Sunday, September 21, 2008

Darkness At Dawn


Russian organized crime syndicates


Darkness At Dawn can be read online at Google books http://books.google.com/books?id=i-t6jle71ToC. I strongly recommend that you read at least one chapter; it is absolutely riveting reading.

The problem of cybercrime and malware is inextricably linked with the rise to power of organized crime in post-Soviet Russia. The extent to which organized crime has been institutionalized in Russia is indeed shocking, and it continues today:

    "under Putin, organized crime — especially in St. Petersburg and Moscow — has been changing. Since he has consolidated power as president, Putin considers organized crime and Barsukov relics of a bygone era. Organized crime groups have, in short, been institutionalized — if not completely swallowed by politicians or legal institutions. For example, until recently, Barsukov worked legally as vice president of the Petersburg Fuel Co. The Tambov group’s control over the four ports it once claimed also has changed; the group still receives large kickbacks on imports and exports, but it does not own the ports and is instead considered port “security.”"

    - Stratfor

    http://www.stratfor.com/russia_kremlin_strikes_tambov_group

In Darkness At Dawn, David Satter explains, in vivid detail reminiscent of an early Tom Clancy novel, how this took place and the terrible price the Russian people have paid. Satter's book gave me some insight into the factors that produced the extreme nationalist mania now gripping Russia.

Anticipating a new dawn of freedom after the disintegration of the Soviet Union, Russians could hardly have foreseen the reality of their future a decade later: a country impoverished and controlled at every level by organized crime. This riveting book views the 1990s reform period through the experiences of individual citizens, revealing the changes that have swept Russia and their effect on Russia’s age-old ways of thinking.

“The Russia that Satter depicts in this brave, engaging book cannot be ignored. Darkness at Dawn should be required reading for anyone interested in the post-Soviet state.” — Christian Caryl, Newsweek

“Satter must be commended for saying what a great many people only dare to think.” — Matthew Brzezinski, Toronto Globe and Mail

“Humane and articulate.” — Raymond Asquith, Spectator

“Vivid, impeccably researched and truly frightening. . . . Western policy-makers, especially in Washington, would do well to study these pages.” — Martin Sieff, United Press International

More details:
Darkness at Dawn: The Rise of the Russian Criminal State
By David Satter
Published by Yale University Press, 2004
ISBN 0300105916, 9780300105919
326 pages

Monday, September 8, 2008

The RBN Operatives: Part II

In mid-August, I wrote that I suspected that long-time RBN operatives Alexandr Boykov and Sergey Smirnov were the individuals most likely responsible for the cyber first strike against Georgia's Internet infrastructure, which preceded Russia's invasion of that country. Given their historical domination of CNet 76.135.167, I continue to hold this view. However, after many hours of investigative work, I have uncovered additional, specific information regarding the lessee of the IP space involved.

What I now know is that sometime between July 18 and July 31, 2008, a Russian cyber criminal named Sergey Astakhov deployed the botnet command and control domains involved in the DDoS attack to 76.135.167.22. Using a fairly advanced RBN DNS obfuscation method, Mr. Astakhov created a multiheaded DNS topology in an attempt to elude discovery. Mr. Astakhov's DNS server, judex.cn, located at IP address 210.145.102.19, also bore an A record address of 79.135.167.22. The domains at 79.135.167.22 used a fast flux DNS method with a twist: most of the time when one ran a DNS query against them, ns1.guagua.net would be returned. Rarely, ns1.srv.com (located at 210.145.102.19) would be returned instead. I had noted this as early as 11 August, but the DNS topology of ns1.srv.com led nowhere. Similarly, judex.com was a dead end.

The following diagram portrays Mr. Astakhov's control over the botnet command and control servers utilized in the cyber first strike:


A twisted DNS topology


The sophistication of the methods used to cloak Mr. Astakhov's identity is remarkable. Combined with privacy-protection type services, they could be used to create truly stealthed Internet attack systems, which would make attribution of criminal activity difficult to impossible. In this case, we are fortunate that Mr. Astakhov used his actual name in the WhoIs record for judex.cn.


WhoIs judex.cn



Shared analysis: judex.cn


The DNS record at judex.cn indicates that guagua.net uses it as a name server, but this information has not been available at guagua.net itself:

judex.cn DNS
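The two observations above, the name server that is returned only rarely and the name server relationship that one zone claims but the other does not confirm, are the kind of thing an investigator checks with a script rather than by hand. The block below is an added example and not the post's own tooling: it samples a name repeatedly and tallies every distinct answer, then compares the name servers a third-party zone claims for a domain against the servers that domain's own zone publishes. The resolver is a constructed stub so the code runs offline (with dnspython the same sampler could be fed a function wrapping `dns.resolver.resolve()`); `C2_PLACEHOLDER` stands in for the unnamed command and control domain, and the rotation ratio and the NS claims are invented for illustration. The addresses are the ones the post names.

```python
"""Added example (not the post's own tooling): two checks on the naming
setup described above.

1. sample_answers() queries a name many times and tallies every distinct
   answer, so a name server returned only rarely (the ns1.srv.com 'twist')
   shows up alongside the usual one.
2. ns_mismatch() compares the name servers a third-party zone claims for a
   domain with the servers that domain's own zone publishes.

The resolver is a constructed stub so this runs offline. C2_PLACEHOLDER
stands in for the unnamed command-and-control domain; the rotation ratio
and the NS claims are invented for illustration.
"""
from collections import Counter
from typing import Callable, Dict, Iterable, List, Set, Tuple

C2_PLACEHOLDER = "c2-domain.invalid"   # placeholder, not a real domain

# Addresses named in the post; the answer sets themselves are constructed.
FIXED_ANSWERS: Dict[Tuple[str, str], List[str]] = {
    ("judex.cn", "A"): ["210.145.102.19", "79.135.167.22"],
    ("ns1.srv.com", "A"): ["210.145.102.19"],
}


class StubResolver:
    """Answers ns1.guagua.net for the placeholder name on 19 of every 20 NS
    queries and ns1.srv.com on the 20th, mirroring the rotation the post
    observed; every other (name, type) pair gets a fixed answer."""

    def __init__(self) -> None:
        self.calls: Counter = Counter()

    def __call__(self, name: str, rtype: str) -> List[str]:
        n = self.calls[(name, rtype)]
        self.calls[(name, rtype)] += 1
        if (name, rtype) == (C2_PLACEHOLDER, "NS"):
            return ["ns1.srv.com"] if n % 20 == 0 else ["ns1.guagua.net"]
        return list(FIXED_ANSWERS.get((name, rtype), []))


Resolver = Callable[[str, str], List[str]]


def sample_answers(resolve: Resolver, name: str, rtype: str, rounds: int) -> Counter:
    """Query `rounds` times and count how often each answer appeared."""
    seen: Counter = Counter()
    for _ in range(rounds):
        seen.update(resolve(name, rtype))
    return seen


def summarise(seen: Counter, rounds: int, rare_share: float = 0.2) -> Dict[str, object]:
    """Distinct answers, the ones returned in fewer than rare_share of the
    rounds, and whether the answer set rotated at all."""
    distinct = sorted(seen)
    rare = [a for a in distinct if seen[a] / rounds < rare_share]
    return {"distinct": distinct, "rare": rare, "rotating": len(distinct) > 1}


def ns_mismatch(claimed: Iterable[str], published: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Name servers claimed by a third party but absent from the domain's
    own zone, and the reverse. Either non-empty set deserves a closer look."""
    c, p = set(claimed), set(published)
    return c - p, p - c


def investigate(resolve: Resolver, rounds: int = 100) -> Dict[str, object]:
    ns_sample = summarise(sample_answers(resolve, C2_PLACEHOLDER, "NS", rounds), rounds)
    # Constructed claims: judex.cn's zone lists itself as a guagua.net name
    # server, while guagua.net's own zone only lists ns1.guagua.net.
    claimed_by_judex = ["ns1.guagua.net", "judex.cn"]
    published_by_guagua = ["ns1.guagua.net"]
    unconfirmed, unlisted = ns_mismatch(claimed_by_judex, published_by_guagua)
    return {
        "ns_sample": ns_sample,
        "rare_ns_addresses": {ns: resolve(ns, "A") for ns in ns_sample["rare"]},
        "unconfirmed_ns": sorted(unconfirmed),
        "unlisted_ns": sorted(unlisted),
    }


if __name__ == "__main__":
    for key, value in investigate(StubResolver()).items():
        print(f"{key}: {value}")
```

The point of tallying rather than querying once is that a single lookup almost always shows only the common answer; the rare server, and the address it resolves to, is what links the command and control names back to the same host as judex.cn.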


Mr. Astakhov has a history of cyber criminal activity. Note the Artists Against 419 web site entry for Mr. Astakhov's alexexpress.com: http://db.aa419.org/fakebanksview.php?key=28770. Mr. Astakhov was previously noted as a Zlob trojan distributor at malwaredomainlist.com (and that data is still available in Google's cache). Mr. Astakhov's domain theworldnews5.com is known to install the RBN fake antivirus software xpantivirus 2009; note http://forum.hosts-file.net/viewtopic.php?f=9&p=4511.

I have previously determined that Alexey Vasiliev was responsible for the spam attack which besmirched the President of Georgia:

spam attacker

Saturday, September 6, 2008

BEHIND THE MAKING OF THE ATRIVO TAKEDOWN

By James McQuaid

As early as November 2007, I had corresponded with several security researchers regarding the presence of former customers of the Russian Business Network ISP operating in Atrivo IP space. Over the next several months, as a part of my normal malware investigations, I noted the disproportionate amount of malware within Atrivo. During this time, I was publishing a list of RBN IPs at Matt Jonkman's emergingthreats.net, and also a blackhole DNS file for Smoothwall. To that end, in March 2008 I completed a survey of all class C networks within Atrivo and incorporated those domains into the Smoothwall blackhole DNS file. I also added all of Atrivo's IP space to the blacklist of RBN IP addresses.

My fights with the Russian mob had started several years earlier when I worked as a programmer at a web hosting firm (the earliest encounter preceded 9-11). The RBN had hacked the fully patched Windows IIS server of the firm's largest client. The network administrator was unable to expel the intruder, and the firm's owner tasked me with resolving the mess. After two days of tightening permissions, and command line combat, I nuked the box. Although I feared that I might be fired, the client subsequently insisted that I take over network administration of all of their servers. Thereafter, it would be a strict scorched earth policy against the RBN.

Over the next couple of years my tactics against the RBN were primarily defensive. By that, I mean that I blocked those IPs and domains that I encountered or read about. It was essentially an avoidance policy, and primarily reactive. This changed when Saint Petersburg black hats targeted the computer of one of my children. That machine was freshly loaded with Windows XP at Christmas, fully patched, and quite well locked down, and I had installed the Panda Platinum security suite (scans were scheduled daily). Within three weeks, the RBN had taken the machine, and installed Kuang II. The intruder had stored some particularly offensive Hentai images on the computer. It was then, in a moment of dizzying cold terror, that I realized that one could not avoid them, and that I needed to actively hunt them.



My initial step was to repartition the hard drives of, and reload, every computer in the house. This included reloading Microsoft Small Business Server 2003 with the open source firewall Smoothwall Express. I had not relied on SBS's firewall, although I employed it; SBS had been positioned behind a Netgear FVS-318 firewall router. With Smoothwall I was able to block IP addresses, as well as blacklist domains, at the perimeter. Microsoft had made these capabilities unavailable in SBS 2003, and it had a ridiculous number of shares that were impossible to secure effectively. Smoothwall's blocking capability meant that I could perform reconnaissance against cyber criminals and apply the data acquired to my home defense. Thus I began to hunt them with the care that one employs when confronting any dangerous predator.
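The perimeter approach described here, a network survey feeding a blackhole DNS file and an IP blacklist, is easy to script, and the script is also where the main caveat lives: sinking whole class C ranges takes innocent neighbours down with the bad hosts, so an allowlist is needed. The block below is an added example and not the post's Smoothwall configuration. It takes observations of domain to resolved address, the CIDR ranges chosen for blackholing and an allowlist, and emits a dnsmasq-style `address=/name/0.0.0.0` file plus iptables deny rules; both output formats are an assumption made here, since the page does not show Smoothwall's own file layout. All addresses are RFC 5737 documentation ranges and all names are constructed.

```python
"""Added example (not the post's Smoothwall configuration): turning a survey
of networks one has decided to blackhole into perimeter blocklists.

Inputs: observations of domain -> resolved address, the CIDR ranges to sink,
and an allowlist for legitimate names that happen to share a sunk range.
Outputs: dnsmasq-style address= lines and iptables deny rules (both an
assumption; the page does not show Smoothwall's own format). All addresses
are RFC 5737 documentation ranges and all names are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Mapping, Optional

Network = ipaddress.IPv4Network

# Constructed inputs.
BLOCKED_CIDRS = ["192.0.2.0/24", "198.51.100.0/24"]
OBSERVED = {
    "fakeav-one.example": "192.0.2.10",
    "fakeav-two.example": "198.51.100.7",
    "shared-legit.example": "192.0.2.20",   # innocent neighbour in a sunk range
    "unrelated.example": "203.0.113.5",
}
ALLOWLIST = {"shared-legit.example"}


def parse_networks(cidrs: Iterable[str]) -> List[Network]:
    # strict=True rejects a range with host bits set, e.g. 192.0.2.1/24
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def containing_network(ip: str, nets: Iterable[Network]) -> Optional[Network]:
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def classify(observed: Mapping[str, str], cidrs: Iterable[str],
             allowlist: Iterable[str]) -> Dict[str, List[str]]:
    """Split observed names into: sink (blackhole), spared (inside a sunk
    range but allowlisted), outside (address not in any sunk range)."""
    nets = parse_networks(cidrs)
    allow = set(allowlist)
    out: Dict[str, List[str]] = {"sink": [], "spared": [], "outside": []}
    for name, ip in sorted(observed.items()):
        net = containing_network(ip, nets)
        if net is None:
            out["outside"].append(name)
        elif name in allow:
            out["spared"].append(name)
        else:
            out["sink"].append(name)
    return out


def survey_by_network(observed: Mapping[str, str], cidrs: Iterable[str]) -> Dict[str, int]:
    """How many observed names land in each sunk range: the per-range tally
    behind deciding whether a whole class C deserves blocking."""
    nets = parse_networks(cidrs)
    counts: Dict[str, int] = defaultdict(int)
    for ip in observed.values():
        net = containing_network(ip, nets)
        if net is not None:
            counts[str(net)] += 1
    return dict(counts)


def render_dnsmasq(names: Iterable[str]) -> List[str]:
    """dnsmasq syntax: address=/name/0.0.0.0 answers the name and its
    subdomains with a non-routable address."""
    return [f"address=/{n}/0.0.0.0" for n in names]


def render_iptables(cidrs: Iterable[str]) -> List[str]:
    """Drop forwarded traffic to or from each sunk range."""
    return ([f"iptables -A FORWARD -s {c} -j DROP" for c in cidrs]
            + [f"iptables -A FORWARD -d {c} -j DROP" for c in cidrs])


if __name__ == "__main__":
    groups = classify(OBSERVED, BLOCKED_CIDRS, ALLOWLIST)
    print("\n".join(render_dnsmasq(groups["sink"])))
    print("\n".join(render_iptables(BLOCKED_CIDRS)))
    print("spared:", groups["spared"])
    print("per-network:", survey_by_network(OBSERVED, BLOCKED_CIDRS))
```

The domain sink and the IP drop rules complement each other: the DNS file stops a freshly registered name before it is ever looked up, while the range rules catch hosts that are reached by raw address or through a name the survey has not seen yet.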

Flash forward to 2007, when I learned from the Internet Storm Center that Brian Krebs of The Washington Post wanted to interview someone who was blocking the Russian Business Network. I emailed Brian and he subsequently telephoned me. After his now famous articles on the RBN were published, the FBI pressed the Russian government, other networks quit routing their traffic, and the RBN ISP disintegrated. Consequently, the customers of the RBN ISP sortied and a virtual diaspora of Russian cyber crime was created. We doggedly tracked them into Panama, Malaysia, China, the United States (Atrivo and Optical Jungle), and elsewhere.

When I met the StopBadWare team at Harvard Law's Berkman Center for the Internet and Society for the Berkman@10 Conference in May 2008, I was impressed with StopBadWare's unequivocal attribution of the problems on the Internet to organized crime. It was a fact with which I was well acquainted, but few had been willing to say as much. Jonathan Zittrain also impressed me with his discussions of the power of the generative Internet. Over the Christmas 2007 holiday, Russian cyber criminals had created several thousands of exquisitely social engineered Blogspot pages. Google and StopBadWare had been fighting them since. The attempt to poison Blogspot was a direct threat to the generative Internet, and threatens to seriously diminish the value of the Internet to the entire world. Fortunately, Russia's high profile cyber attacks against Estonia and Georgia seem to have awakened the governments of the democracies that the problem of cyber crime is serious, and can no longer be ignored.

Over the months of painstakingly investigating Atrivo, we found that cyber crime was no longer merely a cottage industry of Russian ultra nationalists, but had morphed into a multinational enterprise involving large corporations. Please download the PDF of our report, Cyber Crime U.S.A. You will find it engaging reading. Since its release a week ago, and Brian Krebs' articles about it in The Washington Post, Atrivo has given the appearance of being on the ropes. Est and Atrivo are taking down a number of fake anti-virus sites, but not all, and new ones have been introduced. We expect that they will continue to distribute malware through bogus search sites, as well as sociopathic porn sites, in hopes of going unnoticed. The current activity is an attempt to avoid prosecution, but it does not alter their fundamental economic model or their long-standing contractual obligations and relationships. We will continue to evaluate and scrutinize reports of malware across their networks.

The time for action is now, as the future of a generative Internet hangs in the balance. If the telecommunications industry does not cease routing the traffic of criminal networks, government must step in with physical take downs and prosecutions.



Notes:

Cyber Crime U.S.A.:
http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html
http://voices.washingtonpost.com/securityfix/2008/09/scam-heavy_us_isp_grows_more_i.html

Support for Cyber Crime U.S.A.:
http://www.avertlabs.com/research/blog/index.php/2008/09/04/the-darksides-domains/
http://www.spamhaus.org/news.lasso?article=636
http://msmvps.com/blogs/hostsnews/archive/2008/09/03/1646589.aspx
http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/
http://blog.stopbadware.org/2008/08/28/report-calls-out-atrivo-intercage-and-affiliates
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080906
http://www.circleid.com/posts/89610_cyber_crime_an_economic_problem/

On 13 October 2007,
The Washington Post published Brian Krebs' excellent articles on the Russian Business Network:
http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html
http://blog.washingtonpost.com/securityfix/2007/10/taking_on_the_russian_business.html
http://www.washingtonpost.com/wp-dyn/content/story/2007/10/12/ST2007101202661.html?hpid=moreheadlines
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101201700.html?sub=new

With respect to events since October 2007, note "The Russians Go Chinese":
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829

and "Russian Business Network: Down, But Not Out":
http://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html

The following sources have provided timely information:
Jart Armin research: http://rbnexploit.blogspot.com

Dancho Danchev research: http://ddanchev.blogspot.com

David Bizeul research: http://isc.sans.org/presentations/RBN_study.pdf

Shadowserver research 'Clarifying the "guesswork" of Criminal Activity':
http://www.shadowserver.org/wiki/uploads/Information/RBN-AS40989.pdf

Utilize the Emerging RBN Rules:
http://docs.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

Other Resources:
http://www.bytecrime.org/
http://www.fbi.gov/cyberinvest/cyberhome.htm
http://cyber.law.harvard.edu/
http://cyber.law.harvard.edu/events/berkmanat10
http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples
http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork