Tuesday, February 19, 2008

RBN – Extortion and Denial of Service (DDOS) Attacks

The Russian Business Network (RBN) has long been known for its bulletproof hosting and its control of botnets such as Storm. Apart from the obvious example of an RBN “hired gun” Distributed Denial of Service (DDos) attack on Estonia in May 2007 many have attempted to comprehend and link the RBN’s usage for botnets. Within this article we shed light via several documented examples extorting potential clients into the use of their “specialized” hosting services by the use of DDos, and a further example of RBN’s ecommerce.



For those who wish to understand how a DDos attack works via a botnet see figure 1.


Figure 2 shows the evolution of DDos over recent years based upon purpose and size currently at 17+ Gbps (gigabytes per second) and potentially 7,000 such attacks daily - courtesy of Prolexic technologies (click on the figs to see full size and see links below).




The business model RBN uses is quite simple and effective; its affiliates and resellers comb various niche market forums and discussion areas for webmasters using or discussing protective web services i.e. DDos prevention. Carry out a DDos attack on the website and then provide a third party sales approach to the webmaster to “encourage” a sign up for their DDos prevention services. The cost of this hosting service is $2,000 per month.



These niche markets for the RBN are usually within the Internet market sectors of pornography, and specialized grey areas, e. g. online pharmaceuticals, and HYIP (High Yield Investment Programs). This blog is not commenting on the legitimate purpose or otherwise of these web sites, the RBN is successful as most of these webmasters are not about to publically complain. However it does appear that legitimate hosting services offering a level of DDos prevention are vulnerable to the RBN’s monopolistic efforts, to capture and control this high income business. It further appears many such recruits are then encouraged to mitigate the costs by becoming resellers themselves of the hosting and other RBN services. It should be added that some of these resellers are unaware, or are happy to be ignorant; they are actually part of the RBN reseller community.



For sample details we can start at a HYIP forum “Talkgold” this is a fascinating knock-about discussion on RBN DDos extortion (see link below) and provides some useful clues for RBN exposure.



However, the clearest evidence can be seen within another forum “HotHYIPs” as we can see in figure 3 the details of RBN DDos reselling, figure 4 shows an example of grateful affiliates with a US based affiliate openly stating “Paid very fast. A very good return from a ddos attack.”



The prime sales link for the RBN hosting is via NEAVE LIMITED a UK registered company, but the actual core serving is ELTEL based in St. Petersburg RU, one of the core replacement servers for the RBN post Nov 08, with AS-peers: 30 and 67,584 IP addresses. This is listed within Spamhaus (see link below) “Botnet criminal Indian & .ru/.ua spammer host: NEAVE LIMITED” as of Jan 12th 08.



Eltel: IP range 81.9.8.0 - 81.9.8.255 AS20597, example site hosting; goldenpiginvest.com /.net – the canadianmeds.com – pharmacy-viagra.net



Already some of the notable blacklisted domains listed within the Spamhaus lasso have moved to other RBN utilized AS servers, also using the RBN’s recent blocking avoidance mechanism “*.badsite.com” for sub domains for example:



rxpharmacy-support.com - ns3.cnmsn.com - 204.13.67.108 - 204.13.64.0/21 AKANOC Solutions Inc - AS 33314 (US)



*.thecanadianmeds.com - 79.135.160.0/19 Sistemnet Telecom - AS9121 TTNet (Turkey)



officialmedicines.com - 79.135.165.0-79.135.166.255 AS9121 TTNet (Turkey)



psxshop.com - 66.197.0.0/17 - AS29748 Carpathia Hosting




To further add and demonstrate RBN connectivity “goldenpiginvest.net” links directly to data storage on Level3 Communications; box(dot)net, - see figure 5 - a service that provides the ability to collaborate and share files online. This was shown in an earlier RBN blog article concerning 365fastcash and the RBN’s Panama based servers (see link below). No doubt Level 3 will be able to (again) inform US authorities of the content of these data files, and terminate such services.






Figure 6 – IP diagram for *.thecanadianmeds.com






Links:

Prolexic technologies - DDos information - figures 1 & 2


RBN DDos extortion Talkgold forum discussion


HotHYIPS forum RBN reseller advertising and remarks


Spamhaus botnet lasso - NEAVE LIMITED / Eltel, St. Petersburg RU


Level3 Communications; box(dot)net; goldenpiginvest.net & 365fastcash common linkages

No comments:

Post a Comment