminals, Mr. Smirnov also is now in the process of anonymizing the whois information associated with the spam domains he has registered.

Our research indicates that Mr. Smirnov and Mr. Boykov have exercised administrative level control over this Class C Network (CNet). This is clear in the historical data related to the CNet. The sheer number and frequency of their domains that have moved from IP address to IP address, across the full range of IP addresses in CNet 79.135.167, allows for no other conclusion. Given the degree of control they have historically exercised, it is very likely that they conducted or were a party to the cyber "first strike".

James McQuaid

(1) http://www.malwarebytes.org/forums/index.php?showtopic=4288&pid=16324&mode=threaded&show=&st=0
(2) http://www.ripoffreport.com/reports/0/337/RipOff0337263.htm
(3) http://www.castlecops.com/Blogspot_redirection_Porn_site_spam167793.html
(4) http://www.robtex.com/whois/canadian-pharmacy-support.info.html
(5) http://groups.google.com/group/news.admin.net-abuse.sightings/browse_thread/thread/9d9aa3a014ae6748
and http://www.robtex.com/whois/canadiandiscountmeds.com.html
(6) http://translate.google.com/translate?hl=en&sl=ru&u=http://supol.narod.ru/members/Andrew_Smirnov/gaz1.htm&sa=X&oi=translate&resnum=6&ct=result&prev=/search%3Fq%3Dandrew_smirnov%26hl%3Den%26sa%3DG
(7) author's private note
(8) http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080720
(9) http://ddanchev.blogspot.com/2008/08/russia-vs-georgia-cyber-attack.html
(10) http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080720
(11) https://forums.symantec.com/syment/blog/article?message.uid=344935
(12) http://garwarner.blogspot.com/2008/08/new-bbc-spam-mocks-georgias-president.html
(13) http://www.spamhaus.org/security/cookies.lasso?query=SBL66533
(14) http://www.sudosecure.net/archives/212
(15) http://www.dozleng.com/updates/index.php?autocom=custom&page=results&numpage=1&words=blocklist
(16) http://www.securityzone.org/?cat=8
(17) http://malwaredomains.com/?p=218
(18) http://www.robtex.com/ip/217.170.77.150.html

Friday, August 15, 2008

DNS Blackhole for Smoothwall

DNS Blackhole for Smoothwall 3.0 available at Emerging Threats:
This is the most comprehensive DNS blacklist available. These files allow you to blacklist malicious domains by name. This is particularly useful because of the frequency with which the enemy changes the IP addresses of malware domains in an effort to evade IP blocking.

* config-hosts: 175,550 organized crime, RBN affiliates, malware hosts and bad actors blacklisted for Smoothwall 3. Leave last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Updated 8-14-2008.
http://doc.emergingthreats.net/pub/Main/HoneywallSamples/config-hosts

* hosts: Protect your home from 175,550 bad domains for Smoothwall 3; placed in /var/smoothwall/hosts/. Note: with this many objects in BlackHole, you must use local loopback. Update 8-14-2008: added 3,000 new malware domains.
http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts
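As an added example of how a domain blackhole file of this kind is built (this is not the Emerging Threats file, nor Smoothwall's own configuration format, which the listing does not reproduce), the code below normalizes a raw domain list, writes it in plain hosts(5) syntax with every entry pointed at the local loopback address as the listing advises, ends the file with the blank last line the listing calls for, and reads it back to verify the count. The sample input mixes the onestepsearch.net domains from the first post with constructed junk lines; the hosts(5) layout and the loopback check are assumptions of the example.

```python
import ipaddress
import re

LOOPBACK = "127.0.0.1"  # local loopback, as the listing advises for large lists

# One DNS label: 1-63 chars, alphanumerics or hyphen, not starting/ending with a hyphen;
# a hostname is two or more labels and at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)

# Constructed raw input: real domains from the first post plus junk a scraped list might carry
RAW_LIST = """\
# adware search domains
onestepsearch.net
OneStepSearch.net.
qsrch.com   # shares IP and name server with the above
quadzemail.com
bad_host
-leading-hyphen.example
"""


def normalize(raw_text):
    """Lower-case, strip comments and whitespace, drop invalid names and duplicates, keep order."""
    seen = set()
    names = []
    for line in raw_text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not name or name in seen or not HOSTNAME_RE.match(name):
            continue
        seen.add(name)
        names.append(name)
    return names


def render_hosts(domains, sink=LOOPBACK):
    """Return hosts-file text, one '<sink> <domain>' line per domain, ending with a blank line.

    Refuses a non-loopback sink: pointing thousands of names at a remote address
    turns the blackhole into a traffic source for whoever holds that address.
    """
    if not ipaddress.ip_address(sink).is_loopback:
        raise ValueError("sink must be a loopback address")
    body = "\n".join(f"{sink} {d}" for d in domains)
    return body + "\n\n" if body else ""


def parse_hosts(text):
    """Read hosts-file text back into {domain: address}, ignoring blanks and comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            mapping[n] = addr
    return mapping


def build(raw_text):
    """Normalize, render and re-parse; returns (hosts_text, entry_count)."""
    text = render_hosts(normalize(raw_text))
    return text, len(parse_hosts(text))


if __name__ == "__main__":
    hosts_text, count = build(RAW_LIST)
    print(hosts_text, end="")
    print(f"{count} entries")
```

Of the seven input lines, the comment, the duplicate (differing only in case and trailing dot), the underscore name and the name with a leading hyphen are dropped, leaving three entries, all pointed at 127.0.0.1.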

For effective protection, you should use anti-spyware and anti-virus products in addition to IP blocking and DNS blacklisting.

I maintain the Snort Config Samples Project at Emerging Threats. Visit http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples for more information.

Thursday, August 14, 2008

OSS arrives

Let friend and foe alike know that the OSS has arrived in Georgia.

Monday, August 11, 2008

Real Time Cyber Attack Details Against Georgia

Russia's SVR Seen Acting in Collusion with the Criminal RBN

Top ace Internet security researcher Dancho Danchev indicated late today that it was likely that the Russian Foreign Intelligence Service (SVR) was behind the attacks on Georgia's communications infrastructure: "It smells like a three letter intelligence agency’s propaganda arm has managed to somehow supply the creative for the defacement of Georgia President’s official web site, thereby forgetting a simple rule of engagement in such a conflict - risk forwarding the responsibility of the attack to each and every Russian".

In his "Zero Day" column at ZDNet http://blogs.zdnet.com/security/?p=1670 and at his brilliant blog http://ddanchev.blogspot.com/ Danchev identified the RBN command and control servers acting on behalf of the Russian government. The RBN is at the crux of malware creation, child pornography, and financial crime on the Internet. The close relationship between these activities and the Russian government may shock soccer moms in the West, but Internet security professionals have long suspected as much.

Earlier this week, the West's top RBN expert Jart Armin http://rbnexploit.blogspot.com identified many of the routing details of the Russian attack on Georgia's communications infrastructure.

Since Danchev published those details 5 hours ago, the Russian mafia/SVR operation has sought to evade detection by changing the DNS servers (ns1.guagaga.net and ns2.guagaga.net) of their actual command and control location (a-nahui-vse-zaebalo-v-pizdu.com) from the Turkish Telecom IP address 79.135.167.22 to an IP address (210.145.102.19) in the Yamato Life Insurance Building in Japan (DNS server is ns1.srv.com). Meanwhile they have created two new DNS servers ns1.guagaga.net.guagaga.net and ns2.guagaga.net.guagaga.net, which they are preparing to bring online between 10:00 pm and 2:00 am EST to act as authoritative name servers for the other attacking command and control servers, domains and botnets.

A complete list of RBN IP addresses, domains, franchisees and affiliates is available at http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt.

Georgia, Ukraine and NATO should refer to Dancho Danchev's column for additional details and incisive analysis. Security professionals should DNS Blackhole all of the involved domains, as well as their DNS servers. Given their infamous history, compounded by events of the past several days, it is time that the RBN was officially designated as a terrorist organization by the government of the United States.

James McQuaid

Saturday, August 9, 2008

Russian Cyberattack on Georgia

In line with its information warfare doctrine, the opening salvos of Russia's invasion of Georgia consisted of attacks on Georgia's communications infrastructure. The goal of this activity was to deny Georgia the opportunity to provide its perspective to the international press, and give Russia a corresponding advantage in shaping world opinion.

As documented at http://rbnexploit.blogspot.com, this cyberattack has been systematic and thorough. Its coordinated timing with the Russian conventional attack suggests that the criminal RBN is a military intelligence asset of the Russian government.

Many of Georgia's web servers are now under "unauthorized external control", and some web sites have been defaced. In addition, other Georgian servers are inaccessible due to disruptions by Russia and the RBN in the Internet's routing infrastructure. It should be noted that "AS8342 RTCOMM (Ru), AS12389 ROSTELECOM (Ru), AS9121 TTNet Autonomous System Turk Telekom (Tk) are well known to be under the control of RBN and influenced by the Russian government."

As noted in the August 8th editorial by The Washington Post, "Russian military probes, always denied by Moscow, have been frequent in recent years. But certainly the deeper source of tension between the two countries is Russia's insistence on maintaining hegemony in the Caucasus. Georgia's democratically elected government has accepted U.S. military and economic aid, supported the mission in Iraq and pursued NATO membership. Moscow will not tolerate such independence -- even by a relatively poor country of just 4.6 million people."

The Russian government's use of murder, extortion and blackmail in pursuit of political and economic policy goals has been well documented in the past several years. Europe, the United States, and the world at large will proceed from this point wary of the Russian mafia state.

For the purpose of circumventing the Russian cyber blockade of Georgia, I am reproducing below an official statement of the government of Georgia:

Mikhail Saakashvili, President of Georgia

"Georgia seeks peaceful resolution to the conflict in South Ossetia
Georgian troops mobilize to protect civilian population from rebel attacks
TBILISI – Sat 09 August 2008 –

The Government of Georgia has sought to defuse the tense and violent situation in the South Ossetia region yesterday by declaring a unilateral ceasefire and appealing to the leadership of the separatist rebels to begin talks with the State Minister for Reintegration Temuri Yakobashvili. Despite calls for peace, separatist rebels continued to attack Georgian police posts and the civilian population.

Initially government forces did not return fire. However, at 8:30pm the village of Avnevi came under fire from separatists and the village was almost completely destroyed. The government-controlled village of Prisi also came under attack by separatists, which left several people wounded.

In response to separatist attacks on government-controlled villages, Georgian Armed Forces occupied several villages in South Ossetia early this morning. At around 5:30am, Russian Federation forces began moving into the conflict zone through the Roki tunnel, which connects Russia and Georgia and has been an entry point for the illegal transfer and sale of arms to separatist rebels. Two additional Russian units entered into Georgia through the Roki tunnel around 8:00am. The first Russian unit that entered Georgia through the Roki tunnel was killed as they attempted to cross the Gufta Bridge, which was also destroyed in the operation conducted by the government’s air command.

The Russian air force has also been conducting military operations in Georgia. Military fighter planes dropped bombs in four towns. The Russian air force also bombed the villages of Variani, injuring seven civilians, and dropped three bombs on Gori. The OSCE has confirmed the Gori operation was conducted by the Russian air force. So far several people have been killed and wounded, including innocent civilians.

In an effort to protect the civilian population, the President of Georgia Mikhail Saakashvili declared a unilateral ceasefire to be in effect between 3:00pm – 6:00pm Friday. During this time, the civilian population and the separatists were invited to cross the line of control. The government has also provided humanitarian assistance and full amnesty for those separatists that choose to surrender. As of 2:30pm, Georgian forces controlled 100% of Tskhinvali with just a few small groups still resisting government presence. Despite the ceasefire, Russia continued to take aggressive military action within Georgian territory.

At 4:30pm and 5:35pm, Russian military aircraft bombed a Georgian military base in Marneuli three times, in the southern part of the country about 30 kilometres from Tbilisi, resulting in the destruction of grounded Georgian military equipment, severe damage to a number of buildings, and several casualties.

Russian military aircraft also entered Georgian airspace at 3:05pm and dropped two bombs on the Georgian military airbase in Vaziani, just on the outskirts of the capital."

Friday, August 8, 2008

Stop the Russian Mafia state

Both Senator Barack Obama and Senator John McCain have demanded that Russia withdraw from Georgia. The Washington Post has just published an editorial calling on the West to stop Russia. If we fail to do so, we can expect more predatory violence from the Russian Mafia state.

http://www.washingtonpost.com/wp-dyn/content/article/2008/08/08/AR2008080802741.html

"Stopping Russia
The U.S. and its allies must unite against Moscow's war on Georgia.

THE OUTBREAK of fighting between Russia and the former Soviet republic of Georgia was sudden but not surprising. Conflict has been brewing between Moscow and its tiny, pro-Western neighbor for months. The flashpoints are two breakaway Georgian provinces, Abkhazia and South Ossetia -- the latter being the scene of the latest fighting. The skirmishing and shelling around Georgian villages that prompted Georgian President Mikheil Saakashvili to launch an offensive against the South Ossetian capital, Tskhinvali, may or may not have been a deliberate Russian provocation, to which Russia's tank and air assault was the inevitable follow-up. Russian military probes, always denied by Moscow, have been frequent in recent years. But certainly the deeper source of tension between the two countries is Russia's insistence on maintaining hegemony in the Caucasus. Georgia's democratically elected government has accepted U.S. military and economic aid, supported the mission in Iraq and pursued NATO membership. Moscow will not tolerate such independence -- even by a relatively poor country of just 4.6 million people.

At its summit in Bucharest, Romania, in April, NATO offered Georgia eventual membership. This was not the more concrete promise that Georgia, and the Bush administration, had wanted. But Tbilisi and Washington settled for less in deference to European NATO members who wanted to avoid inflaming Russia. It didn't work, because Moscow responded by increasing its ties to Abkhazia and South Ossetia, including by beefing up the "peacekeeping" forces it maintains in both regions under the settlement that concluded Moscow-backed secessionist wars in the early 1990s. Even before these latest maneuvers, Russia had issued passports to most inhabitants of the two breakaway regions, which is why it claims to be defending its own people now.

It's doubtful, though not unthinkable, that Russia actually plans to conquer all of Georgia. But its objectives are no less cynical for that. Simply by keeping the country in a constant state of territorial division and conflict, it hopes to show NATO that Georgia is too unstable for membership -- thus giving Georgia no choice but to submit to Moscow's "influence." Probably Russia intends to administer a quick military "punishment" (as Russian President Dmitry Medvedev described Moscow's war aim) to Mr. Saakashvili, and then restore some version of the unstable status quo ante.

This is a grave challenge to the United States and Europe. Ideally, the U.N. Security Council would step in, authorizing a genuine peacekeeping force to replace the Russian one that has turned into a de facto occupation of Abkhazia and South Ossetia. But a Russian veto rules that out. Thus, the United States and its NATO allies must together impose a price on Russia if it does not promptly change course. The principles at stake, including sovereignty and territorial integrity, apply well beyond the Caucasus. To abandon Georgia and its fragile democratic Rose Revolution would send a terrible signal to other former Soviet and Warsaw Pact republics that to Moscow's dismay have achieved or are working toward democracy and fully independent foreign policies. The West has made that sort of mistake before and must not do so again."

Sunday, July 13, 2008


The Snort Config Samples Project
The Snort Config Samples Project provides instructions, ready to use files, and information for those who wish to quickly learn to use Snort Inline and Smoothwall to protect their home network. You can easily:

• deploy Snort rules to block unknown viruses and trojans before they reach your home computers
• block 172,000 known hostile domains
• block attackers by IP address
• protect your family from hacking
• employ super smart firewalling that no router/appliance can offer

Visit http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples for Honeywall installation instructions and Smoothwall-based domain blocking.

Visit http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork to shut out the Russian Business Network.

Friday, March 14, 2008

Interactive Brands Targets Consumers

Interactive Brands is targeting the customers of Adobe, Ad Aware, AntiVir, McAfee, MySpace, Norton, Panda, and Spybot Search and Destroy. The malicious typosquatting technique has proven effective in the past. On Friday evening (March 14), CNet 63.243.188 included the following domains (CNet query through robtex.com):


Block by IP range and by name. The hosts file for Smoothwall 3.0 in the Snort Config Samples Project at emergingthreats.net blackholes these domains.
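As an added example (my own code, not a file from the Snort Config Samples Project described here and above), the following Python builds the kind of hosts-file blackhole the Smoothwall hosts file provides and the firewall rule for the CNet quoted in this post: it normalises and deduplicates a constructed handful of the listed domains, reports names that are not valid hostnames instead of writing them, and checks addresses against the blocked range. The sink address, function names and sample input are my assumptions.

```python
"""Hosts-file blackhole plus firewall rules for a hostile domain list.

Added example; it is not a file from the Snort Config Samples Project.
Every accepted name is pinned to an unroutable sink address, which is
what the Smoothwall hosts file described in the post does, and the /24
quoted in the post is turned into a firewall DROP rule so hosts in that
range stay unreachable even under names the list does not carry.
"""
import ipaddress
import re

# Constructed sample: a handful of names from the post's list, plus
# variants that exercise the normalisation and validation paths.
SAMPLE_DOMAINS = [
    "interactivebrands.com",
    "interactivebrands.com",      # listed twice in the post
    "mail.cashengines.com",
    "MAIL.cashengines.com.",      # same host: case and trailing dot differ
    "devel_sql.upclick.com",      # underscore is not a valid hostname label
    "download-mcafee.com",
    "panda-antivirus-2008.com",
]

# The CNet named in the post, written as a network.
HOSTILE_NETS = ["63.243.188.0/24"]

# RFC 1123 label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    """Lowercase, strip surrounding whitespace and any trailing dot."""
    return name.strip().lower().rstrip(".")


def is_valid_hostname(name: str) -> bool:
    """Accept only fully qualified names made of valid labels."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lbl) for lbl in labels)


def build_blackhole(domains, sink="0.0.0.0"):
    """Return (hosts_lines, rejected).

    Duplicates collapse to one entry, order of first appearance is kept,
    and names that fail validation are reported rather than silently
    written, so the operator can inspect them by hand.
    """
    seen = set()
    lines, rejected = [], []
    for raw in domains:
        name = normalize(raw)
        if not is_valid_hostname(name):
            rejected.append(raw)
        elif name not in seen:
            seen.add(name)
            lines.append(f"{sink}\t{name}")
    return lines, rejected


def in_hostile_net(ip: str, nets=HOSTILE_NETS) -> bool:
    """True when an address falls inside one of the blocked ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def firewall_rules(nets=HOSTILE_NETS, chain="FORWARD"):
    """iptables rules dropping forwarded traffic towards each range."""
    return [f"iptables -I {chain} -d {ipaddress.ip_network(n)} -j DROP"
            for n in nets]


if __name__ == "__main__":
    hosts, bad = build_blackhole(SAMPLE_DOMAINS)
    print("\n".join(hosts))
    print("# rejected:", bad)
    print("\n".join(firewall_rules()))
```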

Dancho Danchev's blog of March 20th also reports on this criminal group:
http://ddanchev.blogspot.com/

James

Saturday, February 2, 2008

Snort Config Samples Project

The Russian Business Network resources have migrated with Matt Jonkman from bleedingthreats.net to emergingthreats.net. The project provides instructions, ready to use files and information for those who wish to quickly learn to use Snort Inline and Smoothwall to protect their home network.

You can easily:
• use Snort rules to block unknown viruses and trojans before they reach your home computers
• block 109,000 known hostile domains
• block attackers by IP address
• protect your family from targeted attacks
• employ super smart firewalling that no router/appliance can offer

Point your browser to http://doc.emergingthreats.net/bin/view/Main/SnortConfSamples to get tips, tricks and ready to use files.

james mcquaid


Multi-Layered Network Defense with Snort Inline and Smoothwall