Taking on the Russian Business Network
The text below was originally included as part of the story The Washington Post ran today on the Russian Business Network. The content below was cut for space reasons, but I thought the anecdote was interesting and timely enough to include here in the blog.
It deals with a security administrator at a mid-sized U.S.-based Internet service provider who decided to block RBN from reaching his customers. John declined to use his full name for a stated fear of physical and/or digital reprisals by RBN's clients against him and his employer.
John decided to completely block RBN from traversing his network in June, roughly a year after noticing a huge uptick in the number of his customers infected by computer worms, viruses and information-stealing programs that through one route or another fed stolen data back to networks hosted on RBN.
"We played Whack-a-Mole with RBN for about a year, until I got tired of shutting down or cleaning up customers who were compromised after visiting one of these Russian addresses," John said.
In most cases, John's users were being compromised by one of two malicious computer programs whose authors have rented significant Web server space on RBN. The most prevalent invader was the "Storm worm" -- an e-mail-borne contagion that criminals have used to enlist infected machines in all manner of cyber crimes, from hosting online scam Web sites to blasting out spam.
Estimates of the number of computers running Microsoft Windows that are currently infected with Storm range from 1 million to 10 million globally, depending on which anti-virus company is doing the estimating. Most infected machines corralled by criminals into "botnets" are used to anonymously relay junk e-mail, or to serve as a conduit for routing stolen financial data back to organized criminals.
Another invader John had to contend with was the result of customer infections from "Mpack," a virus creation tool that is sold on RBN sites for anywhere from $500 to $1,000, a price that includes personal tech support from the software developers. Mpack is a toolkit designed to create unique infectious programs that exploit known software security holes in several different kinds of Internet browsers.
Attackers typically stitch malicious programs created with Mpack into the fabric of legitimate Web sites that they have hacked. When a visitor arrives at such a site with a Web browser that is not equipped with the latest software security updates, the site silently installs a password-stealing program on the visitor's computer. The victim's stolen data is then regularly forwarded on to a "drop site" pre-arranged by the attackers -- in the case of the Mpack authors, a set of Web servers residing on RBN.
The latest victim of this attack was among the largest financial institutions in India. In late August, the Web site of the Bank of India was compromised by an Mpack-created virus, which forwarded purloined financial data to drop sites at RBN's network, Trend Micro's Paul Ferguson said.
Suddenly, late this summer, the respective authors of Storm and Mpack began attacking each other for control over infected computers. The flare-up resulted from the fact that each group had begun instructing their armies of infected machines to uninstall preexisting installations of the other's software.
The two hacker groups were hitting each other's networks with so-called "distributed denial-of-service attacks," which involve forcing thousands of infected machines to heave so much bogus Internet traffic at an online target that it becomes unreachable. Normally, criminals use such attacks to extort money from commercial Web sites that often find it more expedient to pay a ransom demand than to lose potential sales from legitimate visitors.
It was at the height of this turf war between the warring virus-writing factions that John decided to bar RBN traffic from traversing his company's network. Many of his customers' machines had been used as foot soldiers in that attack, which had chewed up huge amounts of Internet bandwidth in a very short amount of time. As a result, John's company was forced to pay upstream Internet providers handsome surcharges for the excess bandwidth consumed in the attacks.
But within a few months of blocking RBN, John said, his employer had more than made up for the DDoS expenditure, mainly by spending far fewer hours supporting customers with virus-infected machines, or taking down online scam sites or spam-spewing PCs.
"Our instances of spam and infected machines dropped exponentially," he said. Prior to the RBN blockade, John's employer was receiving between 30 and 40 alerts each week from other ISPs complaining about phishing sites hosted by machines on his company's network. In the past two weeks, John has received a total of just three complaints of phishing sites on his network.
By Brian Krebs | October 13, 2007; 12:01 AM ET
Fraud, From the Bunker, Misc.
Posted by: IainB | October 14, 2007 01:08 AM
A very informative article - something we could all learn from. Thank you.