
“The dogmas of the quiet past are inadequate to the stormy present. The occasion is piled high with difficulty, and we must rise with the occasion. As our case is new, so we must think anew and act anew.” — Abraham Lincoln

Some stories are just too interesting not to share. The Russian Business Network (RBN) has been getting a bunch of press lately in the security world. Brian Krebs, writing for the Washington Post, has done a series of articles on the RBN. Krebs details how this shadowy ISP was a “world hub for Web sites devoted to child pornography, spamming and identity theft, a so-called ‘bulletproof hosting’ provider to some of the most sophisticated cyber criminal networks in operation today.”

Krebs’s articles are a very interesting read and include “Shadowy Russian Firm Seen as Conduit for Cybercrime,” “Taking on the Russian Business Network,” “Mapping the Russian Business Network,” and “The Russian Business Network Responds.”

Richard Bejtlich followed Krebs’s articles with additional sources of information when he wrote, “there’s a blog — rbnexploit.blogspot.com — that started last month. It’s exclusively about RBN. Second, I found Nicholas Albright’s blog, which covers botnets. Third, there’s an absolutely amazing series of articles by Scott Berinato. They are lengthy but definitely worth reading.”

RBN may have been a little too successful, resulting in a little too much press. This week the RBN relinquished most of its Internet addresses after a number of its main upstream Internet providers severed ties with the group. Gregg Keizer from Computerworld reports, “Russian hacker gang goes dark to relocate; may be moving to China.” In the article, Keizer quotes Paul Ferguson, a network architect at Trend Micro, as saying, “The routing information for their IP addresses has been withdrawn. That’s significant because while RBN has had connectivity issues in the past, then the routing [to its IP addresses] was still being advertised. This time, they’ve been voluntarily withdrawn. This is not the result of someone, such as their ISP, blackholing their traffic. This was done voluntarily.”

Keizer goes on to report that Jamz Yaneza, a Trend Micro research project manager, stated, “We’re seeing signs of RBN-like activity elsewhere, in Turkey, Taiwan and China. RBN may be moving to places even more inaccessible to the law [than Russia]. Everyone knows they were in St. Petersburg, but now they’re changing houses, changing addresses.”

Keizer writes, “The Spamhaus Project antispam group has posted information that indicates RBN may have already laid claim to IP blocks located in China, Shanghai in particular.” Krebs, in his posting “Russian Business Network: Down, But Not Out,” also quotes the Spamhaus Project stating, “strong indications that a huge swath of Internet space recently established in China may soon emerge as the next incarnation of the Russian Business Network. If Spamhaus’s assumptions are correct, RBN’s new home would include several times more additional Web hosting capacity than its previous location in Russia.”

RBN may not be going out of business but, like any expanding business, just relocating to larger facilities. Krebs points out that, “The apparent flight of RBN came on the eve of a lengthy cybercrime speech by FBI Director Robert Mueller. Speaking at Penn State on Tuesday, Mueller addressed the internationalization of cyber crime and its threat to the political and economic stability of the United States.”

Robert Mueller, in his speech, stated, “Increasingly, cyber threats originate outside of our borders. And as more people around the world gain access to computer technology, new dangers will surface.” Mueller went on to say, “The Internet has opened up thousands of new roads for each of us–new ideas and information, new sights and sounds, new people and places. But the invaders–those whose intent is not enlightenment, but exploitation and extremism–are marching right down those same roads to attack us in multiple ways.”

Now I was going to quote from Robert F. Kennedy’s speech, given in Cape Town, South Africa (June 7, 1966), “There is a Chinese curse which says, ‘May he live in interesting times.’” It seemed appropriate considering the possibility that RBN might be setting up shop in China. Plus, we do live in interesting times, though I do not consider it a curse.

Unfortunately, after trying to reference that quote I found tracking the origin as confusing as tracking the RBN. It seems the speech has mystified Chinese scholars who have only heard the quote from Americans. Stephen DeLong traced the quotation back to a 1950 science fiction story, “U-Turn,” appearing in the April issue of Astounding Science Fiction. The story was penned by Eric Frank Russell under the name Duncan H. Munro. “U-Turn” might have been referencing a quote from a fictional Chinese storyteller, Kai Lung, invented by the Edwardian English author Ernest Bramah. I do like the report that it was the first of three curses of increasing severity, the other two being:

May you come to the attention of those in authority
May you find what you are looking for

At this point you might be wishing I would get back on topic. Well, my side track into the quote world is an example of the power of the times we live in. The Internet allows us to track things back to the origin and gain information from various sources. RBN fell victim to the second curse, coming to the attention of those in authority. In so doing, RBN lost their upstream Internet access. Now they are doing everything they can to get out of the limelight and disappear.

As for the quote, another possible origin is from the Chinese proverb, “It’s better to be a dog in a peaceful time than be a man in a chaotic period.” I am not sure I would agree with that proverb, preferring the Russian proverb, “It is better to have a small fish than a big cockroach.” Then again, that quote is probably made up also. In today’s world, most things are not what they appear to be. Like the cockroach, RBN is trying to get out of the light and will not be easily killed. We will have to stay tuned and see where these folks pop up next.
