We own the Russian Business Network! (at least their domain)

Kleissner & Associates s.r.o. is a newly founded company in Prague, Czech Republic. One of the founders is Peter Kleissner, a Czech resident. K&A is the company behind the Virus Tracker – an automated system to monitor botnets and gather long-term botnet statistics from both the infection and the command & control side.

Russian Business Network

The Russian Business Network used to be a hosting provider (operating like a company but not legally registered) whose main customers were hosting command & control and drop servers of different types of botnets. Some background information is available on Wikipedia [1]. For their web presence they had used the domain rbnnetwork.com.

RBN Mails

Behind the technical details

Recently we acquired the domain of the infamous Russian Business Network – rbnnetwork.com. If you check the WHOIS information, you can see us as the legal owner:

Domain rbnnetwork.com

Date Registered: 2011-11-9
Date Modified: 2012-12-7
Expiry Date: 2013-11-9

DNS1: ns1.easyname.eu
DNS2: ns2.easyname.eu

Registrant
Kleissner & Associates s.r.o.
Authorized Representative
Email:info@rbnnetwork.com
Na strzi 1702/65
140 00 Praha
Czech Republic
Tel: +420.00000000

We installed an SMTP sinkhole which catches all emails sent to *@rbnnetwork.com and added it to the Virus Tracker system. From December 2012 to January 2013, we received emails addressed to the following recipients:

47175755.6020800@rbnnetwork.com
abuse@rbnnetwork.com
info@rbnnetwork.com
maria@rbnnetwork.com
natalia@rbnnetwork.com
ncc@rbnnetwork.com
noc@rbnnetwork.com
ripe@rbnnetwork.com
support@rbnnetwork.com
tim@rbnnetwork.com
vladimir@rbnnetwork.com

All emails were sent from automated systems: newsletters, forums and spam bots. Once you own a domain name you can set up your own email server and receive any email addressed to it. This means you can use the password recovery functionality built into most forums and websites. All you usually need to know is the user's email address or user name – which you might get through automated newsletters.

We have automated the process of catching all emails and automatically generating a listing. You can download the daily generated overview of the received emails here (xlsx). Also, there is a new tab on http://virustracker.info/.
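As an added illustration of how such a daily overview can be produced from a catch-all sinkhole's captures (this is not K&A's Virus Tracker code): the record format (date, envelope recipient, raw message), the sample messages and the CSV output are assumptions made for this example; mail is classified as automated using the standard Precedence, Auto-Submitted and List-* headers.

```python
# Added example: offline overview generator for a catch-all SMTP sinkhole.
# Not Virus Tracker code; record format and sample messages are constructed.
import csv
import io
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# RFC 3834 (Auto-Submitted) and RFC 2369 (List-*) markers of machine-generated mail.
AUTOMATED_HEADERS = ("Auto-Submitted", "List-Unsubscribe", "List-Id")


def is_automated(msg):
    """Heuristic: bulk/list precedence or an auto-submitted/list marker."""
    if msg.get("Precedence", "").lower() in ("bulk", "list", "junk"):
        return True
    return any(msg.get(h) for h in AUTOMATED_HEADERS)


def build_overview(records):
    """records: iterable of (date 'YYYY-MM-DD', envelope RCPT TO, raw RFC 5322 text).
    Returns sorted rows (date, recipient, sender_domain, messages, automated)."""
    totals, automated = Counter(), Counter()
    for date, rcpt, raw in records:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1]
        domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else "?"
        key = (date, rcpt.lower(), domain)
        totals[key] += 1
        if is_automated(msg):
            automated[key] += 1
    return [(*k, totals[k], automated[k]) for k in sorted(totals)]


def overview_csv(records):
    """Render the overview as CSV (the original listing is an xlsx; CSV is assumed here)."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["date", "recipient", "sender_domain", "messages", "automated"])
    w.writerows(build_overview(records))
    return buf.getvalue()


# Constructed sample captures, not real sinkhole data.
SAMPLE = [
    ("2012-12-20", "noc@rbnnetwork.com",
     "From: news@forum.example\r\nTo: noc@rbnnetwork.com\r\nPrecedence: bulk\r\n"
     "List-Unsubscribe: <mailto:leave@forum.example>\r\nSubject: Weekly digest\r\n\r\nbody\r\n"),
    ("2012-12-20", "noc@rbnnetwork.com",
     "From: news@forum.example\r\nTo: noc@rbnnetwork.com\r\nPrecedence: bulk\r\nSubject: Digest 2\r\n\r\nbody\r\n"),
    ("2012-12-21", "vladimir@rbnnetwork.com",
     "From: <a@spam.example>\r\nSubject: cheap offers\r\n\r\nbody\r\n"),
]

if __name__ == "__main__":
    print(overview_csv(SAMPLE))
```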

About the operation

The first step was to register the domain. Once you own it, the question is what to do with it. There are legal considerations on how far one can go – technically a lot is possible. The policy of K&A is, however, to not return any payload data on any kind of sinkhole. While our mission is to do the technical investigation of botnets (and criminal organizations), we do not stand above the law and it is not up to us to catch criminals.

The interest behind this operation is to show what is technically possible. This (a small piece of a bigger puzzle) helps investigate the criminal network and understand the organizational structure (even though it is considerably old by now). If you own the domain of an organization (whether it is a company or a criminal network) you can simply impersonate it – this is where social engineering comes in. This might become interesting when, for example, probing a government or intelligence service – offering a criminal service and checking their response. The Russian Business Network still has “good” street cred.

We will keep this blog post updated if there are any new developments.

References

[1] http://en.wikipedia.org/wiki/Russian_Business_Network
[2] http://www.bizeul.org/files/RBN_study.pdf