|
Spam, DDos and the RBN nazis
|
|
02-26-2008, 08:56 PM
(This post was last modified: 02-27-2008 02:33 AM by LoopRadar.)
Post: #1
|
|||
|
|||
|
Spam, DDos and the RBN nazis
In light of the recent ddos attacks and the continual problem with spam in the forum I thought I would share some basic info on who these forces are.
Indeed this is highly organized and professional criminals with some nasty political stances. This is a brief introduction, but it might be expanded upon later. (Input is welcome.) First, what is dos/ddos?: ddos stands for "Distributed Denial of Service" http://learn-networking.com/network-securi...service-attacks (Scroll down to the DDoS section in particular.) Most of the spam and ddos attacks we see today comes from botnets like 'Storm': http://en.wikipedia.org/wiki/Storm_botnet One of the most famous ddos attacks to date was the attack on Estonia in May 2007 in which most of the countries internet and networking capabilities was disabled. Recently 'Prolexic technologies' reported an upwards of 7000 attacks daily. The anti-spam org. spamhaus.org has also been targeted as has various 'Honeypot' Projects. Other popular attack-vectors used by spammers include the "Profile Spam", the "Bot" or the "Referrer" approach. Though it should be noted that these are not at the same level of intensity or sophistication, but might still originate from the same sources. The botnet is maintaned by spreading rootkits or 'Trojans', mainly via spam e-mail and social engineering thechniques. Once launched the rootkit takes control over essential network functions on the victims computer which then becomes a 'node' in this wast botnet: http://www2.gmer.net/mbr/ (And remember kids, MBR runs on Microsoft PC's ONLY. However, the press likes to ignore this fact.) A good resource for dealing with a suspected infection: http://www.gmer.net/index.php (I would recommend all 'Windows' users to consider using 'Gmer'.) Storm was created, and is run and maintained by the 'Russian Business Network' (RBN): http://en.wikipedia.org/wiki/Russian_Business_Network They even rent their services, also known as "ddos reselling", to third parties who in turn can use the (Storm) botnet to attack or extort anyone they feel like. E.g: http://www.talkgold.com/forum/showthread.php?t=205589 Quote:am a long standing and respected member of TalkGold who feels itand: http://www.hothyips.com/details/Golden+Pat...nvest.6498.html (Yeah, souns like a good "investment", doesn't it?) Quote:February 19, 2008 (Computerworld) The Russian Business Network, a notorious hacker and malware hosting network, runs a protection racket that extorts as much as $2,000 a month in fees for "protective Web services" from borderline sites, a researcher alleged today.Backed by high-level russian politicians they don't have much to fear and can continue to act as they please. Quote:ACCORDING to VeriSign, one of the world's largest internet security companies, RBN, an internet company based in Russia's second city, St Petersburg, is "the baddest of the bad". In a report seen by The Economist, VeriSign's investigators unpick an extraordinary story of blatant cybercrime that implies high-level political backing.Source HERE It it obviously very capable individuals behind this. Quote:So what is new? Well the exploit sites are now using a fast-flux P2P botnet and the exploit is polymorphic i.e. the ability to alter its form and mutate.Source HERE 'RBN' is also known for their "bulletproof" hosting of, among other, drug-selling and child pornography sites. Not only that, several major Internet providers such as Tiscali.uk, SBT Telecom, Aki Mon Telecom and Nevacon LTD. have been called on providing services to RBN. So not only does Microsoft provide a level of security that is laughable to it's customers, but the ISP's are also complicit in this crimewave. Microsofts shady business practice as a whole has been well documented all over the web, so I'll suffice to say they are not worth your time, your money or your peace of mind. Quote:...was the case with the recent attack against the Bank