[ISN] Infamous Russian ISP behind Bank of India hack

From: InfoSec News (alerts@private)
Date: Tue Sep 04 2007 - 22:07:48 PDT


http://news.zdnet.co.uk/security/0,1000000189,39289057,00.htm

By Liam Tung
ZDNet Australia
04 Sep 2007

The notorious Russian Business Network has been identified as the ISP 
responsible for a recent information-stealing financial attack

Security firm Sunbelt, which recently discovered that the Bank of 
India's hacked website was serving dangerous malware, has said the 
infamous Russian Business Network, an ISP linked to child pornography and 
phishing, is behind the attack.

The service provider in question has developed a notorious reputation, 
with VeriSign classifying it as "the baddest of the bad" in the ISP 
world in June 2006.

According to VeriSign threat intelligence analyst Kimberly Zenz, the 
Russian Business Network (RBN) is different to other service providers 
because "unlike many ISPs that host predominately legitimate items, RBN 
is entirely illegal".

"A scan of RBN and affiliated ISPs' net space conducted by VeriSign 
iDefense analysts failed to locate any legitimate activity. Instead, 
[our] research identified phishing, malicious code, botnet 
command-and-control, denial-of-service attacks and child pornography on 
every single server owned and operated by RBN," Zenz wrote in a recent 
report.

Zenz added that RBN almost exclusively attacks non-Russian financial 
institutions and that its leaders' family ties with "a powerful St 
Petersburg politician" effectively offer it immunity from prosecution.

Patrik Runald, senior security specialist at F-Secure, said: "No one 
knows who the RBN is. They are a secret group based out of St Petersburg 
that appears to have political connections. The company doesn't 
legitimately exist. It's not registered and provides hosting for 
everything that's bad."

"Their network infrastructure is behind a lot of the bad stuff we're 
seeing and it has connections to the MPack Group [a well-known group of 
cybercriminals which used MPack software to steal confidential data]," 
said Runald.

Runald said that, in the case of the Bank of India's hacked website, RBN 
used an iframe to launch another window, which then pushed victims to a 
webpage containing malicious code.

"That page contained links to three other pages on other servers," said 
Runald. "At the time we started looking into it, two out of three URLs 
had been taken down. The one remaining was trying to use an exploit from 
2006 to affect systems with a Trojan downloader. Once infected, that 
downloader would go out and download another piece of malware, including 
other downloaders," said Runald.

The Trojans used in this case were designed to steal passwords from PCs 
and upload Trojan proxies in aid of developing a botnet.
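The injected iframe is the first link in the chain Runald describes, and it is the part an operator of the compromised site can check for directly. The script below is an added example, not code from the article or from Sunbelt or F-Secure: it collects every iframe on a fetched page and flags those that are hidden (zero-size, display:none, visibility:hidden or positioned off-screen) or that load content from a host other than the page's own. The sample HTML and the hostnames bank.example and evil.example are constructed for the example.

```python
"""Flag injected hidden or third-party iframes in a fetched HTML page.

Added example, not from the article or from Sunbelt/F-Secure. The sample
page below is constructed; bank.example and evil.example are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dim(value):
    """Parse a width/height attribute; None if it is not a plain pixel number."""
    v = value.strip().lower().removesuffix("px")
    return int(v) if v.isdigit() else None


def _is_hidden(attrs):
    """Heuristics for a frame meant to be invisible to the victim."""
    style = attrs.get("style", "").replace(" ", "").lower()
    w = _dim(attrs.get("width", ""))
    h = _dim(attrs.get("height", ""))
    return (
        (w is not None and w <= 1)
        or (h is not None and h <= 1)
        or "display:none" in style
        or "visibility:hidden" in style
        or "left:-" in style          # positioned off-screen
        or "top:-" in style
    )


def find_suspicious_iframes(html, page_host):
    """Return (src, host, reasons) for each iframe that is hidden and/or
    pulls content from a host other than page_host.

    A relative src resolves to page_host; an absolute one is checked by
    hostname so the analyst can pivot on the third-party server.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if host != page_host:
            reasons.append("third-party host")
        if reasons:
            findings.append((src, host, reasons))
    return findings


# Constructed sample: a bank page with one legitimate frame and one injected
# zero-size frame loading a landing page from an attacker-controlled host.
SAMPLE_HTML = """
<html><body>
<h1>Welcome to bank.example</h1>
<iframe src="https://bank.example/rates" width="400" height="300"></iframe>
<iframe src="http://evil.example/landing.php" width="0" height="0"
        style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, host, reasons in find_suspicious_iframes(SAMPLE_HTML, "bank.example"):
        print(f"{src}  host={host}  {', '.join(reasons)}")
```

Run it against the HTML as the server actually sends it (curl or a raw socket fetch), not against the files on disk: an injection that lives in a web-server module, a template include or a database-backed page will not show up in the static source. The host column is what to pivot on next, since the attacker's landing page in this case itself pointed at further servers.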

