If RBN is dead, their customers are still alive
Friday September 12, 2008 at 10:25 am CST
Posted by Francois Paget
After I read Chris's post on our blog that dissected the darksides domains, I wondered about the Russian Business Network and its state of health.
This year, the posts and white papers circulating on the web portray new protagonists like AbdAllah, Atrivo, Directi or EstDomains. Like their senior branch, RBN, these Internet network providers are strongly suspected of protecting many actors in the malware, phishing and fraud world.
In February 2008, a ShadowServer Foundation document explained that many domains had moved from RBN to AIH (AbdAllah Internet Hizmetleri). Like me, many researchers saw this as a revival of RBN. But, as some French bloggers assume, it was only a migration of customers from one bulletproof hoster to another.
Two weeks ago, in Jart Armin's latest controversial paper, the St Petersburg entity was hardly mentioned. Various networks previously known as RBN bastions were listed as core components of the California-based Atrivo family of companies (you can read Brian Krebs's post to be convinced).
In October 2007, after the media put the Russian ISP in the spotlight, its representative Tim Jaret forcefully denied the accusations. He said that his company investigated abuse complaints and took care of them if there was a violation of law. Now Emil Kacperski, the Atrivo founder, hands out the same message. He assures that the company works very hard to clean up its image, responds to abuse reports and proceeds to corrective action when necessary. But some people don't believe them!
One thing is sure: each time a report exposes a lax ISP, many unscrupulous customers looking for discretion, cover or camouflage are disrupted. As I said before, we have seen some of them moving to AbdAllah or Atrivo. I would not be surprised if they started searching for a new refuge! This is all the more probable because the bad publicity has reached the ears of many attentive backbone providers, causing Atrivo to lose peering on all sides. At least that is something!
Today several researchers are announcing the dissolution of RBN, and with the Atrivo and Directi disclosures, we have given the anthill new kicks. But all these criminals who pay for dedicated servers and protection from takedowns due to abuse complaints are still busy. For that reason, the criminal business network is still alive, even if it sometimes changes its name and management.

September 12th, 2008 at 12:44
Good blog. Two comments. 1) Jart Armin is a complete idiot as is anyone who cites him. 2) The Tim Jaret commentary was a complete hoax by someone who thought it would be funny to see if reporters would check their credibility…and they didn’t.
September 15th, 2008 at 23:03
[...] AvertLabs’ blogger Francois Paget comments on the Shadowserver reports of the apparent demise of rogue registrar RBN and the apparent customer [...]