Russian Business Network (RBN)

Everything you wanted to know about the RBN and related enterprises, aka Russian Business Network, RBNnetwork, RBusinessNetwork: the internet community's favorite exploiters, phishers, hacks, spammers, etc. etc. (see spamhaus.org rosko).

Hosting Ukraine Burnt Out - HostExploit

Hosting.ua in Odessa, one of the main data centers and hosts in Ukraine, is offline due to a major fire. AS41665 (Hosting-as, National Hosting Provider, UA), with 144,384 IP addresses, was #4 on the HostExploit Bad Hosts report in December 2009 out of 34,000 ASNs (autonomous servers/hosts) compared for serving badness on the internet, although in the forthcoming HostExploit Top Bad Host report Hosting.ua had demonstrated some improvement over the first quarter of 2010 (see the forthcoming HostExploit Bad Host report, March 2010).

The fire, on the second floor of the "Factory of Business" business center, St. Dal'nic'ka 46, Odessa, occurred at around 10:00 pm local time on the evening of March 27th, 2010 (http://watcher.com.ua). At this time there has not been any official explanation as to the cause of the fire. Fig. 3 shows Hosting.ua currently disconnected from the internet.

Of the 5,381 web sites tested on this network over the past 90 days, 291 of the web sites served content that resulted in malicious software being downloaded and installed.

Labels: hostexploit, hosting.ua, Jart Armin, RBN, Ukraine

RBN - Real Host, Latvia and the Zeus Botnet

RBN (Russian Business Network), via Real Host Ltd, is a fairly blatant cybercrime and bullet-proof hosting hub inhabiting AS8206 Junik, based in Riga, Latvia, and is high on any watch list (ref 1, ref 2); as Dynamoo points out, "a real sewer" (ref 3). Moreover, this has all the hallmarks and operational elements of the apparently fragmented RBN, either as a resurgence or a clone of the RBN's business model.

Fig. 1: Front page of installing.cc (Zeus botnet rental/loading)

Of more current interest, this is the base for distributing the new and as yet unpatched zero-day Flash/PDF exploit (ref 4), zero-day MS exploits (e.g. DirectShow, MS09-028), and a core center for the Zeus botnet C&C (command and control), the #1 botnet in the US with an estimated 3.6 million PCs infected. Also known, but updated, usage of RBN methodologies: Rock Phish, which originally introduced the Zeus (aka Wsnpoem) trojan; Zeuesta, a mix of the Zeus crimeware and the El Fiesta exploit kit; however, since April 17, 2009, Zeuesta in combination with the Spack exploit kit (ref 5).

Fig. 2: isell.cc - stolen bank logins, credit cards, PayPal sales and IDs on Real Host

Fortunately, in more recent times there are several good sources within the open-sec community of up-to-date information as to malware domains, spam centers and botnets. To select a few: Spamhaus SBL75831 lists the net block for phishing and malware hosting (ref 6). FIRE shows up to 9 complete malware servers over recent times (ref 7). MalwareURL currently shows 199 domains hosting, amongst other badness, 18 trojans, 25 redirects to exploits and rogue anti-virus, and 6 botnet C&C (command and control) (ref 8). Google's Safe Browsing shows for AS8206 Junik in the last 90 days: 12 sites providing malicious software for drive-by downloads, 102 sites acting as intermediaries for the infection of 11,810 other web sites; finally, it found 161 websites hosting malware that infected 20,681 other web sites. Google's Safe Browsing, as an example for just one of the domains, 71speed.info: 32 scripting exploits.

The results of investigation and reporting the issues:

Fig. 3: Real Host routing as of 07/31/09
Fig. 4: Real Host routing as of 08/03/09

Money mule sites: the Barwells Group and newskyag reveal the following. barwellsgroup: "During the trial period (1 month) you will be paid 2,000 USD per month while working on average 3 hours per day, Monday to Friday, plus 5% commissions from every transaction or task received and processed. The salary will be sent in the form of wire transfer directly to your account. After the trial period your base pay (salary) will go up to 3,500 USD per month plus 5% commissions." Clearly this is a money mule recruitment program; sounds pretty good for 3 hours work per day. newskyag: not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme, as shown by this quote from Yahoo Answers.

In summary, Real Host from within Junik serves: exploits, including unpatched or soon-to-be-patched 0days; payloads to drop on victim PCs, including fake codecs, banking trojans, spambots, fake antivirus downloaders and even a Mac trojan; phishing sites; money mule recruitment sites; Zeus botnet command and control servers; distribution of licensed software (warez); illegal porn content. Added to which, it is a center for the RBN cybercrime business model: botnet rental, botnet loading, phishing, iframe exploit affiliate, warez, and credit card trading forums openly selling credit card and PayPal accounts and bank logins (over 10,000 newly harvested).

