Somewhere around 7 p.m. Pacific time on Tuesday evening, researchers at Trend Micro noticed something very odd: Blocks of IP addresses linked to the notorious Russian Business Network (RBN) had suddenly disappeared off the Net.
But researchers say this is by no means the end of the RBN, which security experts say serves as an ISP and host for Websites that deal in child pornography, spam, and identity theft. Some speculated yesterday that RBN's upstream ISPs may have dropped the controversial provider from their networks, or that RBN is merely relocating to keep a lower profile. "We think they are probably just diversifying their operations due to all of the negative publicity surrounding their operations the past couple of months," says Paul Ferguson, network architect with Trend Micro Inc. "This block of IP addresses has gone 'poof.' "
Ferguson says Trend Micro has seen suspicious activity in China and other parts of the Asia/Pacific region that indicates RBN is trying to set up shop in more obscure and less regulated regions. "There have been lots of bulk registries of domains in China and Asia/Pacific," Ferguson says. "And we've seen some activities from iFrames similar to what RBN has done in the past to deliver malware. But right now, this is just what we suspect -- there's no way to tie that back to RBN."
Jamz Yaneza, research project manager for Trend Micro, says there are a large number of botnets associated with RBN, and he wouldn't be surprised if those were being used as a backup system for RBN in the interim.
RBN will pop up again, likely under other IP addresses that may make detecting it more difficult, they say. "This doesn't signal any end to their operations -- they are too 'clever' to walk away, and there's lots of money to be made," Ferguson says.
Kelly Jackson Higgins, Senior Editor, Dark Reading