of India, in which attackers compromised the bank's Web site using Mpack, a veritable Swiss Army knife of Web browser exploits. When Microsoft Windows users visits an Mpack-infected site with a browser or Windows installation that is not updated with the latest security patches, Mpack uses those flaws to silently install password-stealing software on visitors' machines.Source HERE Seriously, you don't need more. Just stay away from them. RBN's political/ideological connections to the russian nazi group '1488 RU' is also apparent, both in terms of hosting, protecting and possibly financing: "A violent, and very well financed Russian Nazi group. The 14 represents the 14-word slogan: "We must secure the existence of our people and a future for White children and 88 represents eighth letter of the alphabet, with HH standing for Heil Hitler." ![[Image: RBNexploit_jidov1488.jpg]](http://bp1.blogger.com/_SvDjzn4xfyE/R4J7dvPXcbI/AAAAAAAAALQ/6JXmH3nIkPA/s320/RBNexploit_jidov1488.jpg) Quote:(RU) Друзья, мы рады сообщить Вам, что теперь сайт 1488.ru доступен из доменной зоны Jidov.net . Развитие проекта идет полным ходом. Благодарим Вас за внимание к нашему ресурсу. Скоро мы сможем предложить Вам регистрацию доменов третьего уровня в наших доменных зонах (Ваш ник.1488.ru и Ваш ник.jidov.net). Так же, мы готовы предложить вам размещение банеров на страницах нашего ресурса.(Funny sidenote for the paranoid among us; Try searching for 'youtube' and '1488.ru' and see what comes up. :ouch:) 1488 are also linked to other ultra right wing groups and seem to be doing a lot of netwoking not only on-line. Hopefully this will help people realize the seriousness of the situation and make them take the appropriate steps to, at least, avoid aiding in the continued expansion and power of this criminal conspiracy. Beware of fake anti-spyware/anti-virus or "too-good-to-be-true" security software and fake codecs. And under any circumstance do not click on links in spam or e-mail from unknown sources or that does not contain a pgp signature. LR Note: Phrases or words contained within ' and ' are good for googling. :wink: Edit: Post updated and expanded. ![[Image: t_RBNexploitim_80ea8b4.jpg]](http://img01.picoodle.com/img/img01/4/2/13/t_RBNexploitim_80ea8b4.jpg) 88.255.90.0/24 and 88.255.94.0/24 - Abdallah Internet Hizmetleri/RBN nazi's |
|||
|
|
02-27-2008, 01:58 AM
Post: #2
|
|||
|
|||
Spam, DDos and the RBN nazis
Quote:thanks LR. using gmer now. you know you're shit for sure. many thanksThank you nik. I've updated the post with some more info and resources already. LR 88.255.90.0/24 and 88.255.94.0/24 - Abdallah Internet Hizmetleri/RBN nazi's |
|||
|
|
|
02-29-2008, 04:53 AM
Post: #4
|
|||
|
|||
|
Spam, DDos and the RBN nazis
I don't believe this shit sometimes. A bank gets ddos'd and does fuck all. If it were my bank, RBN's upstream provider would have a 100,000 $ dead or a live bounty on his head. I'd simply tell the fucker to drop RBN or prepare his will.
|
|||
|
|
|
03-10-2008, 10:58 PM
(This post was last modified: 03-11-2008 02:04 AM by LoopRadar.)
Post: #5
|
|||
|
|||
|
Spam, DDos and the RBN nazis
Important update (Ctrl et al, take note.)
Add to/make blocklist. Remember to update from: http://doc.emergingthreats.net/ and in particular: http://www.emergingthreats.net/rules/bleed...rbn-BLOCK.rules Quote:#Source HERE Also check THIS And: Quote:To cover traffic from the RBN's fake anti-spyware tools (partially within Spamhaus XBL):Source HERE The Neo-Nazi's march on. In particular note the new Chinese ip-ranges. The RBN have been busy bribing their way onto the Chinese ISP's. How they manage the registrars for domain management etc. is clouded in a misty shroud of, you guessed it, hard cash and/or bribery... (Child-pron exposé, anyone?) Watch the continued silence by the MSM and good luck. Thank's LR Edit: RBN's Chinese friends (i.e. domain reg/admin): http://china-channel.com/ 88.255.90.0/24 and 88.255.94.0/24 - Abdallah Internet Hizmetleri/RBN nazi's |
|||
|
|
|
03-11-2008, 12:41 AM
(This post was last modified: 03-11-2008 01:10 AM by LoopRadar.)
