RBN - RBusinessNetwork / RBNnetwork

RBN - IP deployment Panama

RBNetwork AS40989 RBN as RBusiness Network

Number of unique AS-peers:


Number of found peering routers:


Number of prefixes:


Number of ip numbers:


RBN - Too coin Software & SBT Telecom

RBN traceroute - Nevecon Ltd. - - Too coin Software Limited (UK) - SBT Telecom Network (Seychelles); Traceroute

Panama > Ukraine > UK > Seychelles

Too coin Software Limited

CT19 4RH, UK

phone: +1 401 369 8152
e-mail: noc@rbnnetwork.com

Its RIPE NCC Association Membership status is: Full

announced by AS41173(SBT AS SBT Telecom) AS24867(Adapt AS Adapt Services Ltd)
* as-sbtel(member of as-arbinet-lon-buyers, as-bandxuk, as-c4l, as-cais, as-interoute, as-mnet-t, as-tiscalicust, as-tsn)
* AS20807 Credolink ASN Credolink ISP Autonomous System St Petersburg
* AS39848 DELTASYS Delta Systems network
* AS40989 RBN AS RBusiness Network
* AS41108 OINVEST AS Online Invest group LLC
* AS41173 SBT AS SBT Telecom
* AS41181 RUSTELECOM AS Rustelecom AS

RBN - Nevecon Ltd. Panama

RBN's IP & Domain Deployment - Nevecon Ltd. Panama -

AS41731 NEVSKCC as Nevacon Ltd.

Number of unique AS-peers:


Number of found peering routers:


Number of prefixes:


Number of ip numbers:


RBN - MPack

MPack is the latest and greatest tool for sale on the Russian Underground. $ash sells MPack for around $500-1,000. In a recent posting $ash attempted to sell a "loader" for $300 and a kit for $1,000. The author claims that attacks are 45-50 percent successful, including the animated cursor exploit and many others, including ANI overflow, MS06-014, MS06-006, MS06-044, XML Overflow, WebViewFolderIcon Overflow, WinZip ActiveX Overflow, QuickTime Overflow (all these are $ash names for exploits). Attacks from MPack , aka WebAttacker II, date back to October 2006 and account for roughly 10 percent of web based exploitation today according to one public source.

More than 10,000 referral domains exist in a recent MPack attack, largely successful MPack attack in Italy, compromising at least 80,000 unique IP addresses. It is likely that cPanel exploitation took place on host provider leading to injected iFrames on domains hosted on the server. When a legitimate page with a hostile iFrame is loaded the tool silently redirects the victim in an iFrame to an exploit page crafted by MPack. This exploit page, in a very controlled manner, executes exploits until exploitation is successful, and then installs malicious code of the attacker's choice.

Torpig is one of the known payloads for MPack attacks to date. This code relates back to the Russian Business Network (RBN), through which many Internet-based attacks take place today. The RBN is a virtual safe house for attacks out of Saint Petersburg, Russia, responsible for Torpig and other malicious code attacks, phishing attacks, child pornography and other illicit operations. The Italian hosts responsible for most of the domains seen in a recent MPack attack are using cPanel, a Web administration tool for clients. A zero-day cPanel attack took place in the fall of 2006 leading up to the large scale vector mark-up language (VML) attacks at that time. It appears likely that the Russian authors of the cPanel exploit, Step57.info, who are also related to the RBN used the exploit to compromise the Italian ISP and referral domains used in the latest mPack attack.

MPack uses a command and control website interface for reporting of MPack success. A JPEG screenshot of a recent attack is attached to this message.


1. MPack is a powerful Web exploitation tool that claims about 50 percent success in attacks silently launched against Web browsers.

2. $ash is the primary Russian actor attempting to sell mPack on the underground, for about $1,000 for the complete MPack kit.

3. MPack leverages multiple exploits, in a very controlled manner, to compromise vulnerable computers. Exploits range from the recent animated cursor (ANI) to QuickTime exploitation. The latest version of mPack, .90, includes the following exploits:

WinZip ActiveX overflow
QuickTime overflow

4. The Russian Business Network (RBN) is one of the most notorious criminal groups on the Internet today. A recent MPack attack installed Torpig malicious code hosted on an RBN server. RBN is closely tied to multiple attacks including Step57.info cPanel exploitation, VML, phishing, child pornography, Torpig, Rustock, and many other criminal attacks to date. Nothing good ever comes out of the Russian Business Network net block.

