Sunday, November 11, 2007

RBN down ... and no e-Jihad, of course!

Oh yes, I did forget to mention 2 interesting messages in my last post ...

The infamous Russian Business Network (RBN) dropped off the Internet several days ago. Since then, RBN's IP addresses can no longer be reached because there is no longer any routing for them. The upstream providers that gave RBN its Internet connectivity may have terminated their services to this problematic customer temporarily or (hopefully) even permanently.
The Russian Business Network is notorious for hosting lots of malware and Web browser exploits. These threats have been injected into thousands of legitimate Web sites. Customers of RBN abuse the latest exploits for their nefarious purposes. The most recent example is a security issue in Adobe’s Acrobat Reader that was fixed only a few weeks ago.
The RBN has been described as "the baddest of the bad". It offers web hosting services and internet access to all kinds of criminal and immoral activities, with individual activities earning up to $150m in one year. Businesses that take active stands against such attacks are sometimes targeted by denial-of-service attacks originating in the RBN network. RBN sells its services to these operations for $600 per month. The business is difficult to trace. It is not a registered company, and its domains are registered to anonymous addresses. Its owners are known only by nicknames. It does not advertise, and trades only in untraceable electronic transactions.
Maintenance? A switch to Asia? Just wait and watch, the future will tell.

Today is the 11th of the 11th and there's supposed to be an "electronic jihad attack" today.
Well, so far I haven't seen any activity. Earlier this week you could download a DDoS tool called E-Jihad30.exe from al-jinan.net (down now). Today's attack rumours circle around this tool, of which we have a description and screenshots available over here. This tool creates a botnet using a server at jo-uf.net - a domain registered to Iraq. However, a lot of AV companies have been monitoring this server all day and its IP address continues to point to 127.0.0.1. So at least regarding this botnet, nothing's gonna happen of course ...
The website variables are in English. Extremists/Islamic Jihadists tend not to speak English. These guys have some understanding of English, indicating they might not be the stereotypical terrorist. And also, the webserver had 'FrontPage' extensions, which again just seems out of place for cyber war. ;-)