
Finjan: Chinese Fill Void Left by Russian Business Network (RBN)

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Dec 20, 2007 3:20 pm

Finjan: Chinese Fill Void Left by Russian Business Network (RBN)

Nice little write-up by Jim Carr, SC Magazine’s west coast bureau chief:

An intricate network of servers operated by Chinese criminals has moved into the void created when the notorious Russian Business Network (RBN) shut down, according to a report from anti-crimeware vendor Finjan.

December's "Malicious Page of the Month" report from Finjan's Malicious Code Research Center (MCRC) notes that the RBN “has suddenly picked up from its St. Petersburg digs and diversified…spreading its activity to new chunks of IP addresses, with RBN-like activity almost immediately appearing on newly registered blocks of Chinese and Taiwanese IP addresses."

Iftach Amit, director of security for the MCRC, told SCMagazineUS.com that the Chinese group's activity is “an evolution of the Russian Business Network."

“All of the criminal activity over the internet has financial gain behind it, and if you shut down one part of the system, it's bound to bounce back because of market forces,” he said.

The report also noted that MI5, the United Kingdom's counter-intelligence agency, warned 300 U.K. chief executives and security experts of an increased risk from Chinese hackers following an attack on government servers.

Amit said Chinese cybercriminals scan the internet searching for vulnerable U.S. and European hosts at universities and government offices. The hackers then take advantage of misconfigured or unpatched systems, infecting them with IFRAME or JavaScript code, Amit said. The victim is then redirected to a series of sites containing IFRAMEs, including those belonging to the Chinese network.

Other trojans are then downloaded to the victim's compromised PC and another IFRAME sends personal data, such as banking authentication credentials, to the network of Chinese servers. That information is used for tracking and statistics, as well as online transactions, without user knowledge, said Amit.

"It's very sophisticated," he said. "They are able to circumvent many of the security measures the banks have taken."


Original SC Magazine story HERE.

Don
CISSP, MCSE, CSTA, Security+ SME
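The quoted article describes compromised university and government web hosts being seeded with IFRAME or JavaScript code that silently pulls content from the criminal network's servers. The following is an added example, not code from the forum post, from SC Magazine or from Finjan's report: a defender-side scanner a web administrator could run over the pages their own server serves, flagging IFRAMEs that point at hosts outside an allow-list or that are hidden or zero-sized, plus inline scripts carrying common obfuscation markers. The allow-list, the `.invalid` placeholder host and the sample page are constructed for this example.

```python
"""Scan served HTML for injected hidden IFRAMEs and obfuscated scripts.

Added example, not code from the forum post or from Finjan's report: a
defender-side check for the IFRAME/JavaScript injection the article
describes. Allow-list and sample page are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts our own pages legitimately frame or load scripts from (assumed).
TRUSTED_HOSTS = {"www.example.org", "cdn.example.org"}

# Tokens that commonly appear in obfuscated inline loaders (heuristic).
OBFUSCATION_MARKERS = ("unescape(", "fromcharcode(", "eval(")


def _is_hidden(attrs):
    """True for frames with zero/near-zero size or CSS that hides them."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip().lower().removesuffix("px")
        if val.isdigit() and int(val) <= 1:
            return True
    return False


class InjectionScanner(HTMLParser):
    """Collects (kind, src_or_snippet, reason) tuples for suspicious elements."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if tag == "iframe":
            reasons = []
            if host and host not in TRUSTED_HOSTS:
                reasons.append(f"external host {host}")
            if _is_hidden(a):
                reasons.append("hidden or zero-size frame")
            if reasons:
                self.findings.append(("iframe", src, "; ".join(reasons)))
        elif tag == "script":
            self._in_script = True
            if host and host not in TRUSTED_HOSTS:
                self.findings.append(("script", src, f"external host {host}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the raw <script> body to handle_data.
        if self._in_script:
            lowered = data.lower()
            hits = [m for m in OBFUSCATION_MARKERS if m in lowered]
            if hits:
                snippet = data.strip()[:60]
                self.findings.append(
                    ("inline-script", snippet, "obfuscation markers: " + ", ".join(hits))
                )


def scan_html(html):
    """Return the list of suspicious elements found in one HTML document."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a benign page with two injected elements appended.
SAMPLE_PAGE = """<html><body>
<h1>Library catalogue</h1>
<script src="https://cdn.example.org/site.js"></script>
<iframe src="https://www.example.org/news" width="600" height="400"></iframe>
<iframe src="http://attacker-placeholder.invalid/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, where, why in scan_html(SAMPLE_PAGE):
        print(f"{kind:14} {why:50} {where}")
```

Run against a crawl of your own site (or a diff of page checksums against a known-good copy), this catches the injected frame and the obfuscated loader while leaving the allow-listed script and the visible, trusted frame alone; treat it as a triage signal, since a legitimately hidden frame or a packed but benign script will also trip it.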
shawal

Jr. Member

Posts: 88

Joined: Mon Mar 10, 2008 1:24 pm

Post Tue Mar 11, 2008 4:16 pm

Re: Finjan: Chinese Fill Void Left by Russian Business Network (RBN)

Nice, the article is 3 months old. He did not present enough facts; just because the RBN site is down, that does not mean that they are out of biz. According to the Wikipedia article there are still some reports till last month. That does not mean there will be no other underground networks surfacing. All I am saying is, as long as there are botnets, phishing, vishing, pharming, and harvesting scams, most likely these networks are behind them as a means of renting attacks and leasing computer resource time.

Where would be the next sploits auction site?
RHCE, GIAC GCIH.

dean

Post Tue Mar 11, 2008 10:20 pm

Re: Finjan: Chinese Fill Void Left by Russian Business Network (RBN)

shawal wrote: Nice, the article is 3 months old, he did not present enough facts, just because the RBN site is down....


Well, it was posted 3 months ago. The article was written after the RBN changed netblocks. They moved to Chinese ISPs. They moved again soon after due to pressure from the Chinese Government.

Rather than explain the relationship between the RBN, botherders, spammers, etc... and how the RBN provides services to them or purchases services from them go here:

http://rbnexploit.blogspot.com/

dean
RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Mar 12, 2008 10:38 am

Re: Finjan: Chinese Fill Void Left by Russian Business Network (RBN)

dean wrote: Rather than explain the relationship between the RBN, botherders, spammers, etc... and how the RBN provides services to them or purchases services from them go here:

http://rbnexploit.blogspot.com/


Nice link, think I'll be spending a bit of time studying that. Can't explain why, as I've never had enough time to investigate too deeply, but botnets and associated 'naughtiness' have always piqued my interest.
shawal

Jr. Member

Posts: 88

Joined: Mon Mar 10, 2008 1:24 pm

Post Wed Mar 12, 2008 11:01 am

Re: Finjan: Chinese Fill Void Left by Russian Business Network (RBN)

RoleReversal,

please share your findings with us. I am also interested; having the possible ability to control the largest computational resources worldwide amazes me, especially when it is a very heterogeneous environment spreading over the globe. The financial and business (Mob) side of it is also interesting to follow up (how can people get away with murder? ???)
RHCE, GIAC GCIH.
RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Mar 12, 2008 3:35 pm

Re: Finjan: Chinese Fill Void Left by Russian Business Network (RBN)

shawal,

the story that started my interest in botnet tracking was written by Steve Gibson of GRC.com. Basically it was a write-up of his investigations into a real-life DDoS attack experienced by his company. It included everything from a detailed explanation of the attack experienced to writing a custom IRC bot to snoop on the attackers' botnet command and control structure.

I've spent all afternoon trying to find a link to the story, but everything I find points to a 404 error on the GRC site, so it looks like it has been taken down for some reason. If you have as much luck as I did finding it, PM me, as I may have a saved copy on one of my work machines.

One of the botnet investigations I have undertaken myself was an IRC bot I cleaned from a client's server. Unfortunately I was unable to take the investigation as far as I would have liked, as the C&C deactivated before it could be infiltrated. From packet traces obtained during the incident it appeared the bot was part of a spam-sending network and wasn't very subtle: at random times of the day it would max out the server's 100Mb connection, which made finding the issue child's play.

An aspect of the bot that I found rather amusing after pulling its code apart is that it seemed to be programmed to throw random insults to the command line. I am now the proud owner of a rather large file containing little more than insults about 'yo' mamma' ;)

In response to your question about people getting away with murder: from experience, in situations like this it can be very difficult, if not impossible, to find the true 'botmaster'. Often the best you can do is clean up, inform any parties that have been involved in the investigation and try to prevent a similar intrusion next time. Regularly, the only machines/IPs/people that you can identify are just regular users like yourself, all blissfully unaware or trying to deal with the same issue.

I recently attended a seminar on forensic investigations where one of the talks was given by a member of a police 'cyber-crime' department. Before the talk I believed that the police force would largely ignore these types of activities but was impressed by the level of interest and available resources. I now intend to pass all findings of future investigation to the relevant authorities, something that was actively encouraged during the event.

If you intend to delve deeper into these areas I would highly recommend both the SANS Reading Room and archived webcasts, as well as the Honeynet Project. A good starting point in incident response basics is "Dead Linux Machines do tell tales" (http://www.sans.org/reading_room/whitep ... s/1491.php)

Hope this rather long rant is of some interest/use, and happy hunting ;)
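The post above describes a spam bot that gave itself away by saturating the server's 100Mb link at random times of day. The following is an added example, not the poster's tooling: a small flow-record analyser that turns that observation into two per-host signals a defender can alert on, bytes sent per minute measured against the link capacity, and the number of distinct SMTP peers contacted per minute (a server that is not a mail relay should have very few). The flow format (`ts,src,dst,dport,bytes`), the thresholds and the sample records are all constructed for this example.

```python
"""Spot bot-like egress in flow records.

Added example, not the forum poster's tooling. Reduces flow records to two
per-host, per-minute signals: bytes sent against link capacity, and
distinct SMTP destinations. Record format and sample data are constructed.
"""
from collections import defaultdict

LINK_CAPACITY_BPS = 100_000_000   # 100 Mb/s link, as in the post (assumed)
SATURATION_FRACTION = 0.8         # alert above 80% of the link for a minute
SMTP_DEST_LIMIT = 20              # distinct SMTP peers/minute for a non-MTA host
SMTP_PORT = 25


def parse_flows(text):
    """Parse 'ts,src,dst,dport,bytes' lines; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def analyse_flows(flows):
    """Return (src, minute_start_ts, alert_kind, value) tuples."""
    bytes_per_min = defaultdict(int)    # (src, minute) -> bytes sent
    smtp_peers = defaultdict(set)       # (src, minute) -> distinct SMTP dsts
    for ts, src, dst, dport, nbytes in flows:
        minute = ts // 60
        bytes_per_min[(src, minute)] += nbytes
        if dport == SMTP_PORT:
            smtp_peers[(src, minute)].add(dst)

    # Bytes a host can push in one minute at the saturation threshold.
    sat_bytes = LINK_CAPACITY_BPS * SATURATION_FRACTION * 60 / 8
    alerts = []
    for (src, minute), total in sorted(bytes_per_min.items()):
        if total > sat_bytes:
            alerts.append((src, minute * 60, "link-saturation", total))
    for (src, minute), peers in sorted(smtp_peers.items()):
        if len(peers) > SMTP_DEST_LIMIT:
            alerts.append((src, minute * 60, "smtp-fanout", len(peers)))
    return alerts


# Constructed sample: one quiet host and one host spraying SMTP at 25 peers,
# all within the same minute (1205328000 is a minute boundary).
SAMPLE_FLOWS = "\n".join(
    [
        "# ts,src,dst,dport,bytes   (constructed)",
        "1205328000,10.0.0.5,198.51.100.10,443,120000",
        "1205328010,10.0.0.5,198.51.100.11,80,45000",
    ]
    + [f"12053280{10 + i:02d},10.0.0.7,203.0.113.{i},25,30000000" for i in range(1, 26)]
)

if __name__ == "__main__":
    for src, start, kind, value in analyse_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"{start} {src:12} {kind:16} {value}")
```

On the sample, `10.0.0.7` trips both alerts in the same minute (750 MB sent, 25 SMTP peers) while `10.0.0.5` stays quiet. In practice the bytes signal is the one that would have caught the bot in the post, since a link pegged at 100Mb is hard to miss once you are measuring per-host; the SMTP fan-out signal catches a quieter spam bot that rate-limits itself below the link capacity.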
RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Mar 13, 2008 4:29 am

Re: Finjan: Chinese Fill Void Left by Russian Business Network (RBN)

Sorry for responding to my own post.

As if by fate, I have just received an email informing me that there is a new update for Cyber-TA's BotHunter package (www.cyber-ta.org/BotHunter). I haven't had a chance to get this app through the change control process at work to give it a run through, but from reading the site I definitely want to. If anyone has any real-world experience of the tool, can you let me know if it lives up to the hype?

dean

Post Thu Mar 13, 2008 6:50 am

Re: Finjan: Chinese Fill Void Left by Russian Business Network (RBN)

I would not consider it to be 'hype' but in answer to your question:

yes

dean
