RBN (Russian Business Network) via Real Host Ltd. is a fairly blatant cybercrime and bullet proof hosting hub. Inhabiting AS8206 Junik based in Riga, Latvia, and is high on any watch list. (ref1 & ref2)
As Dynamoo points out ‘A real sewer’ (ref3), moreover this has all the hallmarks and operational elements of the apparently fragmented RBN, either as a resurgence or a clone of the RBN’s business model.
Fig 1 – Front page of installing cc – Zeus botnet rental & loading
Of more current interest, this is the base for distributing the new and as yet un-patched ‘Zero day Flash/PDF exploit’ (ref 4), Zero day MS e.g. Directshow – MS09-028, and a core center for the Zeus botnet C&C (command and control) the # 1 botnet in the US with an estimated 3.6 million PCs infected.
Also known but updated usage of RBN methodologies:
# Rock Phish – which originally introduced the Zeus (aka WSNPOEM) Trojan.
# ZeuEsta (a mix of the ZeuS crimeware and the El Fiesta Exploit Kit). However, since April 17 2009 ZeuEsta in combination with SPack Exploit Kit (ref 5)
Fig 2 – iSell.cc – Stolen: Bank logins, credit cards, PayPal Sales and IDs – On Real Host
Fortunately in more recent times there are several good sources within the Open SEC community of up-to-date information as to malware domains, spam centers, botnets, to select a few:
- Spamhaus – SBL75831 – lists the net block for Phishing and Malware hosting. (Ref 6.)
- Fire – shows up to 9 complete malware servers over recent times. (Ref 7.)
- MalwareURL – shows currently 199 domains hosting amongst other badness; 18 trojans, 25 redirects to exploits and rogue anti-virus, 6 Botnet C&C (command and control) (Ref 8.)
- Google’s Safe Browsing – shows for AS8206 Junik in the last 90 days; 12 sites providing malicious software for drive by downloads, 102 sites acting as intermediaries for the infection of 11,810 other web sites. Finally it found 161 websites hosting malware that infected 20,681 other web sites.
- Google’s Safe Browsing – as an example for just one of the domains – 71.speed.info – 32 scripting exploits
The Results of Investigation and Reporting the Issues
Fig 3 – Real Host Routing – as of 073109
Fig 4 – Real Host Routing – as of 080309
Money Mule sites – the Barwells Group and NewskyAG reveals the following:
‘During the trial period (1 month), you will be paid 2,000 USD per month while working on average 3 hours per day, Monday-Friday, plus 5 commissions from every transactions or task received and processed. The salary will be sent in the form of wire transfer directly to your account. After the trial period your base pay salary will go up to 3,500USD per month, plus 5 commissions.’
Clearly this is a money mule recruitment program. Sounds pretty good for 3 hours work per day!
Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme as shown by this quote from yahoo answers:
In summary Real Host from within Junik serves;
- exploits including un patched (or soon to be patched) 0days
- Payloads to drop on victim PCs including: fake codecs, banking trojans, spambots, fake antivirus, down loaders and even a Mac trojan
- phishing sites,
- money mule recruitment sites;
- Zeus botnet Command and Control servers
- Distributing licensed software (Warez),
- Illegal porn content
Added to which is a center for the RBN cybercrime business model;
- botnet rental,
- botnet loading,
- iFrame exploit affiliate,
- credit card trading forums,
- openly selling credit card, PayPal accounts and bank logins, over 10,000 ‘newly harvested’
So who is Real Host Ltd.?
To start with the net block is leased from Junik by Alex Spiridonov, Abay Street 2a, Almaty, Kazakhstan. However, here are just a few other tell tale signs:
- Many of the domains are ex-Estdomains.
- All of the websites are in Russian or for the trading arm Russian / English.
- Older entities which many had thought were dead and gone are here; Barwells Group, Newsky, Web-Alfa, and good old Botnet.Su
All of these were operational elements of RBN (Russian Business Network). So this may not be a reincarnation of the RBN but are clearly Russian organized cyber criminals, in the same vein and at least headed by someone from the old RBN school.
Further manual investigation led to the following information on domains supplied by Real Hosts:
IP Domain Purpose
184.108.40.206 yourgoogleanalytics.us Money Mule Recruiting
220.127.116.11 barwellsgroup.cn Money Mule Recruiting
18.104.22.168 Vikd3jj-3.com Malware
22.214.171.124 2k90.cn Malware
126.96.36.199 Mac-videos.com Mac Trojan
188.8.131.52 71speed.info Banking Trojan – Silent Banker
184.108.40.206 bestxvids.info Zlob
220.127.116.11 traffic-searches.cn Botnet C&C
18.104.22.168 1gigabayt.com Zeus C&C
22.214.171.124 iframepartners.com iframe sellers
126.96.36.199 Chlenopopik.com Zeus C&C
188.8.131.52 Megavipsite.cn Malware
184.108.40.206 Traffcount.cn Malware
220.127.116.11 Newskyag.com Money Mule Recruiting & Zeus C&C
18.104.22.168 Traffic-exchange.ru Part of iframe redirection service
22.214.171.124 vlkontacte.ru Russian Social Network Phish
126.96.36.199 Botnet.su Zeus C&C
The Botnet.su & related installs.cc domains, the attackers clearly arent trying to hide their motives on this one! This domain was previously used by the RBN along with NewskyAG and others. Zeus is of the most common threats being hosted from Real Hosts network.
5. Abuse CH ZeuEsta & SPack kit