So who is Real Host Ltd? To start with, the net block is leased from Junik by Alex Spiridonov, Abay Street 2a, Almaty, Kazakhstan. However, here are just a few other tell-tale signs: many of the domains are ex-EstDomains; all of the websites are in Russian, or for the trading arm Russian/English; older entities which many had thought were dead and gone are here: Barwells Group, NewSky, web-alfa and good old botnet.su. All of these were operational elements of RBN (Russian Business Network). So this may not be a reincarnation of the RBN, but these are clearly Russian organized cyber criminals in the same vein, and at least headed by someone from the old RBN school.

Further manual investigation led to a table of domains supplied by Real Host's IPs, listing for each IP address the domain and its purpose (money mule recruiting, malware, Mac trojan, banking trojan, Zlob, botnet C&C, Zeus C&C, iframe sellers, iframe redirection service, and a phish of a Russian social network).

The botnet.su-related installs.cc domains: the attackers clearly aren't trying to hide their motives on this one. This domain was previously used by the RBN, along with newskyag and others. Zeus is one of the most common threats being hosted from Real Host's network.

References:
1. Martin Security
2. HostExploit
3. Dynamoo's blog on Real Host / Junik
4. ISC SANS advisory: 0-day Flash/PDF exploit
5. abuse.ch: Zeuesta / Spack kit
6. Spamhaus SBL 75831
7. FIRE
8. MalwareURL

Labels: cybercrime, Jart Armin, rbnexploit, Real Host, Russian Business Network, Zeus botnet

RBN - McColo R.I.P.

RBN (Russian Business Network) in the USA takes another hit, and another victory in the war against internet badness. Alas, poor McColo, I knew them well; so does anyone on the planet who receives email spam. McColo was host to the world's major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems and child pornography. The study published by HostExploit.com was based on tracking and documenting the ongoing cyber criminal activity of McColo and others. Get the report here: HostExploit report.

As a result of the first HostExploit Cyber Crime USA report, which focused on Atrivo / Intercage, and subsequent community actions, there was a quantitative drop of 10% in spam and malware worldwide. While temporary, it does clearly demonstrate that with a concerted and consistent effort by concerned commercial internet network operators a safer internet can ensue. Following Hurricane Electric's awareness of the report's content, at approximately 4:30pm EST on 11/11/08 Hurricane Electric pulled the plug. Just to check on this, see the chart from SpamCop below: yes, a huge drop in spam, as just one example (SpamCop charts live here).

Of course, it is not over yet: fraudcrew.com on IP 64.62.171.193 (reverse 193.64.62.171), mccolo.com / .net, 64.62.128.0/18, AS6939 Hurricane Electric; our favorite CoolWebSearch hijackers are still online. Also, as we see on the CIDR report, AS26780 McColo (McColo Corporation) is still peered by AS3549 GBLX (Global Crossing Ltd). However, we can assume Hurricane Electric will get around to this 64.62.128.0/18 net block, and GBLX is also acting in unison.

Again, this is an excellent example of a growing community effort involving a wide cross-section of anti-spammers, malware and botnet researchers, journalists and internet network operators. When considering the ongoing war for the heart and soul of the internet: not the end, not the beginning of the end, but the end of the beginning.

Labels: cyber crime, hostexploit, Jart Armin, McColo, RBN, rbnexploit, Russian Business Network

RBN - Farewell to EstDomains

In the wake of the demise of Atrivo, we now see the demise of EstDomains by an emboldened ICANN. Many have shown EstDomains et al. as a source of domain registration badness, used by cyber criminals for many years, as recently described within the HostExploit.com report "Atrivo - Cyber Crime USA", by Sunbelt Software and Spamhaus, to name a few, and followed up by Brian Krebs in the Washington Post: "A superlative scam and spam site registrar". Ironically, EstDomains has been trying to fight back with press releases such as "EstDomains Inc. takes next step in combating spam and malware", with them stating: "Once again EstDomains Inc. would like to address the interactive community and ask for co-operation to make the internet clear and safe."

However, even more relevant to the demise of EstDomains was the later Brian Krebs post "A sordid history and a storied CEO", relating to the EstDomains CEO Vladimir Tsastsin. As of today, ICANN has issued a formal, and we assume irrevocable, notice of termination (see Fig. 2 below). The formal letter of termination is available for download from ICANN here; it is based on court records from Estonia.

Of course, what will be interesting is what happens to the approximately 281,000 domain names under EstDomains' management: "All registrations sponsored by EstDomains will be transferred to an ICANN-accredited registrar in accordance with ICANN's De-accredited Registrar Transition Procedure." ICANN goes on to say: "It is ICANN's goal to protect registrants from unnecessary harm and we look forward to amicably resolving any domain name transition issues that may arise from this termination."

Hopefully this does demonstrate that an emboldened ICANN, which has recently become besieged on security issues, is listening to the community. Perhaps we could persuade ICANN to allow the internet security community to provide solid advice on which of these domains are abusive before any transfer is made.

Labels: cyber crime, EstDomains, ICANN, internet security, Jart Armin, rbnexploit, Russian Business Network