Real Host, Latvia - RBN Resurgence or Clone

Saturday, 01 August 2009 07:17 in Blogs, Reports by Jart Armin

As a cybercrime and bullet-proof hosting hub, Real Host Ltd, which resides on the autonomous system (Internet server) AS8206 Junik based in Riga, Latvia, is high on any watch list, as Dynamoo pointed out in his blog post “A real sewer” (ref 1). Moreover, it has all the hallmarks and operational elements of the apparently fragmented RBN (Russian Business Network), either as a resurgence or a clone of the RBN’s business model.

Fig 1 - Stolen: Bank logins, credit cards, PayPal sales and IDs – on Real Host
Of more current interest, this is the base for distributing the new and, at the time of writing, still un-patched “Zero day Flash/PDF exploit” (ref 2), and a center for the Zeus botnet C&C, the #1 botnet in the US with an estimated 3.6 million. So, as a combination of Martin Security (Andrew Martin) (ref 3) and HostExploit (ref 4), we set about analyzing this cybercrime hub from a few differing angles, with the goal not only to understand it in depth but also to reduce the threats discovered.
Fig 2 - Plot of BGP – 072409 – Flash / PDF un-patched exploit and related Zeus activity (ASN)
Firstly, a little logistics of this cybercrime hub. Junik is a relatively small server, ranking 2,826 worldwide with 16,384 IP addresses. In this, as in many cases, the old Russian proverb comes to mind and is very apt: “Where do you hide a tree? In a forest!” Paring down to the core of the problem, our examination found it centered on the net block 213.182.197.0/24, within which Real Host has 3 /28 IP blocks (48 IPs) and 272 domains.
Fig 3 - Routing plot AS8206 Junik - 073009
Fortunately, in more recent times there are several good sources within the open security community of up-to-date information on malware domains, spam centers and botnets, to name a few:
  • Spamhaus – SBL75831 – lists the net block for phishing and malware hosting. (Ref 5.)
  • Fire – shows up to 9 complete malware servers over recent times. (Ref 6.)
  • MalwareURL – currently shows 199 domains hosting, amongst other badness, 18 trojans, 25 redirects to exploits and rogue anti-virus, and 6 botnet C&C (command and control) servers. (Ref 7.)
  • Google’s Safe Browsing – shows for AS8206 Junik in the last 90 days: 12 sites providing malicious software for drive-by downloads, and 102 sites acting as intermediaries for the infection of 11,810 other web sites. Finally, it found 161 websites hosting malware that infected 20,681 other web sites.
  • Google’s Safe Browsing – as an example, for just one of the domains, 71.speed.info, 32 scripting exploits.
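As a worked example added here (not code from the original report or from HostExploit), the following Python flags proxy-log connections whose destination falls inside the 213.182.197.0/24 net block named above, so a defender can spot hosts that reached it. The log lines are constructed for the example and the hostnames are placeholders.

```python
import ipaddress
import re
from collections import Counter

# Net block named in the report (the one Spamhaus SBL75831 lists per the text).
FLAGGED_NETS = [ipaddress.ip_network("213.182.197.0/24")]

# Constructed sample proxy log lines (not real traffic):
# timestamp client_ip dest_ip host status
SAMPLE_LOG = """\
2009-07-30T10:01:02Z 10.0.0.15 213.182.197.44 update-host.test 200
2009-07-30T10:01:05Z 10.0.0.22 198.51.100.7 www.benign.test 200
2009-07-30T10:02:11Z 10.0.0.15 213.182.197.201 cc-gate.test 302
2009-07-30T10:03:40Z 10.0.0.31 213.182.196.9 neighbour.test 200
2009-07-30T10:04:00Z 10.0.0.22 not-an-ip somehost.test 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, client, dest_ip, host), or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, dest, host, _status = m.groups()
    try:
        dest_ip = ipaddress.ip_address(dest)
    except ValueError:
        return None  # destination field is not an IP; skip rather than crash
    return ts, client, dest_ip, host


def in_flagged_net(ip):
    """True when the address lies inside any flagged net block."""
    return any(ip in net for net in FLAGGED_NETS)


def find_hits(log_text):
    """Return (timestamp, client, dest_ip_str, host) for each flagged connection."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and in_flagged_net(rec[2]):
            hits.append((rec[0], rec[1], str(rec[2]), rec[3]))
    return hits


def clients_by_hit_count(hits):
    """Count flagged connections per internal client, for triage ordering."""
    return Counter(client for _ts, client, _ip, _host in hits)


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print("flagged:", *h)
    print(clients_by_hit_count(hits))
```

Note that 213.182.196.9 in the sample is deliberately just outside the /24 and is not flagged, which is the check a practitioner would want before acting on the output.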
In summary, Real Host from within Junik serves:
  • exploits, including unpatched (or soon to be patched) 0days;
  • fake codecs, banking trojans, spambots, downloaders;
  • phishing sites;
  • money mule recruitment sites;
  • Zeus botnet command and control servers;
  • distribution of licensed software (warez);
  • illegal porn content.
Added to which, it is a center for the money:
  • botnet rental;
  • botnet loading;
  • iFrame exploit affiliates;
  • warez;
  • credit card trading forums;
  • openly selling credit cards, PayPal accounts and bank logins, over 10,000 “newly harvested”.
Fig 4 - Botnet rentals and installations
So who is Real Host Ltd.? To start with, that net block is leased from Junik by Alex Spiridonov, Abay Street 2a, Almaty, Kazakhstan. However, there are a few tell-tale signs:
  • Many of the domains are ex-EstDomains.
  • All of the websites are in Russian or, for the trading arm, Russian / English.
  • Older entities which many had thought were dead and gone are here: Barwells Group, Newsky, Web-Alfa, and good old Botnet.Su.
All of these were operational elements of RBN (Russian Business Network). So this may not be a reincarnation of the RBN, but it is clearly Russian organized cyber criminals in the same vein, and at least headed by someone from the old school of RBN.
To finish on a positive note, it is pleasing to report that as of today most of the worst offending domains have been suspended, thanks to the proactive efforts of Directi’s abuse department. We are awaiting the results from the main downstream providers, Telia, Latvian CERT and Junik themselves, which we trust will be action based.
Real Host - Domain names suspended to date:
References:
1. Dynamoo’s blog on Real Host / Junik – http://www.dynamoo.com/blog/
2. ISC SANS Advisory “0 day Flash/PDF exploit” – http://isc.sans.org/diary.html?storyid=6847
3. Martin Security – http://www.martinsecurity.net/
4. HostExploit – http://hostexploit.com

To download The Full Cyber Crime Series 1.0 the Europeans Real Host Latvia Report click here and to see The Real Host Latvia Take Down Video click here.