5. MPack attacks experience high success, according to attack log files analyzed by VeriSign-iDefense. In just a few hours more than 2,000 new victims reported to an MPack command and control website. A recent attack, largely focused in the area of Italy, involved more than 80,000 unique IPs.

RBN - The Bank of India

Bank of India IT staff are mopping up the mess left by attackers who rigged the firm's website to feed malware to customers trying to access online services.

The bank managed to pry loose the rogue iframe responsible for the malware sometime early Friday morning California time. At time of writing, though, Bank of India's website was effectively cordoned off, bearing a terse notification saying: "This site is under temporary maintenance and will be available after 09:00 IST on 1.09.07."

The shuttering came a day after employees for security provider Sunbelt Software discovered someone had planted an iframe in the site that caused unpatched Windows machines to be infected with some of the most destructive pieces of malware currently in circulation. Sunbelt counted 31 separate pieces in all, including Pinch, a powerful and easy-to-use Trojan that siphons personal information from a user's PC. Other malware included Trojan.Netview, Trojan-Spy.Win32.Agent.ql, various rootkits and several spam bots.

Executives and IT administrators at US offices of Bank of India who were contacted Friday morning by IDG were initially unaware of the attack. A spokesman later told the news service that officials were aware of the problem and were working to correct it, but had no information concerning its severity or duration.

Some of the servers used to install the malware belonged to the notorious Russian Business Network, a group Spamhaus says is involved in child porn, phishing and other misdeeds. According to Verisign's iDefense unit, the RBN also played a hand in bringing us MPack, a powerful Trojan downloader that infected more than 10,000 websites in just three days.

In this case, the attackers appeared to use an exploit kit dubbed n404, according to this post by Dancho Danchev. It relies on a technique known as Fast Flux domain name service, which is proving to be resilient against bot hunters because there is no single point of weakness to take down.

Roger Thompson, a researcher with Exploit Prevention Labs, said he spotted one piece of code that exploited a vulnerability patched by last year's Microsoft Security Bulletin MS06-042."It's pretty much a cut-and-paste of the original proof-of-concept that was put out on Metasploit last July," Thompson said of the code.

RBN Info - Spamhaus.org Rosko Listing

Spamhaus.Org - RBN Info

Russian Business Network - Among the world's worst spammer, child-pornography, malware, phishing and cybercrime hosting networks. Provides "bulletproof hosting", but is probably involved in the crime too.

Dear stupid trackback spammer at,

in case you haven't noticed yet: None of the trackback spams you have attempted to send to this and a couple of other sites over the last 24 hours has made it through. They are deleted automatically, and I didn't even have to block your IP address ...

The Management

There's a reason why we haven't seen a lot of trackback spam recently, but it seems someone in Russia ( belongs to Russian Business Network in St. Petersburg) hasn't gotten the memo yet.

Oh, and while you're at it, block through to .70, too. I see Bad Behavior takes care of those already (claiming to be GoogleBot isn't really helping in getting trackback spam through), but just in case.

iFrameDollars.com or .biz


etname: MICRONNET-NET; descr: Micronnet LTD network; country: RU

Address: Reshetnikova str. HSE 9, 197119 St. Petersburg , Russia

E-mail: info@micronnet.net

RBN Exploit - IP Addresses (1)

Just so you know your enemy, our good friends the RBN (Russian Business Network) - now widening their buisiness to "bullet proof" hosting of MPack (diy exploiters) - if you try and complain to Nevacon, do not expect a reply ;-) - I keep wondering why the international community cannot do something about this? - WE seem more inclined to blame China or Russia as countries. Just so we now 4/5 times more spam & exploits are from USA hostings then China:

Add all below to your IP banned list on your hosts / servers, another 300+ RBN IPs to go with these :-(


IP Address:
IP Location Panama (just domains) - Panama - Nevacon Ltd, new hosting out of The Seychelles.

