Monday, August 11, 2008

Real Time Cyber Attack Details Against Georgia

Russia's SVR Seen Acting in Collusion with the Criminal RBN

Top ace Internet security researcher, Dancho Danchev, indicated late today that it was likely that the Russian Foreign Intelligence service (SVR) was behind the attacks on Georgia's communications infrastructure, "It smells like a three letter intelligence agency’s propaganda arm has managed to somehow supply the creative for the defacement of Georgia President’s official web site, thereby forgetting a simple rule of engagement in such a conflict - risk forwarding the responsibility of the attack to each and every Russian".

In his "Zero Day" column at ZDNet http://blogs.zdnet.com/security/?p=1670 and at his brilliant blog http://ddanchev.blogspot.com/ Danchev identified the RBN command and control servers acting on behalf of the Russian government. The RBN is at the crux of malware creation, child pornography, and financial crime on the Internet. The close relationship between these activities and the Russian government may shock soccer moms in the West, but Internet security professionals have long suspected as much.

Earlier this week, the West's top RBN expert Jart Armin http://rbnexploit.blogspot.com identified many of the routing details of the Russian attack on Georgia's communications infrastructure.

Since Danchev published those details 5 hours ago, the Russian mafia/SVR operation has sought to evade detection by changing the DNS servers (ns1.guagaga.net and ns2.guagaga.net) of their actual command and control location (a-nahui-vse-zaebalo-v-pizdu.com) from the Turkish Telecom IP address 79.135.167.22 to an IP address (210.145.102.19) in the Yamato Life Insurance Building in Japan (DNS server is ns1.srv.com). Meanwhile they have created two new DNS servers ns1.guagaga.net.guagaga.net and ns2.guagaga.net.guagaga.net, which they are preparing to bring online between 10:00 pm and 2:00 am EST to act as authoritative name servers for the other attacking command and control servers, domains and botnets.

A complete list of RBN IP addresses, domains, franchisees and affiliates is available at http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt.

Georgia, Ukraine and NATO should refer to Dancho Danchev's column for additional details and incisive analysis. Security professionals should DNS Blackhole all of the involved domains, as well as their DNS servers. Given their infamous history, compounded by events of the past several days, it is time that the RBN was officially designated as a terrorist organization by the government of the United States.
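The infrastructure shift described above (a C2 domain moving its name servers and address) and the blackholing advice suggest a simple defender's workflow: snapshot the DNS records of watched domains, diff successive snapshots to catch such moves, and emit a blackhole list covering the domains and every name server they have used. The script below is an added example, not code from this post or its sources; the snapshots are constructed inline from the names in the post rather than taken from live lookups, and the BIND response-policy-zone (RPZ) output format is an assumption about the resolver.

```python
"""Watchlist diff for command-and-control domains: detect name-server and
address changes between two DNS snapshots and render a blackhole list."""
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Dict[str, Set[str]]]   # domain -> rrtype -> record values

# Constructed sample snapshots (not live lookups), using names from the post.
BEFORE: Snapshot = {
    "a-nahui-vse-zaebalo-v-pizdu.com": {
        "NS": {"ns1.guagaga.net", "ns2.guagaga.net"},
        "A": {"79.135.167.22"},
    },
}
AFTER: Snapshot = {
    "a-nahui-vse-zaebalo-v-pizdu.com": {
        "NS": {"ns1.guagaga.net.guagaga.net", "ns2.guagaga.net.guagaga.net"},
        "A": {"210.145.102.19"},
    },
}

def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Tuple[str, str, Set[str], Set[str]]]:
    """Return (domain, rrtype, added, removed) for every record set that changed."""
    changes = []
    for domain in sorted(set(before) | set(after)):
        old, new = before.get(domain, {}), after.get(domain, {})
        for rrtype in sorted(set(old) | set(new)):
            added = new.get(rrtype, set()) - old.get(rrtype, set())
            removed = old.get(rrtype, set()) - new.get(rrtype, set())
            if added or removed:
                changes.append((domain, rrtype, added, removed))
    return changes

def blackhole_names(*snapshots: Snapshot) -> Set[str]:
    """Domains plus every NS hostname seen in any snapshot (old servers stay blocked)."""
    names: Set[str] = set()
    for snap in snapshots:
        for domain, rrsets in snap.items():
            names.add(domain.lower().rstrip("."))
            names.update(ns.lower().rstrip(".") for ns in rrsets.get("NS", set()))
    return names

def rpz_zone(names: Set[str]) -> List[str]:
    """Render BIND RPZ records (assumed resolver format) that return NXDOMAIN
    for each name and everything beneath it."""
    lines = []
    for name in sorted(names):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return lines

if __name__ == "__main__":
    for domain, rrtype, added, removed in diff_snapshots(BEFORE, AFTER):
        print(f"{domain} {rrtype}: +{sorted(added)} -{sorted(removed)}")
    print("\n".join(rpz_zone(blackhole_names(BEFORE, AFTER))))
```

Feeding a fresh snapshot into `diff_snapshots` on a schedule turns the manual observation in the post into a repeatable alert, and the RPZ output blocks the old and new name servers together rather than chasing each move.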

James McQuaid