http://blog.wired.com/sterling/2007/11/russian-busines.html

The notorious Russian gang has shut down its St. Petersburg IP addresses, moving to China and elsewhere to evade network IP blocks.

The notorious Russian Business Network ((("the baddest of the bad"))) has suddenly picked up from its St. Petersburg digs and diversified, spreading its unwholesome activity to new chunks of IP addresses, with RBN-like activity almost immediately appearing on newly registered blocks of Chinese and Taiwanese IP addresses, according to security company Trend Micro. (((Great locale for a proxy Estonian webwar attack -- "The CHINESE are launching cybarmageddon!")))

The Internet presence for the RBN, a Russian ISP that's infamous for hosting shady and criminal businesses, blinked off at about 7 p.m. PST on Nov. 6, security researchers at Trend Micro reported the following day. The RBN's IP addresses can no longer be reached, since the routing for them no longer exists as of Nov. 8. In a posting, Trend Micro's Feike Hacquebord conjectured that the RBN's upstream providers may have yanked Internet connectivity services temporarily or even permanently.

For a few moments, Trend Micro researchers imagined the Internet had become, even fleetingly, a tad safer. That hope didn't last long, however. Paul Ferguson, a network architect for the company, told eWEEK that Trend Micro has noticed RBN-like activity on blocks of IP addresses that were registered in China and other locations shortly before the RBN closed down the routes to its St. Petersburg addresses. Although it's hard to put a finger on who's behind the activity, it's "strikingly similar" to what the RBN was doing, Ferguson said, including malware proxying for drive-by downloads. Calling cards for the RBN, for example, have included the MPack and Icepack exploits: malware hosted at third-party locations that serve up sophisticated binary Trojan downloaders.
These downloaders are top-notch professional badware that determine what operating system their prey is running, on what browser, as well as what vulnerabilities are available for exploit. They have long been associated with the RBN, and now Trend Micro is detecting their use at the new Chinese IP digs.

Trend Micro was tipped off by a path that seems to lead back to the RBN and that has been laid in various sites that have had their HTML compromised. The path leads to domains with the recently registered Chinese IP addresses. Some of those domain registries have overlapping IP addresses on the back end, with the same name servers and similar functionality, all bearing the fingerprints of the RBN, Ferguson said.

Trend Micro believes that increasing publicity about the criminal gang is the rationale behind the move, to "fly a little lower under the radar, just to be a little sneakier," Ferguson said. Not that Russian authorities have been particularly energetic about shutting the RBN down, publicity or no.

The RBN is a highly segmented, loosely affiliated criminal organization that specializes in virtually every aspect of online crime, with specialized work being handed out piecemeal to guns for hire, whether it's money laundering, money mule activity, child porn site hosting, search engine optimization for raising page rankings, bulletproof hosting, credit card information theft or raiding of bank accounts. Ferguson has tracked RBN foot soldiers worldwide, to locations such as the West Coast of the United States and to southern India....

-----Original Message-----
From: alac-bounces@atlarge-lists.icann.org [mailto:alac-bounces@atlarge-lists.icann.org] On Behalf Of Adam Peake
Sent: Friday, November 09, 2007 2:16 AM
To: shahshah@irnic.ir; Nick Ashton-Hart
Cc: At-Large Worldwide
Subject: Re: [At-Large] McAfee Study on Safety Risks in most-popular TLDs

At 9:10 AM +0330 11/9/07, Siavash Shahshahani wrote:
Very interesting but the site does not give a link or reference to the full report. Do you know where that can be found?
<http://www.siteadvisor.com/studies/map_malweb_mar2007.html>

Adam
Thank you
Siavash
I thought a number of you might be interested in a recent study by McAfee of the 25 most popular TLDs which was passed along to me. It rates McAfee's view of the security risk posed from browsing in a TLD in various ways.

The study can be accessed at

http://www.securitysoftwarezone.com/online-safety-risks-revealed-by-mcafee-siteadvisor-review271-7.html

--
Regards,
Nick Ashton-Hart
Director, At-Large
ICANN
Main Tel: +33 (450) 40 46 88
USA Tel: +1 (202) 657-5460
Fax: +41 (22) 594-85-44
Mobile: +41 (79) 595 54-68
email: nick.ashton-hart@icann.org
Win IM: ashtonhart@hotmail.com / AIM/iSight: nashtonhart@mac.com / Skype: nashtonhart
Online Bio: https://www.linkedin.com/in/ashtonhart
_______________________________________________
ALAC mailing list
ALAC@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/alac_atlarge-lists.icann.org
At-Large Official Site: http://www.alac.icann.org ALAC Independent: http://www.icannalac.org
-------------------------------------------------
IPM/IRNIC
P.O.Box 19395-5564, Shahid Bahonar Sq.
Tehran 19548, Iran
Phone: (+98 21) 22 82 80 80; 22 82 80 81, ext 113
Cell: (+98 912)104 2501
Fax: (+98 21) 22 29 57 00
Email: shahshah@irnic.ir, shahshah@nic.ir
-----------------------------------------------
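As an added example that is not part of the forwarded article or of the list thread above, here is the infrastructure pivot Ferguson describes, in Python: pull the off-site iframes and scripts out of pages whose HTML was tampered with, then group the landing domains by the back-end IP addresses and name servers they share. Every hostname, address and DNS record is constructed for illustration (.example/.test names, RFC 5737 addresses); nothing here is real RBN infrastructure, and the passive-DNS table is a stand-in for whatever resolver history a practitioner actually has.

```python
"""Infrastructure pivot over injected redirectors (added example, not from the
article or Trend Micro): pull off-site iframes/scripts out of pages whose HTML
was tampered with, then group the landing domains by the IPs and name servers
they share.  Every host, address and DNS record below is made up."""
from collections import Counter, defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Collect the src attribute of every iframe and script tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def injected_hosts(html, page_host):
    """Hosts of absolute iframe/script URLs pointing away from page_host.
    Relative and same-host URLs are the site's own assets; an absolute URL
    to a foreign host is what an injected drive-by redirector looks like."""
    p = _SrcCollector()
    p.feed(html)
    hosts = set()
    for src in p.srcs:
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return hosts


def cluster_by_infrastructure(records, max_fanout=50):
    """Group domains that share an A record or a name server, transitively.
    records: {domain: {"a": [ips], "ns": [name servers]}} (passive-DNS style).
    A pivot touched by more than max_fanout domains is ignored, so a shared
    hosting IP or a registrar's default name servers cannot merge unrelated
    domains into one blob."""
    pivots = {dom: ["ip:" + ip for ip in rec.get("a", [])]
              + ["ns:" + ns.lower().rstrip(".") for ns in rec.get("ns", [])]
              for dom, rec in records.items()}
    fanout = Counter(p for ps in pivots.values() for p in ps)
    parent = {}  # union-find over domain names and "ip:"/"ns:" pivot nodes

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for dom, ps in pivots.items():
        find(dom)
        for p in ps:
            if fanout[p] <= max_fanout:
                parent[find(dom)] = find(p)

    clusters = defaultdict(set)
    for dom in records:
        clusters[find(dom)].add(dom)
    return sorted(tuple(sorted(c)) for c in clusters.values())


def pivot(pages, pdns, max_fanout=50):
    """(hosts seen injected into pages, clusters that contain any of them)."""
    seen = set()
    for host, html in pages.items():
        seen |= injected_hosts(html, host)
    hits = [c for c in cluster_by_infrastructure(pdns, max_fanout) if seen & set(c)]
    return seen, hits


# Constructed sample input: two tampered pages and one clean page.
PAGES = {
    "shop.example": ('<html><body><h1>Shop</h1>'
                     '<iframe src="http://lnd-a.test/in.cgi?3" width="0" height="0"></iframe>'
                     '<script src="/js/app.js"></script></body></html>'),
    "news.example": ('<html><body><p>News</p><script src="http://lnd-b.test/m.js"></script>'
                     '<script src="http://ads.partner.example/tag.js"></script></body></html>'),
    "clean.example": '<html><body><script src="https://clean.example/a.js"></script></body></html>',
}
# Constructed passive-DNS view; lnd-c.test never appears in a page but shares
# an IP with lnd-a.test, which is exactly what the pivot is meant to surface.
PDNS = {
    "lnd-a.test": {"a": ["192.0.2.10"], "ns": ["ns1.bp-host.test", "ns2.bp-host.test"]},
    "lnd-b.test": {"a": ["192.0.2.11"], "ns": ["ns1.bp-host.test"]},
    "lnd-c.test": {"a": ["192.0.2.10", "198.51.100.7"], "ns": ["ns1.other.test"]},
    "ads.partner.example": {"a": ["203.0.113.5"], "ns": ["ns.partner.example"]},
}

if __name__ == "__main__":
    seen, hits = pivot(PAGES, PDNS)
    print("injected hosts:", sorted(seen))
    for c in hits:
        print("cluster:", ", ".join(c))
```

Two things to keep in mind when running this against real data. The name-server pivot is the stronger signal: bulletproof hosters tend to run their own NS for the whole customer base, while an IP overlap on shared hosting is noise, which is why `max_fanout` drops any pivot that touches too many domains. And a legitimate third-party script (the constructed `ads.partner.example` above) will always show up in the injected-host set, so the clustering step, not the extraction step, is what separates a redirector from an ad tag.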