Blacklist Status:
Yet another part of Russian Business Network / iframe cash gang. (see; Spamhaus Org - Rosko) Endless malware and PC hijacking.

gretabc.com []
tesla4.net []
intostec.com []
dedust2.net []
mayconcern.com []
mayconcern.net []

inetnum: -
netname: NEVSKCC-NET
country: RU [reverse DNS - ip-207-222.nevacon.net]
1. Adencnt.info
2. Dinacnt.info
3. Empacnt.info
4. Gifecnt.com
5. Grigcnt.info
6. Hasicnt.info
7. Hoicnt.info
8. Juidacnt.info
9. Lipocnt.com
10. Mircnt.net
11. Nisocnt.net
12. Rikocnt.info
13. Sogcnt.info
14. Tipocnt.com
15. Wetricnt.info
16. Xifcnt.com
17. Yektcnt.info

Domain ID:D18788623-LRMS
Created On:30-Jun-2007 17:17:14 UTC
Last Updated On:04-Sep-2007 18:01:41 UTC
Expiration Date:30-Jun-2008 17:17:14 UTC

Registrant ID:DI_6786675
Registrant Name:Wedrov Kirill
Registrant Organization:N/A
Registrant Street1:Lesi Ukraynki 15/7
Registrant Street2:
Registrant Street3:
Registrant City:Lviv
Registrant State/Province:Lviv Oblast
Registrant Postal Code:48751
Registrant Country:UA
Registrant Phone:+093.4584442

Name Server:NS2.YEKTCNT.INFO rbnnetwork.com SBL58402 2007-09-04 02:44:54 rbnnetwork.com SBL58369 2007-09-03 02:09:43 rbnnetwork.com SBL58287 2007-08-31 03:12:22 rbnnetwork.com SBL58284 2007-08-31 03:01:04 rbnnetwork.com SBL58009 2007-08-21 00:35:36 rbnnetwork.com SBL58008 2007-08-21 00:35:08 rbnnetwork.com SBL57580 2007-08-10 03:38:22 rbnnetwork.com SBL57575 2007-08-10 02:19:56 rbnnetwork.com SBL57411 2007-08-05 12:08:37 rbnnetwork.com SBL57122 2007-07-30 02:17:40 rbnnetwork.com SBL57123 2007-07-30 02:17:54 rbnnetwork.com SBL57112 2007-07-30 00:48:36 rbnnetwork.com SBL57085 2007-07-29 09:56:50 rbnnetwork.com SBL55191 2007-06-02 06:48:43

RBN (Russian Business Network) - A User's Guide

ACCORDING to VeriSign, one of the world's largest internet security companies, RBN, an internet company based in Russia's second city, St Petersburg, is "the baddest of the bad". In a report seen by The Economist, VeriSign's investigators unpick an extraordinary story of blatant cybercrime that implies high-level political backing.

In one sense, RBN (Russian Business Network) does not exist. It has no legal identity; it is not registered as a company; its senior figures are anonymous, known only by their nicknames. Its web sites are registered at anonymous addresses with dummy e-mails. It does not advertise for customers. Those who want to use its services contact it via internet messaging services and pay with anonymous electronic cash.

But the menace it poses certainly exists. "RBN is a for-hire service catering to large-scale criminal operations," says the report. It hosts cybercriminals, ranging from spammers to phishers, bot-herders and all manner of other fraudsters and wrongdoers from the venal to the vicious. Just one big scam, called Rock Phish (where gullible internet users were tricked into entering personal financial information such as bank account details) made $150m last year, VeriSign estimates.

Despite the attention it is receiving from Western law enforcement agencies, RBN is not on the run. Its users are becoming more sophisticated, moving for example from simple phishing (using fake e-mails) to malware known as "Trojans" that sit inside a victim's computer collecting passwords and other sensitive information and sending them to their criminal masters.

A favorite trick is to by-pass the security settings of a victim's browser by means of an extra piece of content injected into a legitimate website. An unwary user enters his password or account number into what looks like the usual box on his log-in page, and within minutes a program such as Corpse's Nuclear Grabber, OrderGun and Haxdoor has passed it to a criminal who can empty his bank account. When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. "Every major Trojan in the last year links to RBN" says a VeriSign sleuth.

RBN even fights back. In October 2006, the National Bank of Australia took active measures against Rock Phish, both directly and via a national anti-phishing group to which the bank's security director belonged. RBN-based cybercriminals replied by crashing the bank's home-page for three days.

What can be done? VeriSign has tracked down the physical location of RBN's servers. But Western law enforcement officers have so far tried in vain to get their Russian counterparts to pursue the investigation vigorously. "RBN feel they are strongly politically protected. They pay a huge amount of people. They know they are being watched. They cover their tracks," says VeriSign. The head of RBN goes under the internet alias "Flyman". Repeated e-mails to RBN's purported contact addresses asking for comment have gone unanswered.