funsec mailing list archives

New ShadowServer Whitepaper: RBN "Rizing" - Abdallah Internet Hizmetleri


From: "Paul Ferguson" <fergdawg () netzero net>
Date: Sat, 1 Mar 2008 19:14:57 GMT

...validating what some of us suspected. :-)

Nice read.

- ferg

[snip]

Russian Business Network (RBN)

In the last few months, there has been a significant amount of press coverage given to insidious cyber activity 
associated with the segment of the Internet known as the “Russian Business Network,” or RBN. Previous studies have 
suggested that the RBN has ties to nearly every area of cybercrime, including: phishing, malware, DDOS activity, 
pornography, botnets, and anonymization.

In November 2007, media reporting indicated that a large portion of the RBN “went dark.” Since that time, the 
Shadowserver Foundation has been more closely analyzing outlying networks implicated as being associated with RBN. One 
of these suspected outliers is AS9121, known as TurkTelekom. SecurityZone.org reported in early December 2007 that 
while not everything in TurkTelekom appears to be malicious, there are some ranges that are “particularly bad” and 
analysis of Shadowserver Foundation data agrees. Several subranges quickly stand out as being deeply involved in 
malicious cyber activity: 88.255.90.0/24 and 88.255.94.0/24. IP registration indicates these ranges are listed under 
the name “ABDALLAH INTERNET HIZMETLERI” (AIH).

Abdallah Internet Hizmetleri (AIH)

In one of the most thorough RBN studies to date, David Bizeul reported that AIH ranges 88.255.90.0/24 and 
88.255.94.0/24 are among the “most used network ranges used by RBN affiliates’ domain names.” The purpose of this 
paper is to take a deeper look at these two class C ranges of AIH based out of Rize, Turkey, available information from 
the Internet, and statistics collected by the Shadowserver Foundation to provide further insight into the scope and 
depth of the RBN. 

[snip]

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080301

Paper: Direct Link:
http://www.shadowserver.org/wiki/uploads/Information/RBN_Rizing.pdf

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

