Bulletproof hosting and the Russian Business Network

Several previous blog entries have described various forms of web-based attacks [1,2,3]. In most cases, the attack involves compromising a large number of web servers in order that the sites they host are turned into drive-by download sites. When victims browse these compromised sites, additional malicious content is silently loaded from some remote server (the attack site).

Whilst looking through some of the data collected from the web threat analysis system in the lab over the last few weeks, I noticed that a number of the remote attack sites were in the same address range. Digging further, it quickly became apparent that the attack sites were using hosting services provided by the Russian Business Network (RBN). The RBN provide web hosting and other services much like any other ISP. Unlike other ISPs however, the RBN is reported to be used almost solely by cybercriminals for illegal purposes [4]. Illegal activities such as phishing, botnet C&C, spam, DoS attacks and malware hosting have all been traced to RBN-hosted servers [5].

The hosting services provided by the RBN are frequently referred to as bulletproof hosting, thanks to the remarkable resilience the servers show despite significant law enforcements efforts to shut them down. This sort of resilience is perfect for cybercriminals wishing to construct web attacks, since it provides them with very robust attack sites that can be used in multiple attacks. Once the attack site is running, they can simply compromise other web sites to silently load the malicious content when browsed.

As it happens, the web attack described in the flowchart within the previous blog entry uses a RBN-hosted attack site. This is not that surprising – numerous other recent large-scale attacks have used similar attack sites. In fact, over the past 3 weeks, SophosLabs have identified almost 1,000 web sites that have been compromised to load malicious content from RBN-hosted servers. These compromised sites are globally distributed:

[Global distribution of compromised sites linking to RBN-hosted servers]

Cybercriminals’ use of services such as those provided by the RBN in order to evade law enforcement efforts poses a definite problem. An article last week in the Washington Post [6], discusses some of the concerns and potential solutions. I have little doubt that if the problem persists (and it shows every sign of doing so), there will be even more widespread and aggressive blocking of entire networks by corporations and even ISPs.