Post: #6
|
|||
|
|||
Spam, DDos and the RBN nazis
Quote:I don't believe this shit sometimes. A bank gets ddos'd and does fuck all. If it were my bank, RBN's upstream provider would have a 100,000 $ dead or a live bounty on his head. I'd simply tell the fucker to drop RBN or prepare his will.http://sunbeltblog.blogspot.com/2007/09/up...k-of-india.html LR Edit: Not so simple... Quote:In order to exchange traffic, each network has to negotiate agreements with its peers so that they can communicate 88.255.90.0/24 and 88.255.94.0/24 - Abdallah Internet Hizmetleri/RBN nazi's |
|||
|
|
|
03-11-2008, 11:47 PM
Post: #7
|
|||
|
|||
|
Spam, DDos and the RBN nazis
Hello Turkey.
The Shadowserver Foundation Wrote:Saturday, 1 March 2008IP ranges: 88.255.90.0/24 and 88.255.94.0/24 For whatever it's worth...:smirk: LR 88.255.90.0/24 and 88.255.94.0/24 - Abdallah Internet Hizmetleri/RBN nazi's |
|||
|
|
|
03-14-2008, 07:22 AM
Post: #8
|
|||
|
|||
|
Spam, DDos and the RBN nazis
How does one use the rules from emergingthreats?
|
|||
|
|
|
04-04-2008, 04:16 AM
Post: #9
|
|||
|
|||
|
Spam, DDos and the RBN nazis
There is a high probability that RBN building is located at:
Russian Business Network 12 Levashovskiy prospect. 197110 Saint-Petersburg Russia (More on the individuals in charge of RBN to follow shortly.) LR 88.255.90.0/24 and 88.255.94.0/24 - Abdallah Internet Hizmetleri/RBN nazi's |
|||
|
|
|
04-04-2008, 05:00 PM
(This post was last modified: 04-04-2008 07:50 PM by LoopRadar.)
Post: #10
|
|||
|
|||
|
Spam, DDos and the RBN nazis
Here we go!
The people in charge: Nikolay Ivanov: Nikolay Ivanov is strongly involved into RBN. Indeed, he is or has been the registrant for most RBN entities domains (rbnnetwork.com, akimon.com and sbttel.com). It is possible that this personal website is the home page of the same Nikolay Ivanov: http://nikolay-ivanov.narod.ru Nikolay Ivanov seems to be liable for everything relating to RBN communication (support, whois record...). It is highly probable that Nikolay Ivanov use the pseudo nickname Tim Jarret to communicate with others. --- "We can't understand on which basis these organizations have such an opinion about our company," Jaret of the Russian Business Network told Wired in an e-mail interview. "We can say that this is subjective opinion based on these organizations' guesswork. -Jaret an RBN Spokesman --- Vladimir Kuznetsov: ![[Image: foto1.jpg]](http://kuznetsov.spb.ru/images/foto1.jpg) Vladimir Kuznetsov is very implicated in DNS registration for Datapoint/Infobox. Vladimir Kuznetsov is supposed to have been one of the leaders of RockPhish Group according to iDefense. Vladimir Kuznetsov has its own website: http://kuznetsov.spb.ru/ Domain names below may be his own: 6i.com 6ymuk.ru Afiha.com Agitmedia.com Angaragroup.com Canonis.com Cruiseflare.com Ellissexton.com Extremal.info Infobox.org Internetmediainvestmentgroup.com Iporcapital.com Iporussia.us Mediaheap.com Moskva.biz Over-d.com Ponochka.com Rurecord.com Rus-green.info Shoe-markets.com Spb.biz Sviaz.biz Sviaz.info Vladimirkuznetsov.com Webservicereview.com Yanzex.net Zabava-bar.com Zunuzin.com. --- It is now public knowledge that AbdAllah Internet Hizmetleri is under the control of RBN. - Spacequad AntiSpam Services --- Alexei Bakhtiarov: As Vladimir Kuznetsov, Alexei Bakhtiarov is one of the two most important members of Infobox. Alexei is also very involved in whois registration because we can find 100 domains where he is registrant. Whole Datapoint address range has been registered by Alexei Bakhtiarov. This guy may be the Datapoint CTO as we can see an interview from him