Russian Hacker Gang Vanishes Again

Posted by kdawson on Monday November 12, @11:43PM
from the now-you-see-'em dept.
Arashtamere writes "The shadowy hacker and malware hosting network that only recently fled Russia to set up operations in China has now pulled the plug there and vanished yet again. An analyst at VeriSign's iDefense Labs unit said iDefense had tracked RBN's migration earlier in the week from servers based in Russia to ones running in China, after obtaining at least seven net blocks of Chinese IP addresses. As of Wednesday, RBN controlled 5,120 IP addresses assigned to Chinese service providers; known RBN clients were even seen using those addresses that day. But with its China move putting the spotlights of the media and the security community on the organization, RBN suddenly went offline on Thursday. 'They severed connections to six of the seven net blocks on November 8,' the analyst said. RBN as a single organization may be dead and gone; it may even now be breaking up into smaller pieces farmed out to multiple countries' Internet infrastructures."

Related Stories

Profile of the Russian Business Network 180 comments
The Washington Post has an article detailing what is known of the workings of the Russian Business Network, a shadowy entity based in St. Petersburg that hosts a good fraction of the world's spammers, identity thieves, bot herders, and phishers. RBN is not incorporated anywhere and may not technically even be violating Russian law. It provides "bulletproof hosting" for about $600 a month to a wide range of bad guys. The author of the Post story, Brian Krebs, supplements it with two blog posts. One provides more detail and back story including a look at one ISP's security admin who decided last summer to ban all RBN traffic from his network, with outstanding results. The other post maps some of the RBN's upstream suppliers and details the extent of the RBN's involvement in recent cyber-attacks: "Nearly every major advancement in computer viruses or worms over the past two years has emanated from or sent stolen consumer data back to servers" in the RBN.
Russian Phishers Moving to China? 67 comments
Hugh Pickens writes "The Russian Business Network, an ISP and Web hosting provider based in St. Petersburg, whose client list amounts to a laundry list of organized cybercrime operations, appears to have closed shop after a number of its main upstream Internet providers severed ties with the group. The disappearance of RBN comes less than a month after Brian Krebs of the Washington Post wrote a series of stories detailing the organization and history of the shadowy ISP. However, experts at anti-spam group Spamhaus say there are strong indications that a huge swath of Internet space recently established in China may soon emerge as the next incarnation of the Russian Business Network. In related news FBI Director Robert S. Mueller, III gave a speech on cybercrime earlier this week where he said that the FBI has 60 Legal Attaché offices around the world working with partners in Russia, Romania, Poland, Hungary, Italy, and Estonia, among others, to investigate international cyber threats."
  • It seems like having all of your traffic on seven well-defined subnets is an easy way to make all of your activity really obvious.

    But hey, at least these guys are being pursued and thwarted. There are way too many hackers and script kiddies out there who need to get their butts kicked once and become productive members of society with their skills. This is an important lesson and it comes at a price, but ultimately we need to convert these people to use their technical knowledge for good. By making it harder and harder for the underworld to survive, the economic benefits of that lifestyle become overshadowed by its risks. This will bring these people out into the light, and hopefully both reduce the economic pain they cause with their mischief, and also let them contribute constructively.

    --
    Educational microcontroller kits for the digital generation. [nerdkits.com]
  • by reporter (666905) on Tuesday November 13, @12:03AM (#21332657)
    There may be another possibility. With so much unwanted attention in the media, the Russian Business Network (RBN) may voluntarily have broken up into numerous small groups. In much the same fashion, the alumni of the KGB [rferl.org] have broken up into numerous small cliques. Each clique is essentially a mafia gang with a strongman as boss and wields considerable power.

    As the Kremlin moves into cyberspace [slashdot.org], each KGB clique will want a "piece of the action" and has absorbed some alumni of the RBN. In the 21st century, even the Russian mafia needs an online presence.

  • nice... (Score:2)

    by djupedal (584558) on Tuesday November 13, @12:03AM (#21332661)
    It doesn't take a rocket scientist to figure out that setting up inside China was bound to be a bit of a bad move...

    Might as well hang out a sign... ---> R U S S I A N -- B O T N E T -- M A S T E R S -- H E R E ! ! !
  • Don't be so fast (Score:5, Informative)

    by DNS-and-BIND (461968) on Tuesday November 13, @12:15AM (#21332721)
    (http://communistposters.com/)
    Well, based in China as I am, I can think of another reason the RBN stayed here for a few days and then quit. The internet connection to the outside world is horribly slow! I regularly get modem speeds when using US-based sites such as slashdot. If file transfers go above 10k/s then I'm ecstatic. I can't imagine that spammers would be happy with slow connections. I had a Nordic businessman ask me for some consulting recently. I talked to him, and he said that the internet was too slow between there and Denmark, and could I fix it? I just rolled my eyes and told him to talk to either Hu Jintao or the Ministry of Propaganda and Information...
    • Not that bad if you know who to ask... by djupedal (Score:3) Tuesday November 13, @12:31AM
    • Re:Don't be so fast by S3D (Score:2) Tuesday November 13, @01:00AM
    • Re:Don't be so fast (Score:4, Interesting)

