Friday, November 30, 2007

Awfully Quiet in Nashville....12/4


I figure that they're actually beginning to realize what Hud saddled them with. One scenario:
He bought hospitals that no one else wanted but which looked good on paper, tried to run "the big con" à la The Sting, and with him gone, things will probably fall apart.

He could sell the idea that the hospitals weren't profitable while they were being renovated. That renovation would take years. And years to start. Meanwhile, he could acquire some actually good properties (Muskogee comes to mind, as well as Weatherford) and borrow against the idea that his corporation owned five hospitals that they were willing to put money into. Sort of how they got Paris.

Or:
He actually believed that he could package a working system that would make the 15-20% return that he forecasted from bankrupt hospitals.
Your choice.

Thursday, November 29, 2007

Small Businesses Going Global

Question: Why does the U.S. Small Business Administration, an independent domestic agency of the federal government, have an international trade mission?

Answer: Because doing business internationally is where future growth lies for many small businesses!

Read more here and be sure to get yourself a complimentary online copy of Breaking Into the Trade Game: A Small Business Guide to Exporting.

Separately, but related, be sure to check out our new Globe Tour (right side panel) on our blog!

Wednesday, November 28, 2007

RBN – Google Search Exploits

The Russian Business Network (RBN) has been busy again with a significant amount of loaded web search results which lead to malware sites as reported by Sunbelt.


The good news first: the exploiters can be precisely pinpointed back to the newer RBN core retail centers previously exposed in this blog on Nov 8th 07, i.e. iFramecash, myrdns, hostfresh, and AS 27595, i.e. Atrivo, Intercage, Inhoster. Also, as reported, this is the same end route as the Bank of India hack, the fake anti-spywares and the fake codecs.


The bad news is, as predicted and one of the probable reasons for dropping their RBNetwork IP ranges, the RBN is increasingly using botnet-based fast-flux techniques (see Wikipedia) to hide the initial delivery sites behind an ever-changing network of compromised hosts, i.e. "double-flux": nodes within the network register and de-register their addresses as part of the DNS SOA (start of authority) record list of the DNS (Domain Name System). This provides an additional layer of redundancy and survivability within the malware network, as seen in the case of the fake codecs.
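The fast-flux behaviour described above can be spotted from the resolver side without touching the malware network: the same name keeps returning different short-lived A records spread over unrelated networks, and in the double-flux case the NS records churn as well. The script below is an added example, not code from this blog; the DNS observations are constructed, the prefix-to-AS table is hypothetical, and the thresholds are illustrative rather than tuned values.

```python
"""Fast-flux heuristic over a series of resolver observations (added example).

The observations, the prefix-to-AS table and the thresholds are all
constructed/assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    ts: int        # seconds since an arbitrary epoch (constructed)
    rtype: str     # "A" or "NS"
    name: str
    value: str     # an IP for A records, a host name for NS records
    ttl: int


# Constructed observations of a hypothetical fluxing domain taken at three
# points in time, plus a stable domain for contrast.
SAMPLE = [
    DnsObservation(0, "A", "flux.example", "192.0.2.10", 180),
    DnsObservation(0, "A", "flux.example", "198.51.100.22", 180),
    DnsObservation(0, "NS", "flux.example", "ns1.flux.example", 300),
    DnsObservation(600, "A", "flux.example", "203.0.113.7", 180),
    DnsObservation(600, "A", "flux.example", "192.0.2.44", 180),
    DnsObservation(600, "NS", "flux.example", "ns7.flux.example", 300),
    DnsObservation(1200, "A", "flux.example", "198.51.100.91", 180),
    DnsObservation(1200, "A", "flux.example", "203.0.113.120", 180),
    DnsObservation(1200, "NS", "flux.example", "ns3.flux.example", 300),
    DnsObservation(0, "A", "stable.example", "192.0.2.200", 86400),
    DnsObservation(600, "A", "stable.example", "192.0.2.200", 86400),
    DnsObservation(1200, "A", "stable.example", "192.0.2.200", 86400),
    DnsObservation(0, "NS", "stable.example", "ns1.stable.example", 86400),
    DnsObservation(1200, "NS", "stable.example", "ns1.stable.example", 86400),
]

# Hypothetical /24 -> origin AS table; in practice this comes from a BGP or
# whois lookup rather than a static dict.
PREFIX_TO_AS = {"192.0.2": "AS64496", "198.51.100": "AS64497", "203.0.113": "AS64498"}


def prefix24(ip):
    return ip.rsplit(".", 1)[0]


def flux_summary(observations, name):
    """Collect the distinct A records, NS hosts, origin ASes and the smallest
    A-record TTL seen for one name across all observations."""
    a_ips, ns_hosts, min_ttl = set(), set(), None
    for o in observations:
        if o.name != name:
            continue
        if o.rtype == "A":
            a_ips.add(o.value)
            min_ttl = o.ttl if min_ttl is None else min(min_ttl, o.ttl)
        elif o.rtype == "NS":
            ns_hosts.add(o.value)
    ases = {PREFIX_TO_AS.get(prefix24(ip), "unknown") for ip in a_ips}
    return {"unique_a": len(a_ips), "unique_ns": len(ns_hosts),
            "unique_as": len(ases), "min_a_ttl": min_ttl}


def classify(summary, max_ttl=600, min_ips=5, min_as=3):
    """'single-flux': many short-TTL A records spread over several ASes;
    'double-flux': the same, and the NS set churns too; otherwise 'stable'.
    The thresholds are illustrative defaults, not recommended values."""
    if summary["min_a_ttl"] is None:
        return "stable"
    fluxing = (summary["min_a_ttl"] <= max_ttl
               and summary["unique_a"] >= min_ips
               and summary["unique_as"] >= min_as)
    if not fluxing:
        return "stable"
    return "double-flux" if summary["unique_ns"] > 1 else "single-flux"


if __name__ == "__main__":
    for name in ("flux.example", "stable.example"):
        s = flux_summary(SAMPLE, name)
        print(name, s, classify(s))
```

The AS-diversity check matters more than the raw IP count: a large legitimate site served by a CDN also answers with many addresses, but they normally sit in one or two networks, whereas compromised-host flux nodes are scattered across consumer ISPs.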


This particular web search exploit for the unfortunate end user can be shown as:




Investigation of the actual Trojan downloads shows the use of a newer, until now undistributed edition of MPack, which includes a host of exploits including scam.Iwin, keyloggers, DNS changers, etc. Despite the difficulty of tracking botnet fast-flux usage, detailed investigation of the specific domain name servers gives the details below; with this information Google and other search engines should easily be able to eliminate such a threat, and hopefully it provides law enforcement with further evidence:



1 – The web search “fake” sites.


All of the fake web search sites researched in this exploit emanate from 2dayhost.com, an apparent botnet based at AS8001 Net Access Corporation, 1719 Route 10 Suite 318, Parsippany, NJ 07054. The following is a sample of the domains and name servers involved at this stage: feidqaadppta.cn - igekqzeabkwz.cn - luewusxrijke.cn - zhvmizyycuzz.cn. All were registered very recently, on Nov 25th 2007, under Name Server: ns1.erik-kartman2.com and Name Server: ns2.erik-kartman2.com, also based at 2dayhost.com / AS8001 Net Access Corporation (please note that despite the .cn the domains and registrant have nothing to do with China).


Figure2 – Fake search site map



2 – Victim Reception sites.

As mentioned earlier, the “usual suspects” of iFramecash, myrdns, hostfresh, and AS 27595, i.e. Atrivo, Intercage, Inhoster, are responsible. The following 3 figures show the relationship (click on the pic to see full size):



Figure 3. Victim reception A




Figure 4. Victim reception B



Figure 5. Victim reception C

Tuesday, November 27, 2007

Hoping to Grow Global in 2008?

Better start planning now.

Essent should keep community informed....12/7

This is the first time I've seen the Paris News take a chunk out of the hospital:
Staff reports
The Paris News

Published November 26, 2007

Officials at Essent Healthcare, the parent company of Paris Regional Medical Center, need to keep this community informed of events such as a change in leadership at the top as happened earlier this month in Nashville, Tenn.

The Paris News became aware through a third party, and almost a week later, that the company's founder, Hud Connery, had been forced to step down as chief executive officer by the company's board of directors and that Mike Browder had been named acting chief executive officer.

Essent public relations specialist David Jarrard did respond to a request for information for a Nov. 19 story, but an e-mail communications problem prevented us from receiving a response in time for that day's edition.

Jarrard's response was brief, stating the board of directors has commenced a search for a permanent chief executive officer. He also said in the written statement that Browder joined Essent in 2001 as chief financial officer and that he served in a similar post for TMC HealthCare. From 1993 to 1999, Browder served as vice president of finance operations for Health Management Associates, Inc., where he was responsible for financial operations at 32 hospitals.

We should have received that information as soon as an event of this magnitude took place, not a week later and only at our request.

Members of our community should be kept abreast of what is going on with Essent. Paris Regional Medical Center is one of this community's largest employers and serves the medical needs of the majority of our residents. In the past this newspaper has been supportive of our local hospital, but being left out in the cold about major events does little to help a relationship. After all, it is the responsibility of this newspaper to keep residents informed. A change in Essent leadership certainly warranted an immediate notification.
Actually, Hud's change in status happened in October. I posted the news on the 9th of November.

Monday, November 26, 2007

What If....12/8

Dux has been more than willing to say that he wants to get rid of those elements that Bitch, Piss and Moan at the hospital, but let's look at that....


His definition of bitching, pissing and moaning might be a bit different than ours. For one thing, those that are recognizing problems, and suggesting solutions are the ones that aren't saying, "That's not my job." Maybe administration would prefer that they were, but patients don't.


Housekeeping used a wax that was softened by the cleaning solution they used to mop it. It produced a sensation of sticking to fly-paper as you walked. Solution: Change the wax, or change the cleaner. The extra money spent would be paid back in public perception almost immediately.

An effective suggestion program can make the difference between red and black ink, but the opinion is anyone that doesn't believe that the moon is made of green cheese (admin's view), is a troublemaker.

Toyota is often cited as having one of the best suggestion programs of any corporation. They also had not laid off any employees since 1950 (not sure if that still holds true, but probably so.)

When you feel that your ideas do not fall on deaf ears, you are far more likely to feel appreciated for your efforts. As admin has found, complaints that you hear are backed 10 to 1 with those you don't. This blog could be a demonstration of that.

Complaints are opportunities (ironically, the link is about Vandy.) And the first part of a problem-solving process is to identify the problem. Those that don't appreciate that fact are doomed to failure.

Say the hospital did get rid of all those who have read or commented to the blog. Can you say, Ghost Town?

Saturday, November 24, 2007

Best Countries for Global Business

The World Economic Forum (WEF) each year handicaps the economic-development race. The Global Competitiveness Report tallies 113 factors that contribute to an economy's competitiveness -- a buzzword that roughly boils down to how well a country is positioned to squeeze efficiency out of its businesses and attract companies and investment from abroad.

Components of the resulting Global Competitiveness Index range from the quality of a nation's roads to the independence of its judiciary to the incidence of tuberculosis to how easy it is to hire an engineer. Parts of the index are culled from official data; many others are drawn from a survey of 11,000 international business executives. This year TIME partners with the WEF to bring you in-depth data on 37 key countries at time.com/globalbusiness.

Note, this is different from what we reported October 10, 2007 on the World Bank's Doing Business 2008.

Friday, November 23, 2007

Rumors and Propaganda....11/26

Not quite the latest rumor, but it is said that former CEO W. Hudson Connery Jr. was walked from Essent by security and that he is under investigation for embezzlement (a possible criminal charge, forthcoming?) I'd say that it qualifies as not "not unfriendly". What do you think? I can't say that this is first, or second, or third-hand (can you say anonymous?), but you never can tell.

Remember, this is dealing with a capitalization of over $200 million dollars. How tight is the cookie-jar lid? (Note: The real financials from Crossroads were never made available to the CT officials when they were considering Essent's purchase of Sharon Hospital. That was mentioned in the decision summary.)


An aside: In searching for records on Connery and CT, I ran across a house owned by Hud and an Ann Moore. It would appear that Ann Moore used to be in the clique of former Governor John G. Rowland, who pleaded guilty to a corruption charge (his administration approved the Sharon conversion from not-for-profit to for-profit, first in CT). I can follow Ms Moore's career through the CT governmental positions she held, as a lobbyist, and to a law firm (UPDIKE, KELLY & SPELLACY, P.C), after which she disappears (career-wise), apparently not practicing. They even hired an attorney to prepare a variance for submission on the house.
Looking at Hud's replacement, Mike Browder's duty description caused another series of questions, see if you can find and answer them:
"Michael Browder joined Essent in 2001, and is responsible for all traditional corporate financial functions including routine reporting and capital structure development. In addition, he is responsible for information systems development, corporate risk management/insurance and detailed acquisition support functions, including due diligence."
Did you see? Corporate risk management, insurance, and due diligence. Responsibility for due diligence puts him in the hot seat for failing to recognize PRMC's shortcomings, insurance for the gay couple's lawsuit, and risk management for the go ahead on the actual Essent-Doe lawsuit. You wonder why he wasn't out the door before Hud....

Wednesday, November 21, 2007

The ABCs of Foreign Trade Zones

Manufacturers familiar with foreign-trade zones know the obvious benefits, namely no duties on goods exported from the foreign-trade zone (FTZ) and the deferral of duties until goods are moved outside the FTZ. But, according to Greg Jones, corporate secretary and senior consultant with Foreign-Trade Zone Corp., there are other key points to consider.

Read more here.

RBN – Fake Codecs

With the ongoing tracking of “fake” software websites related to the Russian Business Network (RBN) and their associates, it is important to note the growth of the fake codec websites. A codec is a small program that allows an operating system or a program to properly play audio or video in a particular format, e.g. MP3, WAV, Xvid, MPEG, Indeo and Cinepak.

Figure 1. Sample “fake” codec site - Gamecodec.com



This article is a cumulative snapshot report based upon current and historical community reporting from Zlob Watch (peki.blogspot), Sunbelt, and the excellent earlier work of Jahewi's Fake Codec Information (unfortunately last updated Jan 20th 07). The key issues are:


  • Currently shown here (see fig. 2 below) are 53 active domains, which together with the 60 earlier reported, mostly dormant, domains (see fig. 3 below) gives a total of at least 113 “fake” codec web sites operational over an 18 month period. It would appear many of the active domains alternate on a regular basis between being non-resolvable (apparently offline) and online.


  • The prime exploits from these sites are (a) Zlob, which shows fake error messages and silently installs fake anti-spyware products, and (b) DNSChanger, which silently adds rogue DNS name servers to your PC or Mac. These name servers will resolve non-existing domains (typo-squatting) to IP addresses associated with the authors to generate revenue, and could potentially re-route traffic from legitimate web sites to other suspicious web sites. Ref peki.blogspot
Note: We should clarify that the Mac fake codecs are only for the DNS changing trojans and that not all the sites listed will spawn Mac stuff.



  • These exploits are designed for Mac and Windows users, with an attack vector similar to the “fake” anti-spywares; however the technique is varied by constantly emerging new domains, mostly leading to a single web landing page interface.


  • Most importantly, all 113 domains are or were registered with Estdomains; similarly all of the active 53 domains in fig. 2 are hosted in AS27595 by Atrivo, AKA Intercage, Inhoster, Cernal, etc. Also to be added is AS 36445, a newer autonomous system apparently used by Cernal. For blocking purposes the following IP ranges should be incorporated:

64.28.176.0/20 AS27595 INTERCAGE
85.255.118.0/20 AS27595 INTERCAGE
85.255.112.0/20 AS36445 CERNEL



Figure 4 - Sample IP Map - Zerocodec

Sunday, November 18, 2007

RBN – PC Hijacking via Banner-Ads on Major Web Portals

The Russian Business Network (RBN), in one of its boldest PC hijacking exploits, used conventional banner-ads to redirect web visitors to “fake” anti-spyware sites. This is a new attack vector, but it uses known RBN server routes and exploits. Malware-based ads have been spotted on various legitimate websites, ranging from baseball's MLB.com to NHL.com, Canada.com and The Economist. Acting as a conventional Flash file, the exploit is delivered via DoubleClick's DART program; DoubleClick acknowledges the malware, and says it has implemented a new security-monitoring system that has thus far captured and disabled a hundred ads.



How the exploit works, servers and locations (confirmed by Explabs):

Example for mlb.com: mlb.com → ad.doubleclick.net → newbieadguide.com → fixthemnow.com, which calls safetydownload.com for the “fake” download.





Example for nhl.com: nhl.com → 2mdn.net → ad.doubleclick.net → adtraff.com → blessedads.com and prevedmarketing.com → malware-scan.com for the “fake” download.
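Chains like the two above are what a web proxy log records as a sequence of 302 responses, so a defender can reconstruct them after the fact and see which ad-network hop led off-site. The script below is an added example and not code from this blog: the proxy log lines are constructed, the log format (timestamp, client, URL, status, Location header or "-") is assumed, and the hop domains it flags are the ones the post names.

```python
"""Rebuild HTTP redirect chains from a proxy log and flag the ones that pass
through the hop domains named in the post (added example; constructed log,
assumed log format)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hop domains taken from the two chains in the post above.
SUSPECT_DOMAINS = {
    "newbieadguide.com", "fixthemnow.com", "safetydownload.com",
    "adtraff.com", "blessedads.com", "prevedmarketing.com", "malware-scan.com",
}

# Constructed proxy log: ts client url status location ("-" when absent).
LOG = """\
1195000001 10.0.0.5 http://mlb.com/ 200 -
1195000002 10.0.0.5 http://ad.doubleclick.net/adj/sample 302 http://newbieadguide.com/go
1195000003 10.0.0.5 http://newbieadguide.com/go 302 http://fixthemnow.com/scan
1195000004 10.0.0.5 http://fixthemnow.com/scan 200 -
1195000005 10.0.0.5 http://safetydownload.com/setup.exe 200 -
1195000010 10.0.0.9 http://example.org/ 200 -
1195000011 10.0.0.9 http://ad.doubleclick.net/adj/other 302 http://example.org/landing
1195000012 10.0.0.9 http://example.org/landing 200 -
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, loc = line.split()
        rows.append({"ts": int(ts), "client": client, "url": url,
                     "status": int(status), "location": None if loc == "-" else loc})
    return rows


def domain(url):
    return urlsplit(url).hostname


def redirect_chains(rows):
    """Return (client, [hop domains]) for every redirect chain, following each
    Location header to the request that fetched it."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    chains = []
    for client, reqs in by_client.items():
        targets = {r["location"] for r in reqs if r["location"]}
        by_url = {r["url"]: r for r in reqs}
        for r in reqs:
            # A chain head is a redirect that nothing else redirected to.
            if not r["location"] or r["url"] in targets:
                continue
            hops, seen, cur = [domain(r["url"])], {r["url"]}, r
            while True:
                nxt = cur["location"]
                if not nxt or nxt in seen:      # end of chain or a loop
                    break
                seen.add(nxt)
                hops.append(domain(nxt))
                cur = by_url.get(nxt)
                if cur is None:                 # target never fetched (blocked / unlogged)
                    break
            chains.append((client, hops))
    return chains


def flagged_chains(chains):
    return [c for c in chains if SUSPECT_DOMAINS & set(c[1])]


if __name__ == "__main__":
    for client, hops in flagged_chains(redirect_chains(parse_log(LOG))):
        print(client, " -> ".join(hops))
```

Note that the final download host (safetydownload.com in the constructed log) is not reached by a redirect but by a request the landing page makes, so it does not appear in the chain; it is still caught if the same domain set is applied to individual requests, which is why a blocklist check belongs on every hop and not only on chain heads.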



Figure 3 – Secure Hosting Bahamas



As shown above, the key servers involved, in particular Secure Hosting based in The Bahamas, have been utilized on other occasions by the RBN. It should also be noted that the four specific exploit servers and their AS (autonomous system) are:


  • AS15146 Cable Bahamas Ltd. (also AS26855 INTERNET BAHAMAS) - SECUREHOST.COM - IP range involved - 190.15.72.0/21

  • AS29131 RAPIDSWITCH Ltd - London UK - IP range involved - 87.117.192.0/18

  • AS33510 SETUPAHOST - Toronto Canada - IP range involved - 66.244.254.0/24

  • AS41947 WEBALTA / Internet Search Company - Moscow Russia - IP range involved - 77.91.224.0/21

Each of these servers houses many other questionable and exploit-based domains within the same specific IP as the domains utilized within this PC hijack exploit. Figure 4 shows those domains, which include 23 domains of “fake” anti-spyware or rogue software based upon the same RBN exploits as “Winfixer”, “SpySheriff”, etc.

This important exposure is thanks to excellent CYBERINT work within the community, references:

Explabs - Wired.com - Sunbelt

Thursday, November 15, 2007

Can You Say: Sub-Prime?....11/24

$55 million term loan and $20 million revolving line of credit from GMAC-RFC
$80 million from Vestar Capital Partners of New York City
$50 million Thoma Cressey, plus another $10 million

So, with over $200 million invested, what do they get?
Two hospitals that are paddling in red ink.
One that has gone up and is headed down.
Two that are reasonably profitable. (However, nothing close to what was forecast....) They're the ones absorbing the losses of the other two.

This, my friends, is called venture capital. They would have done better investing in liquor stores and pawn shops. With the bottom falling out of sub-prime real estate loans, one wonders if this is in the same category. Banks and lending institutions all over the country are feeling the pain--just look at the stock market.

But, don't worry, GE only lost $17 million of the $25 million they had in Arcon. (Source: Final Decision, Sharon Hospital.)

I really want to see how Michael Browder's vision for the company is going to pull this one out of the fire....

Global Ideas Come In All Shapes and Sizes

I had the great privilege and honor to participate in the world famous UPS Out-of-the-Box Small Business Contest and conference in Atlanta earlier this week. What an exciting time!

Congratulations to all the award winners! View their inspiring growth stories here.

And we will be posting highlights of the event over the next couple of weeks. Watch for YouTube videos, UPS Business Monitor Reports and more.

RBN – Russian Business Network - Faking its demise

Although it is true that the Russian Business Network (RBN), as AS40989 RBN AS RBusiness Network, has relinquished its IP addresses (not the related ‘peers’), this blog has never shown this as the core centre of RBN activity or as particularly relevant to its commercial activity. A simple test of the hypothesis of the demise of the RBN, as in recent press headlines using phrases such as “Mother of all cybercrime vanishes from the web” or “RBN goes Poof”, is to review one of the RBN’s major money-earning retail activities.


HYPOTHESIS = Logically, the RBN's fake anti-spyware or rogue software should show major changes in serving and hosting over the last week or so if the demise of the RBN is correct. Fortunately, based on limited CYBERINT earlier, we were able to show 57 well known ‘fakes’, with 34 of the top 40 being RBN related; the specifics can be seen below.


RESULT = With the exception of the loss or replacement of the AS40989 secondary name servers, there has been little or no change to the core IP addresses.

(a) For example, Antivirgear shows a current Alexa Trend/Rank of #5,473 (out of an estimated 60 million web sites), improved over the last month: 397,296 U.S. visitors per month, which is 10.7% of its traffic, thus visitors worldwide = 3.7 million. This is just one of many ‘fake’ web sites.

(b) It does assist in highlighting the role of Intercage AS 27595 (AKA; Atrivo (US), Inhoster - xbox.dedi.inhoster.com - Ukraine, and Estdomains) as a fundamental part of the RBN from 2004 (see .





For the results Figure 1 shows an overview of the RBN’s / Atrivo share of the ‘fakes’ market. For completeness (click on the images to enlarge);

Figure 2 - shows the complete list of the 57 ‘fakes’ in alphabetical order.

Figure 3 - shows the complete list of the 57 ‘fakes’ ranked to specific hosts / servers.

N.B. – It should be noted that the 6 ‘fakes’ listed as offline are currently dormant; historically this has happened before, and such domains often come back into use.


Tuesday, November 13, 2007

Grow or Die

Interesting. The New York Times here talks about if you Google the expression "Grow or die" you get more than 11 million hits. Then they go on to suggest ideas to keep your company thriving.

How about if you Google "Go global or die?" See what comes up. I think they missed a HUGE opportunity in their story.

What do you think?

Essent's Future....11/25

I suggested to a person in the industry that there are only a few possibilities for Essent: Sell or turn into a kinder, gentler Essent--more of what they pitched to Paris in the courtship.


He replied:

Hud was the central focus of this whole thing. With him gone, the venture capital guys have to either expend a lot of effort to put a new team in place and hope that things improve or they can cut their losses, get what they can through a sale and move on to something else. I don't think any of them have a particular passion to manage hospitals. If the company were bigger, I could see them wanting to salvage things with a new management team. But with just 5 hospitals, I'm guessing they'll let someone else have them.

The sale might be compromised by the pending settlement with Hud, depending on the length of time it takes. Ironically, he might be the only winner in this mess, or the spoiler that will destroy the value for everyone. I'm betting on the petulant child.



What could that do for or to Paris? The biggest problem Paris has is the joining of the two hospitals. Too much property, too many duplicated services, and a lack of competition to make it work. If Hud holds out, it could force a fire sale, or, an actual bankruptcy that might split it up (how long have I been saying this?) Or, if he settles early, we're stuck with the status quo.

I can't see any progress on the new Heart Hospital. This was originally delayed until April from the new year. What is the projection now? If Essent is going to bluff it out, it almost has to get going with the plans to show that management hasn't slipped.


I'd say they're dancing on banana peels.

Monday, November 12, 2007

History Repeating....12/10

Looks like Hud has another lawsuit to deal with. When HCA merged with HealthTrust, Hud lost his stock compensation plan (it didn't pay 'til the year end)...and so these are the elements that lawsuits are made of.

It appears that Hud has actually been out of the office for the last couple weeks--and the settlement between him and Essent is not amicable. Several million dollars worth of he said--you said, and wrangling about actual contractual obligations. Wonder if either will be able to use a Nashville law firm?

Anyway, Hud lost the first one, and its appeal. Wonder what happens to this one?? Stay tuned.

And, if anyone was wondering about Matt, I thought I would mention this:
One of the 'discussion groups' that he logs into also logs the IP address that he uses. I have a readout of his as well. And, a lot of his phraseology is the same. Tracking back his comments gave me his posted vocation (but all people lie, according to House). So, either he's Mattndallas, or a co-worker (that has picked up his manner of addressing issues) is. He just picked a poor mentor.

RBN – 76 Service Team, Loads cc, and their location

Although most report that the Russian Business Network (RBN) has disappeared, this RBN watch-blog still follows its active domains, its “retail division”. This is a follow-up to an earlier article on 76 Service, Gozi, Hang Up Team and US Hosting: the same business, just a different location, and an added common thread.



Fig 1. Common thread – the RBN’s slogan?


76 Service is now 76 Team.com (click on pic to see detail)

Fig2. Current 76 Service user landing page

As we can see, although using a new domain it still displays the familiar RBN “76 Service” branding. Just to remind ourselves, subscribers to 76 Service can log in and pull down the latest drops, i.e. data deposits from the Gozi-infected machines they subscribed to, e.g. a 3.3 GB one containing more than 10,000 online credentials (ID theft) taken from 5,200 PCs.




Loads.cc (click on pic to see detail)

Fig3. Loads.cc – Order page


As reported, Loads.cc allows less technically proficient cyber-criminal affiliates to "cash in”; the site provides information on the availability and size of the botnet in real time. This method differs from that of other similar schemes such as 76service, in that Loads.cc allows you to pay to infect computers.







Common Thread?

  • 76 Team (back1.76team. com or bavk1.76team.com) – IP = 208.72.170.189 = AS 26780 MCCOLO - USA
  • Loads.cc – IP = 212.24.53.4 AS 15756 CARAVAN ISP "CARAVAN" Moscow, RU
Although the two sites appear dissimilar, we have to dig a little deeper; examine the next two figures:


Fig 4 (a) 76 Service / Team Name servers (click on pic to see detail above)



Fig 4 (b) Loads cc Name servers (click on pic to see detail above)



The common thread is in two parts:

  • Loads.cc infects the PCs, 76 Service / Team sells the IDs from those same infected PCs.
  • Also as figs 3 & 4 show the common name servers i.e. orderbox-dns and optical jungle with corresponding IP ranges, both within AS30315 and AS31898. These two domain ranges are part of Resellerclub and Logic boxes, which in turn is owned by Directi.com.
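The pivot made in the two bullets above, linking sites that look unrelated by hosting because they share name-server infrastructure, is easy to automate once the records are collected. The script below is an added example, not code from this blog: the hosting and name-server AS numbers are the ones the post cites, the name-server host names are placeholders rather than the real ones, and the third domain is constructed as a control.

```python
"""Infrastructure pivot: group domains by shared name-server AS rather than
hosting AS (added example; placeholder NS host names, constructed control)."""
from collections import defaultdict

# domain -> hosting AS and list of (ns_host, ns_AS). The AS numbers for the
# two RBN sites and their name servers are those cited in the post; the NS
# host names are placeholders; unrelated.test is a constructed control.
RECORDS = {
    "76team.com": {"host_as": "AS26780",
                   "ns": [("ns1.orderbox-dns.placeholder", "AS30315"),
                          ("ns2.orderbox-dns.placeholder", "AS31898")]},
    "loads.cc": {"host_as": "AS15756",
                 "ns": [("ns1.opticaljungle.placeholder", "AS30315"),
                        ("ns2.opticaljungle.placeholder", "AS31898")]},
    "unrelated.test": {"host_as": "AS64500",
                       "ns": [("ns1.unrelated.test", "AS64500")]},
}


def host_as_index(records):
    """Hosting AS -> domains. On its own this does NOT link the two sites."""
    idx = defaultdict(list)
    for dom, rec in records.items():
        idx[rec["host_as"]].append(dom)
    return {k: sorted(v) for k, v in idx.items()}


def ns_as_index(records):
    """Name-server AS -> domains served from it; this is the shared thread."""
    idx = defaultdict(set)
    for dom, rec in records.items():
        for _host, ns_as in rec["ns"]:
            idx[ns_as].add(dom)
    return {k: sorted(v) for k, v in idx.items()}


def clusters(records):
    """Union-find over domains that share at least one name-server AS;
    returns sorted groups of domains."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for doms in ns_as_index(records).values():
        for d in doms[1:]:
            parent[find(d)] = find(doms[0])
    groups = defaultdict(list)
    for d in records:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("by hosting AS:", host_as_index(RECORDS))
    print("by NS AS:     ", ns_as_index(RECORDS))
    print("clusters:     ", clusters(RECORDS))
```

The same union-find step works for any shared attribute (registrar, NS host name, mail exchanger, SSL certificate subject); the point the post makes is that hosting IP alone would have put 76team.com and Loads.cc in different buckets.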


Directi is a very fast growing web hosting and reseller business based in India. Its own literature places its value at $300 million. The slogan in Fig1 is from Directi, and we hope it does not reflect the RBN’s constant aim.

Infrastructure:
  • Directi has offices in India and UAE
  • The new Directiplex, being designed by Hafeez Contractor, a $25 million facility with a capacity of 1700 people, will be ready by December 2007
  • Directi is also opening two offices in China - Beijing and Xiamen
  • Directi has partnerships with several datacenters worldwide and operates hundreds of servers worldwide for its various businesses

This blog is not suggesting anything more (at this time) than Directi have joined the ranks of the RBN host / name server “stooges”. Hopefully Directi will respond to the related abuse communications promptly.



Fig5 Directi Ops




It is reasonable to draw the following quantitative conclusions from the above and related:

  1. 76 Service / Team and Loads.cc are synonymous RBN retail operations, working both sides of botnet operations and exploiting personal IDs.
  2. They are both now operational via Indian web space and elsewhere via Directi
  3. The community and this blog as a whole have helped to force the RBN from their own servers, the original 76 Service base within Noc4 Hosts, The Planet, and elsewhere, due to publicity and improved CYBERINT and blocking. This is not the time to believe in the demise of the RBN; for historians, the first time was in 2004.

References:

Original disclosure on 76 Service
Recent article on Loads.cc

Sunday, November 11, 2007

The New Year of the Tiger

With a population of 1.3 billion whose per capita income is expected to double over the next 10 years, and a consumer market that is expected to grow to $14 trillion by the year 2025, it's no wonder foreign companies are investing billions to reach today's Chinese consumer. Research reveals a growing demographic of generally younger, affluent, urban Chinese consumers who are willing to consider foreign brands.
Think you can translate your brand for the savvy Chinese shopper?

Find out more here.

Friday, November 9, 2007

Connery forced out at Essent Healthcare....12/1

According to the Nashville Post, W. Hudson Connery has been forced out of Essent. The former CFO Michael Browder has been named to take his place.

The irony is, he might make out better by that happening than by captaining it into the rocks. If there is a corporate buyout of his stock, it might save his nest egg.

It doesn't mean it's over, folks. Maybe just starting....frank


NashvillePost.com has learned that Essent Healthcare founder and 30-year industry veteran Hud Connery has been forced to step down as CEO by the company’s board of directors.

According to NashvillePost.com sources, the hospital operator’s CFO Mike Browder has been tapped to serve as the acting CEO and, they claim, is a candidate to take the helm of the company permanently.

The board, led by investors from Thoma Cressey, has not announced the change, even to Essent’s staff, as the shift, apparently, is not an amicable one. Allegedly, Connery and the board are currently at odds over a severance package, and his options in the company could total several million dollars.

Sources went on to claim that the board and a number of Essent’s investors would like to sell the company.

Connery launched Essent in 1999. The company’s first hospital was purchased in April of 2000. Prior to that he was the leader of the now defunct Arcon Healthcare. That company, which was based on a “hospitals without beds” concept, filed for chapter 11 in 1998.


I'm going to add as needed to the original post (one has to be flexible....) just for continuity of the thought. The latest:

[Update, 2:26 p.m. Monday:]
Following the posting of this article on Friday, David Jarrard, a spokesman for Essent, sent an email to NashvillePost.com confirming the departure.

Jarrard disputed NashvillePost.com’s characterization of the shift saying, “the transition is not unfriendly.”

In the e-mail, Jarrard also said that “Connery has no options with Essent,” and “Essent staff were informed of the transition earlier [last] week.” While repeated attempts to contact Jarrard seeking clarification have so far gone unanswered, NashvillePost.com was informed that Connery does in fact have a sizable equity interest in the company, though the use of the word "options" was technically incorrect. Further, NashvillePost.com has been told that despite some staff’s having been informed, as of Friday afternoon the vast majority of Essent’s employees were unaware of the move.

According to Jarrard, discussions of a possible sale have been tabled for the time being noting that “every Essent hospital is profitable and growing in their markets."

Last thing first: Merrimack Hospital is sitting at $-1,498,033 for last period listed, according to American Hospital Directory (AHD.com).
Southwest Regional Medical Center -- $-212,615, and with a net of $860,296, Nashoba Valley Medical Center (57 beds) is over twice as profitable as this (PRMC) hospital (228 beds listed, what happened to the other 100 or so?).

Not "unfriendly"??? What, we haven't dug out the squirrel guns yet? The board has back-doored at least two offers that fell through and finally pitched Hud out. They aren't selling because there are no buyers. What kind of value does that ascribe to Essent??? You do the math:
Zero!


No wonder Hud wants to take his money and run.....

Thursday, November 8, 2007

RBN – Russian Business Network, Chinese Web Space and Misdirection

There has been recent speculation concerning the Russian Business Network (RBN) and its increasing use of Chinese web space. By way of discussing this topic it is useful to quantitatively view this aspect via a practical example. We can kill 2 birds with one stone and do this via a requested update on “iFrame Cash”.

iFrame Cash is an active RBN enterprise we call here part of the RBN “Retail Division”. Put simply, the RBN pays webmasters or small web hosts a commission for planting or injecting IFrame exploits on web sites; this is done via the web site iframedollars.com and others.

Iframedollars has recently changed its IP location as it has done regularly since 2004, joining the dots (NB. Click on the images to see the detail):


1. iframedollars.com

= 58.65.234.17, ns1.iframedollars.com = 58.65.234.17, ns2.iframedollars.com = 58.65.234.18, MX iframedollars.com (mail server) = 58.65.234.17

58.65.234.0/24 = HOSTFRESH Internet Service Provider Pacific Internet (Hong Kong) Limited (Customer Route) REACH (Customer Route) = China?



2. myrdns.com / hostfresh.com

ns1.hostfresh.com = 58.65.238.100, ns2.hostfresh.com = 58.65.238.101

For myrdns.com, hosts sharing IP records = us1core.hostfresh.com, jishuqi.cn, shippingnv.com



3. For us1core.hostfresh.com

4. AS27595 = Intercage
So at this time:


(A) iFrame dollars facts:
Host = Hostfresh, ICANN registrar = Estdomains, IP address changes = 14 (2 years), Whois records = 44 (since 2004). Alexa rank = #605,524, up 62,752 in the last 3 months

(B) Hostfresh facts:
Host = Myrdns, ICANN registrar – IP address changes = 5 (2 years), Whois records = 233 (since 2004). Alexa rank = #361,013, up 387,6323 in the last 3 months


(C) Intercage facts:
As reported earlier, Intercage is also known as Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US) and Estdomains. (Note: interestingly, Broadwing Communications, a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT - appears to be the core mail carrier and mirrored hosting for AS 27595.) This hosts or acts as a name server for at least 34 of the 40 RBN fakes.


(D) IMPORTANT NOTE:
58.65.239.66 was also one of the 2 domains involved in the Bank of India hack.


In conclusion: 58.65.232.0 - 58.65.239.255 = HOSTFRESH = Hong Kong (PRC) / China?

This is Intercage again: to restate, there are many forum and other Internet user complaints dating back to 2004, and it is blacklisted by Spamhaus. However, such blacklists are predominantly used to block access “from” these networks (e.g. spam); we need a CYBERINT system to prevent access “to” them. Currently only systems such as McAfee’s Site Advisor provide a guide for web users, and this is not perfect.




Hopefully this example also demonstrates that, when watching the RBN, an IP address showing a Hong Kong / Chinese / Russian registrant, or a site carrying Chinese or Russian writing, does not mean it is actually based and hosted there.



Simple observation: just assume anything associated with the RBN is based on misdirection in the first place.

RBN – The Russian Business Network Has Closed Shop?

Russian Business Network (RBN) watching requires healthy cynicism and two simple tricks: (1) view their actions as you would those of an illusionist or stage magician, looking for the misdirection; (2) keep a historical perspective.

The good news is that the publicity-shy RBN does appear to have responded, or is being forced to respond, to being under the microscope, as reported by Brian Krebs of the Washington Post. The bad news is that the RBN IP ranges reportedly withdrawn are not the RBN IP ranges utilized in current exploits. The excellent work of Geoff Huston and his cidr-report provides great information for those interested in the AS (Autonomous Systems) side of the Internet. It shows the following:

Prefixes withdrawn by origin AS40989 (RBN) in the past 7 days:

- 81.95.144.0/22 = Withdrawn

- 81.95.148.0/22 = Withdrawn

- 81.95.154.0/24 = Withdrawn

- 81.95.155.0/24 = Withdrawn

However, as shown here and elsewhere, the recent RBN-based PDF exploit utilized 81.95.146.130 and 81.95.147.107; further, many of the RBN “fake” anti-spyware and anti-malware websites use 81.95.145.186 as one of their many Internet “name servers”. Therefore one can only conclude:

- 81.95.145.0/22 = Still active

- 81.95.146.0/22 = Still active

- 81.95.147.0/22 = Still active
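As an added example (not the blog's own tooling) that serves both the iFrame Cash "joining the dots" pivot in the previous post and the prefix lists above: a Python script using the standard ipaddress module that groups the quoted DNS observations by netblock, checks them against the HOSTFRESH range (58.65.232.0 - 58.65.239.255, written here as 58.65.232.0/21), and tests the exploit addresses against the withdrawn prefixes. The DNS records and prefixes are constructed sample data taken from the values quoted on the page.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data, copied from the values quoted in these posts.
# Label -> IP observations from the iFrame Cash "joining the dots" pivot.
OBSERVED = {
    "iframedollars.com": "58.65.234.17",
    "ns1.iframedollars.com": "58.65.234.17",
    "ns2.iframedollars.com": "58.65.234.18",
    "iframedollars.com (MX)": "58.65.234.17",   # mail server shares the web host's IP
    "ns1.hostfresh.com": "58.65.238.100",
    "ns2.hostfresh.com": "58.65.238.101",
}
# 58.65.232.0 - 58.65.239.255 (HOSTFRESH) expressed as a CIDR prefix.
HOSTFRESH = ipaddress.ip_network("58.65.232.0/21")

# Prefixes reported withdrawn by AS40989, and addresses seen in live exploits.
WITHDRAWN = ["81.95.144.0/22", "81.95.148.0/22", "81.95.154.0/24", "81.95.155.0/24"]
EXPLOIT_IPS = ["81.95.146.130", "81.95.147.107", "81.95.145.186"]


def group_by_netblock(records, prefixlen=24):
    """Group labels by the /prefixlen block their IP sits in ("joining the dots")."""
    groups = defaultdict(list)
    for label, ip in records.items():
        block = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(block)].append(label)
    return {block: sorted(labels) for block, labels in groups.items()}


def hosts_in_range(records, network):
    """Labels whose IP falls inside the given netblock (e.g. the HOSTFRESH range)."""
    return sorted(h for h, ip in records.items() if ipaddress.ip_address(ip) in network)


def covering_prefixes(ip, prefixes):
    """Prefixes from the list that contain ip.

    strict=False normalises a prefix whose host bits are set (81.95.145.0/22 as
    written in the post is not on a /22 boundary) to its network address instead
    of raising ValueError."""
    addr = ipaddress.ip_address(ip)
    return [p for p in prefixes if addr in ipaddress.ip_network(p, strict=False)]


if __name__ == "__main__":
    for block, labels in group_by_netblock(OBSERVED).items():
        print(block, labels)
    print("in HOSTFRESH:", hosts_in_range(OBSERVED, HOSTFRESH))
    for ip in EXPLOIT_IPS:
        # A match means AS40989 stopped announcing the covering prefix; the host
        # can still be reachable if announced elsewhere, so check the live route.
        print(ip, "covered by withdrawn:", covering_prefixes(ip, WITHDRAWN))
```

A match against a withdrawn prefix only says that AS40989 stopped announcing it; the address may still be announced from elsewhere, so the next step is to look up the live route for it.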

Historically there have been many welcome reports of the demise of the RBN and their acolytes, stretching back to 2004. Without any political bias, it is reminiscent of being told, circa 2003, that the war in Iraq is over. Maintaining a focused watch on the RBN as an organically growing organization is one of the main reasons a few of us created this blog in 2007.

This blog can only repeat that the RBN as an organization uses many guises, name servers, routes, stooges, etc., to operate under the radar and confuse. The excellent recent publicity through the many blogs, e-zines, and newspapers must only assist in gaining the necessary attention required, if only for the current 4 million plus (and growing) Internet users who will visit the RBN fake sites this month, and the many more who will suffer due to iFrame injections, Mpack and more. A cynical view of any RBN-related actions is appropriate, and, even more importantly, we must maintain our vigilance.

There will be a detailed follow up article which will show a current example of the RBN and the "apparent" use of Chinese web space.

Wednesday, November 7, 2007

In Need....11/9

There have been a few requests for publicity sent to me, generally for a good cause, and that brought forth an idea. Normally a blog on blogspot is filled with ads for a variety of less than desirable products.



I'd suggest that I can do some local good with announcements for fundraisers/benefits/non-profit affairs. The blog does get a fair amount of attention, and if the cause is a good one, send it in.... I'm going to play with some html tags and see if I can put some of the unused space to a better purpose.



This in no way suggests that the organizations are supporting the blog. This just means that some of the people that read the blog support the organizations.



With some of the limitations on soliciting for even good causes, maybe you can make a difference. 'tis the season....

Tuesday, November 6, 2007

What's Ahead in Our Brave New Cyberworld

Here's a post I did for the Small Business Trends blog which focuses on social media tools, globalization and what's ahead in our brave new cyberworld.
... My interest has always been to track trends before they affect us. I like to be way out in front, and that’s why I follow closely anything that has to do with global small business trends.
Let me know what you think. Direct link here.

Monday, November 5, 2007

Alternatives....11/6

You might ask yourself: What could one state representative....one of 140.....not to mention the 31 state senators do that would affect this case one way or the other?

They can't. They are going to have to legislate for the next incident that might show up on the horizon. I suppose Essent could refile, maybe better thought out, but that's another case, not this one.

The appeals court has a bit of a problem. And second guessing might not be my strong suit here: If they rule strictly on the basis of law, the case is finished, and Essent stews in its own juices. But there is a gap that needs to be plugged. Will the legislative body move with haste to plug it?

If they feel that it wouldn't, do they rule against the rule of law? There is a lot of interest in this case on a national level.

This is where one (or more) of the representatives steps up and proposes legislation to fill the gap. And it truly is an issue that should be bipartisan.

I should imagine that there is cross-channel communication between the branches, and this might be an issue that is approached in that fashion.

Sunday, November 4, 2007

RBN - Fake Tools, Rogue software, Bank of India, PDF, and more – the common thread (3 of 3)


This blog primarily uses a quantitative organizational analysis as its core approach in the study of the Russian Business Network (RBN). To study a "soft" organization such as the RBN, look for interaction with external entities, behavioral patterns, a history of quantifiable actions, and common threads, with the aim of reducing the complexity the RBN hides behind. To begin the third in the series on RBN “fake” or “rogue software”, figure 1 demonstrates this simplicity.




In article 2 of 3 we were able to demonstrate that at least 40 of about 57 well-known fake anti-spyware / anti-malware / rogue software products originated from RBN sources. It is also known that the RBN was behind other recently publicized events such as the Bank of India hack and the PDF exploit, so what is the common thread?

Firstly, let us highlight a few key RBN “retail” exploit delivery methods:

a. Gozi/Ursnif/Snifula trojans = 76service, PDF exploit, etc.

b. Trojan Zlob + = Malware Alarm, AntiVirGear, etc.

c. iFrame = iFrame Cash, Bank of India etc.

To target the RBN (figure 1) we compare the delivery methods with specific organizational elements; for simplicity this is based upon the AS (Autonomous System: a collection of routers under a single administrative authority):

RBN (AS 40989) – Source and destination of a majority of RBN fakes, PDF exploit and the Bank of India Hack.


Estdomains (AS 27595) – The domain registrar for the majority of the RBN fakes, with its own hosting for them; X-TRAFFIC.BIZ was also one of the key domains used in the Bank of India hack, within Intercage.




Intercage (AS 27595) - Also known as Inhoster (xbox.dedi.inhoster.com - Ukraine) and Atrivo (US). (Note: interestingly, Broadwing Communications, a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT - appears to be the core mail carrier and mirrored hosting for AS 27595.) This hosts or acts as a name server for 34 of the 40 fakes, but also carries IP address 58.65.239.66, one of the 2 domains involved in the Bank of India hack.




The “5” stooges – alternative hosts or carriers of many of the RBN fakes and other RBN exploits. To be charitable, it could be said these are just being duped; however, noting the many complaints within security forums and blogs over some time, this blog is not inclined to be charitable. They are:

CRONOS - AS 42773 (Latvia)

GLOBALTRADE - AS 39634 (RU)

PILOSOFT - AS 26627 (US)

STARHUB - AS 4657 (Singapore)

TIMEDOTCOM - AS9930 (Malaysia)


In conclusion:

It is important to recognize the scale of the RBN fakes, i.e. over 4 million internet visitors per month.

The same RBN organizational structure is responsible for a majority of the major internet and PC security threats and exploits seen over recent times, e.g. Bank of India hack, PDF spam exploit, Mpack, etc.

The “stooges” and other server operations that even unknowingly house RBN operations should act to prove they are not working in tandem with the RBN, not vice-versa.

For example, this blog is housed by Blogger, which is Google. As any organization does, the RBN has elements which are not titled RBN, written in Russian, or physically based in St. Petersburg. So let us commence to be realistic, i.e. AS 27595 - Intercage, Estdomains, et al. - IS A FUNDAMENTAL PART OF THE RBN!


References:

These 3 articles could not have been possible without the information, feedback and encouragement of many, in particular:

Dancho Danchev, Scott Berinato and Don Jackson, Symantec, McAfee’s Site Advisor, Spyware Warrior, ISC SANS, ZDNet



Appx - Final list of the 57 fakes / rogue software: 40 specific RBN fakes studied, 17 other lesser fakes.