about a DDOS attack: http://www.spiegel.de/international/world/...,497841,00.html Stepan Kucherenko: Stepan Kucherenko is supposed to be the technical guy. He may lead the IT staff. He has also be mentioned in the network whois of TwoCoinsSoftware (81.95.144.0/22). He may be one of the RBN leaders. Stepan Kucherenko may also have some personal relations into Peterstar that are used to get easier Internet access. Flyman: According to iDefense/Verisign, flyman is the main RBN leader. http://www.theage.com.au/news/business/fro...5043032049.html He could be the real brain of this complex organization. He is well known by law enforcement because of child pornography. Although pursues have already been attempted against him, he has very strong political protection that can offer him to continue to develop its traffic without being worried by polices. http://www.guardian.co.uk/technology/200...news.crime Wrote:It is thought that the RBN's leader and creator, a 24-year-old known as Flyman, is the nephew of a powerful and well-connected Russian politician. Flyman is alleged to have turned the RBN towards its criminal users. (The above as opposed to the following fake/goosechase info: RBN (81.95.144.0) role: RBusiness Network Registry address: RBusiness Network address: The Century Tower Building address: Ricardo J. Alfari Avenue address: Panama City address: Republic of Panama phone: +1 401 369 8152 person: John Kerch address: Republic of Panama e-mail: ripe@rbnnetwork.com phone: +1 401 369 8152 mnt-by: RBN-MNT person: Joseph Igopolo address: Republic of Panama e-mail: support@rbnnetwork.com phone: +1 401 369 8152 mnt-by: RBN-MNT NEVACON (194.146.204.0/24) person: Josh Buslow address: Republic of Panama phone: +1 505 559 4493 e-mail: ripe@nevacon.net mnt-by: NEVSKCC-MNT person: Tony Root address: Republic of Panama phone: +1 505 559 4493 e-mail: support@nevacon.net mnt-by: NEVSKCC-MNT SBT-TELECOM (81.95.156.0/22) person: Kisho Kato address: Seychelles, Victoria phone: +1 203 903 0125 e-mail: kisho@sbttel.com mnt-by: SBT-MNT person: Malik Sasho address: Seychelles, Victoria phone: +1 203 903 0125 e-mail: malik@sbttel.com mnt-by: SBT-MNT ....) Further possible affiliates and associates (compare to list(s) above, pending further investigation/confirmation): Akimon (81.95.152.0/23) (Akimon is veryfied RBN.) person: Sergey Startsev address: Russia, St.Petersburg phone: +7 903 0983277 e-mail: ripe@akimon.com mnt-by: AKIMON-MNT person: Nikolay Obraztsov address: Russia, St.Petersburg phone: +7 903 0983306 e-mail: support@akimon.com mnt-by: AKIMON-MNT SilverNet (89.223.88.0/21) (SN is veryfied RBN.) address: 7/5 address: Bogatyrsky pr. address: 197341 Saint-Petersburg address: Russia phone: +7 812 4381058 phone: +7 812 4485354 fax-no: +7 812 4381058 person1: Pavel Sokolov address: 7/5 address: Bogatyrsky pr. address: 197341 Saint-Petersburg person2: Vladimir Manov address: 7/5 address: Bogatyrsky pr. address: 197341 Saint-Petersburg Online Invest group LLC (195.64.162.0/23) (DDos/extortion/money-laundering) address: 17653 St. Petersburgh Russia address: pr. Metallistov 12 of. 32 e-mail: admin@domhost.com.ru mnt-by: onlineinvest-mnt person: Main Technichal Account address: 17653 St. Petersburgh Russia address: pr. Metallistov 12 of. 32 phone: +78129486712 Credolink (80.70.224.0/24) address: 28/2, Komendantskiy pr. St.Petersburg, 197372, Russia phone: +7 812 4384600 fax-no: +7 812 4384602 remarks: SPAM issues - abuse@mns.ru Mail and News issues - postmaster@mns.ru Customer support - support@mns.ru Hosting issues - hosting@mns.ru e-mail: noc@mns.ru Delta Systems (193.93.232.0/22) address: 