The shadowy hacker and malware hosting network that only recently fled Russia to set up operations in China has now pulled the plug there and vanished yet again, say researchers.
The latest disappearing act of the Russian Business Network (RBN) has left researchers scratching their heads. "Where have they gone, that's the question," said an analyst at VeriSign's iDefense Labs unit who wanted to remain anonymous, leery of retribution from the gang. "What's really interesting is how fast they shut everything down."
IDefense had tracked RBN's migration earlier in the week from servers based in Russia to ones running in China. On Tuesday, RBN's Russian servers went dark as the group relinquished control of its assigned IP addresses, effectively severing its connection to the internet. By Wednesday, however, RBN had relocated to China and Taiwan after obtaining at least seven net blocks of Chinese IP addresses, said iDefense. According to the Sterling, Va.-based security intelligence firm, as of Wednesday, RBN controlled 5,120 IP addresses assigned to Chinese service providers; known RBN clients were even seen using those addresses that day.
But with its China move putting media and security community spotlights on the organisation, RBN suddenly went offline on Thursday, said the analyst. "They severed connections to six of the seven net blocks on November 8," the analyst said.
The analyst speculated that while RBN's operators might dismiss the unflattering stories as attacks meant to discredit Russia and its president, Vladimir Putin, the attention was definitely unwelcome. "If their clients are afraid to use them," said the analyst, "it becomes a real issue of finances for RBN."
Security professionals have long alleged that RBN's clients are almost exclusively spammers, hackers, identity thieves, money mule operators, child pornographers and other criminals who have used its network to host malicious websites packed with malware or as the launching pad for spam campaigns and denial-of-service attacks. "These people don't like attention," said the analyst.
RBN has tried to deflect that attention before. In mid-October, the group spoke with a Western news organisation for the first time when it told Wired that it was a legitimate business and that it was considering suing The Spamhaus Project, an well-known antispam organisation, for blacklisting its IP addresses. Two days later, CNews Russia ran a story within the country that claimed the RBN allegations were fabrications meant to smear Putin.
Where RBN has gone or whether it will resurface is, however, a mystery for now. "Where will they go next, assuming they want to reproduce the same model somewhere else? I don't know," said the iDefense analyst.
According to iDefense, RBN as a single organisation may be dead and gone. The model used in Russia, which it replicated momentarily in China, was of a top-down, centrally-controlled network in which one or two internet service providers (ISP) connected a number of semilegitimate companies to the web. Those companies, in turn, rented so-called bulletproof servers to criminals, meaning that the servers wouldn't be taken offline when complaints were filed by security researchers.
"It was great in terms of control and in terms of money," said the iDefense analyst, noting that the vertical integration put more money in the organisation's pockets.
Rather than return in that format, RBN may even now be breaking up into smaller pieces farmed out to multiple countries' internet infrastructures. "That may keep it under the radar, but it's also more expensive for them, and it's riskier, too, because the more ISPs that it has to deal with, the better the chance that one of those ISPs says 'no' to hosting RBN content and shuts them off," said the analyst.
On the plus side — for its clients — by splitting up, RBN can delay detection and make prosecution difficult. "It's a lot harder for law enforcement when there are six or seven countries involved," said the iDefense researcher. "But I think we'll be able to track them. We've done that kind of thing before when a group has been spread across two or more ISPs."
But as a monolithic, centrally-controlled organization — ironically the model that dominated the now-defunct Soviet Union — RBN is likely dead. "As we've known it, I think RBN is gone," said the researcher.