Sunday, December 6, 2009

RBN Assists Global Iranian Crackdown

Research Center of Islamic Republic of Iran Broadcasting operating in RBN IP space

The Iranian government has launched a "Global Crackdown" against its opposition, acting on its monitoring of Facebook and other social media. Note the Slashdot post referring to The Wall Street Journal article:

Slashdot post: Iranian Crackdown Goes Global
http://politics.slashdot.org/story/09/12/05/2044243/Iranian-Crackdown-Goes-Global

Wall Street Journal article: Iranian Crackdown Goes Global
http://online.wsj.com/article/SB125978649644673331.html

"Tehran's leadership faces its biggest crisis since it first came to power in 1979, as Iranians at home and abroad attack its legitimacy in the wake of June's allegedly rigged presidential vote. An opposition effort, the 'Green Movement,' is gaining a global following of regular Iranians who say they never previously considered themselves activists. The regime has been cracking down hard at home. And now, a Wall Street Journal investigation shows, it is extending that crackdown to Iranians abroad as well. Part of the effort involves tracking the Facebook, Twitter and YouTube activity of Iranians around the world, and identifying them at opposition protests abroad. People who criticize Iran's regime online or in public demonstrations are facing threats intended to silence them."

Caught by surprise by the power of social media during the disputed election, Tehran has commissioned white paper studies by the Research Center of Islamic Republic of Iran Broadcasting (crspa.ir) to "study the role of social capital in knowledge sharing".

The crspa.ir web site has been assisted by the Russian Business Network at the well-known RBN IP address 61.61.61.61, which is home to many of the RBN's spam, scam, and malware DNS servers.

www.crspa.ir is a CNAME forward view entry to crspa.ir:
[Image: Research Center of Islamic Republic of Iran Broadcasting operating from RBN IP space, 5 December 2009]

Warning: IP address 61.61.61.61 may damage your computer
http://safeweb.norton.com/report/show?url=new-look-at-life.ru&x=0&y=0
Norton Safe Web reports that new-look-at-life.ru installs the Infostealer virus, a keystroke logger used to steal identities and financial information.
http://www.siteadvisor.com/sites/holeuse.com
The McAfee SiteAdvisor reviewer notes that holeuse.com "is an Identity Theft and Credit Card Fraud ring."




There is also a CNAME entry at RBN IP address: 222.170.127.100
[Image: Research Center of Islamic Republic of Iran Broadcasting operating from RBN IP space, 6 December 2009]

Warning: IP address 222.170.127.100 may damage your computer
http://www.siteadvisor.com/sites/sing-sing-sing.ru
The McAfee SiteAdvisor reviewer notes that sing-sing-sing.ru is a spamming domain "responsible for millions of junk mails that can lead to malware, phishing sites, or exploits."
http://safeweb.norton.com/report/show?url=getyourpower.ru&x=8&y=5
Norton Safe Web reports that getyourpower.ru installs the Infostealer virus, a keystroke logger used to steal identities and financial information.





Third scummy RBN Server with CNAME forward view entry for www.crspa.ir:
[Image: Research Center of Islamic Republic of Iran Broadcasting operating from RBN IP address 58.218.250.107, 7 December 2009]

Warning: IP address 58.218.250.107 may damage your computer
http://www.siteadvisor.com/sites/brownarea.com
The McAfee SiteAdvisor reviewer noted that brownarea.com are "Specialists in: credit-card fraud; hacking, hijacking, using viruses to get control of computers, that act as a zombie in botnets."

crspa.ir is a CNAME alias for www.rcirib.ir:
[Image: Research Center of Islamic Republic of Iran Broadcasting in Iranian IP space]

The Research Center of Islamic Republic of Iran Broadcasting owns two domains:
crspa.ir is Research Center of Islamic Republic of Iran Broadcasting

rcrib.ir is Research Center of Islamic Republic of Iran Broadcasting

It will be interesting to see if the Iranian hacktivists target these RBN servers.

James McQuaid
emergingthreats.net
Most Recent Update: 7 December 2009