      by Chief Wongoller (1081431) on Tuesday November 13, @01:34AM (#21333167)
      Well, actually I'm in China too. The interesting aspect of internet access in China is that ISPs here always provide much higher upload speeds than download speeds, by a ratio of about 3 or 4 to 1. This is to serve the interests of Chinese exporters, by making Chinese-based websites more accessible to the outside world. That is to say the internet in China is more about exporting data -good or bad- rather than importing. So China is rather a logical location for those hackers, especially as policing of the internet here is almost non-existent (no fears about P-2P downloading here). Incidentally, download speeds, while slower than North America or Europe, are not always painfully slow. Speed depends largely on where you live: I live in a modern building in a modern city and can get download speeds of 100k/s no problem.
    • Curious... by SanityInAnarchy (Score:3) Tuesday November 13, @02:14AM
      • Re:Curious... by kamapuaa (Score:1) Tuesday November 13, @02:29AM
        • Re:Curious... by nihaopaul (Score:1) Tuesday November 13, @03:58AM
        • Re:Curious... by SanityInAnarchy (Score:2) Tuesday November 13, @12:12PM
          • Re:Curious... by kamapuaa (Score:3) Tuesday November 13, @12:37PM
      • Re:Curious... by KDR_11k (Score:1) Tuesday November 13, @02:13PM
  • Applauds headline (Score:1, Funny)

    by Trogre (513942) on Tuesday November 13, @12:24AM (#21332789)
    (http://slashdot.org/)
    While I'm not sure it's a good thing that this hacker network has vanished, I am still pleased with the headline using the term 'hacker' correctly.

    Perhaps we are finally ready to put the misnomer 'cracker' to rest once and for all.

    Now I feel like a bit of cheese...

  • yeah? (Score:1)

    by dropadrop (1057046) on Tuesday November 13, @12:45AM (#21332911)
    So how has this affected spam and cyber crime? It would be interesting to see if these networks vanishing has any effect.
    • Re:yeah? by Joebert (Score:3) Tuesday November 13, @01:03AM
  • by adatepej (1154117) on Tuesday November 13, @03:36AM (#21333713)
    Vanishes Again, and continues hacking while invisible -- that's right, just like before, they'll continue hacking. And they're using new IP's!

    How unusual.
  • Duh. (Score:1)

    by gnn_geeknotnerd (918593) on Tuesday November 13, @04:32AM (#21333917)
    (Last Journal: Wednesday September 28 2005, @12:21PM)
    Hey, Really? No shit. If you are doing a bunch of stuff you don't really want taken notice of, having the mass media saying "Hey look, they're in China and have these netblocks!" could be bad. It also stands a chance of coming to the notice of someone in a position to do something about it - also not good from the hackers' point of view.
  • Apart from how they get on the machine in the first place, I guess these clients all work in similar ways? Central controller sends work out to distributed workers, who do their thing and then report back for more work. I guess botnets are a bit more cunning as they have to hide and can change jobs/controllers/whatever.
  • Which netblocks? (Score:1)

    by Cow Jones (615566) on Tuesday November 13, @06:49AM (#21334423)
    Can you tell us which 7 netblocks they are (were) using, so that we can block them on our firewalls?

    All that I could find was the fourth comment to this article [washingtonpost.com], in which a /20 block is mentioned. The article itself was previously linked on Slashdot; it's about a sysadmin who decided to block the RBN's address ranges and was rewarded by a noticeable drop in compromised customer boxes.

  • Again? (Score:1)

    by dasroot (1187643) on Tuesday November 13, @09:00AM (#21335337)
    That was quick, must've used Atlas Van Lines. Or maybe they just used Brown. They can move stuff FAST!

    Hopefully they will move to Afghanistan or Iraq, they will bomb them.
  • by damn_registrars (1103043) on Tuesday November 13, @10:09AM (#21336115)
    (Last Journal: Sunday September 30, @09:20PM)
    As long as they can find complacent registrars and ISPs to propagate their system. They left Russia when the heat was turned up on their hosting / registration providers there. At least the companies in Russia speak English - or at least admit to knowing enough English to respond to complaints from the US. So then the hacker gang packed up and went to China, where the companies get away with pretending to not speak English, in spite of hosting sites in English and selling domains with English language registration data.

    Exactly what drove this most recent move I don't know yet. It will be interesting to see where they pop up next. I wouldn't be surprised if they even just decided to take a little "cooling off" period, and we'll see them there again shortly.
  • by peter303 (12292) on Tuesday November 13, @11:07AM (#21336907)
    They've had wars several times in the 20th century due to border disputes. Right now both sides make lots of money and the friction is way down, but underlying tension may still be there.
    China could close down these businesses whenever it sees a need.
  • The rules of RBN (Score:3, Funny)

    by Anonymous Coward on Tuesday November 13, @03:49PM (#21341247)
    The first rule of RBN is, you do not talk about RBN.

    The second rule of RBN is, you DO NOT talk about RBN.

    If something says BSOD, goes coredump, logs out, the crack is over.

    Two crackers to a host.

    One crack at a time.

    No GUIs, no frameworks.

    Cracks will go on as long as they have to.

    If this is your first account at RBN, you have to crack.
  • Re:You never know.... (Score:3, Insightful)

    dapper.. AW HELL NO they're using outdated ubuntu distros just when we thought this couldn't get any worse
  • alll your... (Score:1, Offtopic)

    by cheekyboy (598084) on Tuesday November 13, @04:01AM (#21333799)
    (http://financialsense.com/ | Last Journal: Saturday April 30 2005, @01:26AM)
    Russian bases belonga to Kazakhstan, the greatest kuntry on a Earth.

    Hi Five.

    Yakshi Mash.
