Sign up for the Security newsletter

Russian malware gang goes to ground

Or has it just moved east?

By Tom Espiner on 12 November 2007 16:42

NEWS

An alleged Russian malware hosting gang has abruptly disappeared, according to internet security company Trend Micro.

The Russian Business Network (RBN), which was allegedly heavily involved in hosting malware packing kits - development suites for malware - suddenly dropped off the internet last week, said the security company.

Raimund Genes, chief technology officer for Trend Micro's antivirus division, said: "It feels like their upstream providers put them on a black list and terminated services to this problematic customer."

Researchers from internet security company VeriSign said RBN has been able to offer "bullet-proof hosting" for malware through links to the Russian government.

Genes claimed it's likely whatever protection RBN enjoyed was withdrawn because the group had overreached itself. "All kinds of cyber crime was on RBN sites but recently they've become too greedy," said Genes. "They infiltrated a Turkish government site so that it pointed to a site in Panama that was registered under RBN. [The site] was rented to multiple malware gangs."

Genes added some Brazilian sites and some US government ones, which he declined to identify specifically, had been compromised through SQL injection attacks to make them point to other RBN sites compromised with malware. "Maybe some government was upset by [RBN] activity," said Genes.

Security A to Z

From antivirus to zero-day, click here for silicon.com's alphabetical guide to security.

Although Trend Micro says it can't be 100 per cent sure, the company believes the gang has shifted operations to Asia. Sites hosted in China and Taiwan are now hosting malware packing kits and malware which had been commonly hosted on RBN sites.

Genes said: "Sites in Taiwan and China are now hosting malware with the same behaviour - MPack [packer kit] and its IcePack add-on are being offered, as well as Iframe exploits."

MPack is a PHP-based malware kit that allows its developers to sell modules of malicious code, while Iframe malware targets browsers by attacking vulnerabilities in the way they handle Iframe HTML tags.

Tom Espiner writes for ZDNet.co.uk

Comments

There is 1 comment. Join the discussion

  1. 1. Karen Challinor

    wild guess here

    I'd say they've been "recruited"

    most likely by the secret service of the first government to successfully locate them

    • 13 November 2007 11:44
    • Add comment

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your silicon.com account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy.

Questions about membership? Find the answers in the Membership FAQ

Get silicon.com's daily newsletter

  • Register on silicon.com

    Enter your email to register

Keep in touch with silicon.com

silicon.com newsletters