Russian hacker gang goes dark to relocate; may be moving to China

Computerworld - The Russian Business Network (RBN), a notorious hacker and malware hosting organization that operates out of St. Petersburg, Russia, has gone off the air, security researchers said today.

According to a pair of Trend Micro Inc. researchers, RBN went dark around 10 p.m. EST Tuesday. "The routing information for their IP addresses has been withdrawn," said Paul Ferguson, a network architect at Trend Micro. "That's significant because while RBN has had connectivity issues in the past, then the routing [to its IP addresses] was still being advertised. This time, they've been voluntarily withdrawn.

"This is not the result of someone, such as their ISP, blackholing their traffic," Ferguson continued. "This was done voluntarily." Another report, however, on The Washington Post's Web site, claimed that while RBN has severed links to the Internet, its upstream connectivity providers had begun to refuse to route RBN traffic as early as mid-October.

By relinquishing control of the IP blocks it had been allocated, RBN essentially cut ties to the Internet and made it impossible for its domains -- which number in the thousands -- to access the Web or for users to reach those domains. "Where once there might have been 22 feasible paths for data to take to their IP blocks, now there are none," Ferguson said.

He speculated that RBN is simply shifting to new digs, diversifying its considerable back-end infrastructure, trying to lay low or all of the above. "No one knows why they've done this, but I think they're down, not out," he said.

Jamz Yaneza, a Trend Micro research project manager, agreed. "We're seeing signs of RBN-like activity elsewhere, in Turkey, Taiwan and China. RBN may be moving to places even more inaccessible to the law [than Russia]. Everyone knows they were in St. Petersburg, but now they're changing houses, changing addresses."

The Spamhaus Project antispam group has posted information that indicates RBN may have already laid claim to IP blocks located in China, Shanghai in particular.

RBN has been fingered as the source of a multitude of attacks, including last month's rigged-PDF blitz that used a vulnerability in Windows to drop malware on unsuspecting users who opened specially-crafted PDF-formatted documents. In September, security researchers blamed the gang for infecting customers of the Bank of India with a wide variety of malicious code when they visited the bank's hacked site.

But while RBN may be diversifying its assets -- "piecemealing," Ferguson called it -- it's unlikely to be gone long. "I can't believe they'd walk away from the money. Thinking that they're shutting shop is just naive."