As early as November 2007, I had corresponded regarding with several security researchers regarding the presence of former customers of the Russian Business Network ISP operating in Atrivo IP space. Over the next several months, as a part of my normal malware investigations, I noted the disproportionate amount of malware within Atrivo. During this time, I was publishing a list of RBN IPs at Matt Jonkman's emergingthreats.net, and also a blackhole DNS file for Smoothwall. To that end, in March 2008 I completed a survey of all class C networks within Atrivo and incorporated those domains into the Smoothwall blackhole DNS file. I also added all of Atrivo's IP space to the blacklist of RBN IP addresses.
My fights with the Russian mob had started several years earlier when I worked as a programmer at a web hosting firm (the earliest encounter preceded 9-11). The RBN had hacked the fully patched Windows IIS server of the firm's largest client. The network administrator was unable to expel the intruder, and the firm's owner tasked me with resolving the mess. After two days of tightening permissions, and command line combat, I nuked the box. Although I feared that I might be fired, the client subsequently insisted that I take over network administration of all of their servers. Thereafter, it would be a strict scorched earth policy against the RBN.
Over the next couple of years my tactics against the RBN were primarily defensive. By that, I mean that I blocked those IPs and domains that I encountered or read about. It was essentially an avoidance policy, and primarily reactive. This changed when Saint Petersburg black hats targeted the computer of one of my children. That machine was freshly loaded with Windows XP at Christmas, fully patched, and quite well locked down, and I had installed the Panda Platinum security suite (scans were scheduled daily). Within three weeks, the RBN had taken the machine, and installed Kuang II. The intruder had stored some particularly offensive Hentai images on the computer. It was then, in a moment of dizzying cold terror, that I realized that one could not avoid them, and that I needed to actively hunt them.
_________________________________________________________________________________________________________
It was then, in a moment of dizzying cold terror, that I realized that
one could not avoid them, and that I needed to actively hunt them.
_________________________________________________________________________________________________________
My initial step was to repartition the hard drives of and reload every computer in the house. This included reloading Microsoft Small Business Server 2003 with the open source firewall Smoothwall Express. I had not relied on SBS's firewall, although I employed it; SBS had been positioned behind a Netgear FVS-318 firewall router. With Smoothwall I was able to block IP addresses as well as, blacklist domains at the perimeter. Microsoft had made these capabilities unavailable in SBS 2003, and it had a ridiculous number of shares that were impossible to effectively secure. Smoothwall's blocking capability meant that I could perform reconnaissance against cyber criminals, and apply the data acquired, to my home defense. Thus I began to hunt them with the care that one employs when confronting any dangerous predator.
Flash forward to 2007 when I learned from the Internet Storm Center that Brian Krebs of The Washington Post wanted to interview someone who was blocking the Russian Business Network. I emailed Brian and he subsequently telephoned me. After his now famous articles on the RBN were published, the FBI pressed the Russian government, other networks quit routing their traffic, and the RBN ISP disintegrated. Consequently, the customers of the RBN ISP sortied and a virtual Diaspora of Russian cyber crime was created. We doggedly tracked them into Panama, Malaysia, China, the United States (Atrivo and Optical Jungle), and elsewhere.
When I met the StopBadWare team at Harvard Law's Berkman Center for the Internet and Society for the Berkman@10 Conference in May 2008, I was impressed with StopBadWare's unequivocal attribution of the problems on the Internet to organized crime. It was a fact with which I was well acquainted, but few had been willing to say as much. Jonathan Zittrain also impressed me with his discussions of the power of the generative Internet. Over the Christmas 2007 holiday, Russian cyber criminals had created several thousands of exquisitely social engineered Blogspot pages. Google and StopBadWare had been fighting them since. The attempt to poison Blogspot was a direct threat to the generative Internet, and threatens to seriously diminish the value of the Internet to the entire world. Fortunately, Russia's high profile cyber attacks against Estonia and Georgia seem to have awakened the governments of the democracies that the problem of cyber crime is serious, and can no longer be ignored.
Over the months of painstakingly investigating Atrivo, we found that cyber crime was no longer merely a cottage industry of Russian ultra nationalists, but had morphed into a multinational enterprise involving large corporations. Please download the PDF of our report, Cyber Crime U.S.A. You will find it engaging reading. Since its release a week ago, and Brian Krebs' articles about it in The Washington Post, Atrivo has given the appearance of being on the ropes. Est and Atrivo are taking down a number of fake anti-virus sites, but not all, and new ones have been introduced. We expect that they will continue to distribute malware through bogus search sites as well as, sociopathic porn sites in hopes of going unnoticed. The current activity is an attempt to avoid prosecution, but it does not alter their fundamental economic model, or long-standing contractual obligations and relationships. We will continue to evaluate and scrutinize reports of malware across their networks.
The time for action is now, as the future of a generative Internet hangs in the balance. If the telecommunications industry does not cease routing the traffic of criminal networks, government must step in with physical take downs and prosecutions.
Notes:
Cyber Crime U.S.A.:
http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html
http://voices.washingtonpost.com/securityfix/2008/09/scam-heavy_us_isp_grows_more_i.html
Support for Cyber Crime U.S.A.:
http://www.avertlabs.com/research/blog/index.php/2008/09/04/the-darksides-domains/
http://www.spamhaus.org/news.lasso?article=636
http://msmvps.com/blogs/hostsnews/archive/2008/09/03/1646589.aspx
http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/
http://blog.stopbadware.org/2008/08/28/report-calls-out-atrivo-intercage-and-affiliates
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080906
http://www.circleid.com/posts/89610_cyber_crime_an_economic_problem/
On 13 October 2007,
The Washington Post published Brian Krebs' excellent articles on the Russian Business Network:
http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html
http://blog.washingtonpost.com/securityfix/2007/10/taking_on_the_russian_business.html
http://www.washingtonpost.com/wp-dyn/content/story/2007/10/12/ST2007101202661.html?hpid=moreheadlines
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101201700.html?sub=new
With respect to events since October 2007, note "The Russians Go Chinese":
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829
and "Russian Business Network: Down, But Not Out":
http://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html
The following sources have provided timely information:
Jart Armin research: http://rbnexploit.blogspot.com
Dancho Danchev research: http://ddanchev.blogspot.com
David Bizeul research: http://isc.sans.org/presentations/RBN_study.pdf
Shadowserver research 'Clarifying the "guesswork" of Criminal Activity':
http://www.shadowserver.org/wiki/uploads/Information/RBN-AS40989.pdf
Utilize the Emerging RBN Rules:
http://docs.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
Other Resources:
http://www.bytecrime.org/
http://www.fbi.gov/cyberinvest/cyberhome.htm
http://cyber.law.harvard.edu/
http://cyber.law.harvard.edu/events/berkmanat10
http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples
http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork