07 November 2007, 20:19

"Baddest of the Bad on the Internet" isolated

Hardly anyone knows about it although it is involved in many cases of internet crime: the Russian Business Network (RBN). It now seems the RBN has become unavailable. We have yet to find out whether its peers shut down virtual connections deliberately or whether there is a technical problem.

The RBN is both a network provider and a web hoster. According to security experts, its purpose is to offer criminals an infrastructure for their illegal activities. Numerous servers in the RBN contain exploits which contaminate visitors' PCs or store malware accessed, for example, by trojan downloaders. The malware programmes then return the data they capture from compromised PCs to the RBN server.

In addition, the RBN also offers bullet proof domains which can be registered in complete anonymity and are very difficult to shut down. The latest exploit involved links in specially crafted pdf documents which link back directly to the RBN to retrieve malware from there. The Storm worm is another example of malware which is deployed from the RBN network on a regular basis.

Nearly all of the RBN's known autonomous systems (AS) have recently disappeared from the global routing tables: RBN-AS, SBT-AS, MICRONNET-AS, OINVEST-AS, AKIMON-AS, CONNCETCOM-AS and NEVSKCC-AS. CREDOLINK-ASN is the only remaining table entry, but its networks have also become unavailable.

The Trend Micro blog speculates that the Internet may have become a slightly safer place as a result. However, this will probably not be the case for long since the RBN is almost certainly working to resolve the problem and find new upstream providers. Futhermore, Trend Micro experts claim to have monitored RBN equivalents in Turkey and Taiwan in the last few weeks. So even if the RBN fails to find new Internet access points, RBN customers could switch to these new providers of criminal networks.