November 9, 2007 11:53 AM PST

Infamous Russian malware gang vanishes

A Russian gang allegedly hosting malicious software abruptly disappeared this week, according to Trend Micro.

The Russian Business Network, which allegedly was heavily involved in hosting packing kits--development suites for malicious software--suddenly dropped off the Internet on Tuesday, the Tokyo-based security company said.

"It feels like their upstream providers put them on a blacklist and terminated services to this problematic customer," Raimund Genes, chief technology officer of Trend Micro's antivirus division, said Friday.

Researchers from Internet security company VeriSign said RBN has been able to offer "bulletproof hosting" for malicious software by means of links to the Russian government.

Genes claimed it is likely that whatever protection RBN enjoyed was withdrawn because the group had overreached itself. "All kinds of cybercrime was on RBN sites, but recently, they've become too greedy," Genes said. "They infiltrated a Turkish government site so that it pointed to a site in Panama that was registered under RBN. (The site) was rented to multiple malware gangs."

Genes added that some U.S. government and Brazilian sites, which he declined to identify specifically, had been compromised through SQL (Structured Query Language) injection attacks to make them point to other RBN sites compromised with malicious software. "Maybe some government was upset by (RBN) activity," Genes said.

Although Trend Micro says it cannot be 100 percent sure, the company believes that the gang has shifted operations to Asia. Sites hosted in Taiwan and China are now hosting malicious-software packing kits and software that had been commonly hosted on RBN sites.

"Sites in Taiwan and China are now hosting malware with the same behavior," Genes said. "MPack (packer kit) and its IcePack add-on are being offered, as well as iframe exploits."

MPack is a PHP-based kit that allows its developers to sell modules of malicious code. An iframe is an HTML tag that allows a Web page to be embedded inside another document; iframe malicious software targets Web browsers by attacking vulnerabilities in the way they handle iframe HTML tags.

Tom Espiner of ZDNet UK reported from London.


7 comments

Too bad
When I read the headlines my first thought was that Putin threw them into the gulag.
Posted by Lee in San Diego (608 comments )
Blacklisting them does little good
When one gets on a blacklist, they're only stopped from using one ISP's network to do their dirty deeds.

As soon as they're blacklisted, they'll just set up shop elsewhere... as seems to be the case here... in Asia.

Now if the parties involved had been jailed... that would have stopped them. But apparently, all that was done was a blacklist so they'll be back up and operational in NO TIME!

So DID THEY VANISH? Only from their current IP address. DID THEY TOTALLY DISAPPEAR? (* ROFLOL *) I highly doubt it.

Next time, they'll resurface with a double access account such that if another ISP cuts them off... they'll still be in business with a secondary ISP in no time flat.

They learned that lesson this time around. Next time... they'll have wised up a bit making it harder to stop them!

FWIW
Posted by wbenton (522 comments )
The Blacklist won't prevent them
From getting hosting under another assumed name either. It could just be, as the article said, that they have decided to 'lay low' after their government supporters told them to, or they would withdraw their support.
Posted by Leria (585 comments )
The iframe tag
The iframe tag is not standard HTML and was created by the company that is responsible for more vulnerabilities than any other.

You guessed it. None other than Microsoft.

They can't help but create vulnerabilities in their code it seems.
Posted by t8 (3716 comments )
pretty amazing!
Posted by techfan_08 (31 comments )
't8', you have hit the nail right on the head. Like the RBN, their need for greed is so great they make mistakes, but with m-soft it costs us. Every time they rush out a new piece of faulty code we pay for it.
Posted by cupid stunt (1 comment )
Putin and the Orthodox Church are almost inseparable these days. Wonder how the religious types sleep at night.
Posted by clamenza (401 comments )
 
