Application security, Threat Management, Incident Response, Malware, Phishing, TDR

Is this the end of the Russian Business Network?


A shadowy Russia-based internet service provider, which security researchers said is responsible for hosting two out of every three malicious web attacks, has been forced to close its doors.

But experts believe the Russian Business Network (RBN) may be reinventing itself in China, although they are unsure if the new operation is under the same management or if it is a copycat version.

"It's changing by the minute right now," Matt Richard, director of the Rapid Response Team at VeriSign iDefense, told today. "It's a highly volatile situation."

The RBN, formerly based in St. Petersburg, closed shop Wednesday after its last upstream bandwidth provider cut ties with the ISP following numerous media reports detailing the shady doings.

The company is known in cybercriminal circles as a bulletproof hosting provider, Richard said. It has a no-questions-asked policy when it comes to hosting its roughly 4,000 IP addresses, which have been used in a bevy of malicious attacks, from spam to phishing to IFRAMEs, he said.

"They provide services without regard to what the content is going to be," Richard said. "The promise to their customers is that they'll ignore abuse complaints and not take any action against them. The problem that cybercriminals usually have is they'll put a site up with malicious code, but someone sends an abuse complaint and the ISP takes that site down. Nobody [at RBN] is going to take away their sites."

An RBN representative could not be reached for comment.

Richard Cox, chief information officer of anti-spam group Spamhaus, told today that the RBN has not closed, but is instead recreating itself.

"We've seen new IP ranges and domains being registered," he said. "They will take on a new appearance. We've seen nothing to suggest their operations are in any way being shut down. They're replacing everything that was externally visible. They have planned to divest themselves of the identity of the RBN."

Richard said he and his team are "seeing the emergence of the same kind of code" as the original RBN, this time claiming to originate in China. Yet it is impossible to determine how the new network might ultimately shake out, he said.

"What we think is going to happen is that they're going to be much more discreet and use smaller and smaller operations," he said. "They'll still be in the bulletproof hosting operation, but they won't be as obvious as they are today."

The RBN was forced to reinvent itself after a Washington Post investigative report highlighted the unscrupulous operations of the ISP. Soon after, a U.K.-based upstream provider, Tiscali, severed ties with the RBN.

A Tiscali spokeswoman told in an email that the company is checking with one of its subsidiaries, TiNet, which may have had a "peering agreement" with the RBN.

Then, earlier this week, another U.K.-based bandwidth provider, Connections 4 London (C4L), also stopped doing business with the RBN.

"That left them with no connectivity to the rest of the internet," Richard said. "Essentially, they went dark."

A spokeswoman from Tiscali did not return an email seeking comment. A C4L sales representative said he was not familiar with RBN, but that he would further investigate.

Richard said internet backbone vendors provided service for the RBN because they typically turn a blind eye to any shady undertakings.

"Usually the upstream providers aren't too worried about content," Richard said. "Really their concern is providing that infrastructure. They don't really look inside the traffic to see what's going on. They do, however, care when they get in the news."

The RBN is also believed to be associated with InterCage, a Concord, Calif.-based dedicated server provider, Cox said. But the company's president, when reached by today by telephone, denied any affiliation with the RBN.

"This is the first time I've heard that term," said Emio Kacperski, adding that the company is receptive to any user complaints concerning abuse.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.