190000, 39 Kazanskaya st. address: St. Petersburgh Russia e-mail: admin@deltasys.ru RusTelecom (195.114.8.0/23) address: Volodarskogo str. 21 Sestroreck , Russia e-mail: info@rustelecom.net mnt-by: RUSTELECOM-MNT person: Main Technichal Account phone: +79217872403 nic-hdl: RUST2-RIPE DATAPOINT (85.249.128.0/20) person: Vladimir E Kuznetsov address: 29, Viborgskaya nab., address: 198215 Saint Petersburg, Russia phone: +7 812 3312999 fax-no: +7 812 3312999 e-mail: abuse@infobox.ru e-mail: vova@kuznetsov.spb.ru person: Rustam A Narmanov address: 29, Viborgskaya nab., address: 198215 Saint Petersburg, Russia phone: +7 812 3312999 fax-no: +7 812 3312999 e-mail: rustam@infobox.ru --- All letters, postcards and «gift-wrapped» items to be shipped to the following address: Russian Business Network 12 Levashovskiy prospect. 197110 Saint-Petersburg Russia Thank you. LR Sources, tools and references: David Bizeul (provided the names first; verified!) The Shadowserver Foundation trendmicro.com research.sunbelt-software.com http://blog.washingtonpost.com/securityfix...business_n.html http://www.spacequad.com/article.php/open_letter http://www.securityzone.org/?p=26 http://www.theregister.co.uk/2007/11/08/rbn_offline/ http://www.joewein.net/fraud/host-abdallah-internet.htm http://ddanchev.blogspot.com/2007/11/sca...ystem.html http://www.bobbear.co.uk/progoldinvestments.html http://ddanchev.blogspot.com/2007_10_01_archive.html (google cached documents now expired) http://www.bobbear.co.uk/happykids.html http://boardreader.com/tp/phishing+report.html http://getpaidforum.com/forums/index.php?s...8560&pid=48 99207&st=0&#entry4899207 (Interesting...!) http://www.threatexpert.com/report.aspx?ui...65-3ea604cf7857 http://64.233.167.104/search?q=cache:WlwSG....90.170&hl= http://www.bobbear.co.uk/ultragame.html http://blog.wired.com/27bstroke6/2007/10/c...oversial-r.html http://news.netcraft.com/ http://www.siteadvisor.com/ http://cidr-report.org/ http://iptoolbox.fr/ hostip.info robtex.com asn.cymru.com/ centralops.net/co/ traceroute.org http://relcom.net/INFO/NOC-IP/lg/lg0.html ripe.net http://www.domaintools.com http://www.google.com http://c.asselin.free.fr spamhaus.org http://www.cio.com/article/135500/ http://labs.idefense.com/intelligence/re...papers.php http://badmalweb.com/ http://rbnexploit.blogspot.com/ (All info gathered from sources above, veryfied and confirmed by my own reaserch.) Edit: Forgot some obvious sources. Added at the end of the list above. (Credit to, where credits due.... Sorry.) :smile: Edit 2: Added pic of Kuznetsov. Edit 3: Added quote from 'guardian' on Flyman. 88.255.90.0/24 and 88.255.94.0/24 - Abdallah Internet Hizmetleri/RBN nazi's |
|||
|
|
|
04-04-2008, 08:08 PM
(This post was last modified: 04-04-2008 08:11 PM by LoopRadar.)
Post: #11
|
|||
|
|||
|
Spam, DDos and the RBN nazis
:RTFM:
And I'm off for a pint and real-humans-beans-interaction... :tongue: LR P.S. No I'm not answering e-mails on this. (Well, not stoopid ones, anyways...) Edit: *mumbles to self*: "paranoid bloody fools. Imma get a new e-mail acc. soon..." 88.255.90.0/24 and 88.255.94.0/24 - Abdallah Internet Hizmetleri/RBN nazi's |
|||
|
|
|
04-05-2008, 02:49 AM
Post: #12
|
|||
|
|||
Spam, DDos and the RBN nazis
Quote::RTFM: There aren't two O's in STUPID. Sorry you bloody fool, I couldn't resist. :tongue: |
|||
|
|
|
04-05-2008, 03:18 AM
Post: #13
|
|||
|
|||
Spam, DDos and the RBN nazis
Quote::scream:HAHAHA!Quote::RTFM: LR 88.255.90.0/24 and 88.255.94.0/24 - Abdallah Internet Hizmetleri/RBN nazi's |
|||
|
|
|
« Next Oldest | Next Newest »
|
User(s) browsing this thread: 1 Guest(s)