* http://www.emergingthreats.net/rules/emerging-rbn.rules

* http://www.emergingthreats.net/rules/emerging-rbn-BLOCK.rules

"Call these hosts what you like, we see a large amount of hostile activity from these nets, and get little to no abuse response for takedown. Do what you will with this information." - Matt Jonkman

Russian Business Network background information compiled by JamesMcQuaid:

From JamesMcQuaid:

• RussianBusinessNetworkIPs.txt Update 12-4-2008: IP address ranges from which the criminal organization, their franchises, affiliates and customers exploit consumers. Block at will. Test for your production environment prior to utilization.
• RBNExploitDomains.txt: Update 8-17-2008. 11,781 hostile Russian Business Network domains (do not visit these sites).
• RBN_Commercial_Pedophile_Payment_Systems.txt: RBN Commercial Pedophile Payment Systems (and DNS responders). 6-11-2008
• Atrivo-domains or Atrivo-domains.txt: The 26,609 domain objects in Atrivo IP space on 3-30-2008. Included in hosts and config-hosts for Smoothwall 3.0.
• Atrivo-config-hosts.txt: Config file for DNS Blackhole in Smoothwall
• Atrivo-hosts.txt: Hosts file for DNS Blackhole in Smoothwall.
• Atrivo-Smoothwall-config: Smoothwall IP blocking of Atrivo-related domains. Updated 3-30-2008.

From Jart Armin: http://rbnexploit.blogspot.com

From Brian Krebs:

• http://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html
• http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html
• http://blog.washingtonpost.com/securityfix/2007/10/taking_on_the_russian_business.html
• http://www.washingtonpost.com/wp-dyn/content/story/2007/10/12/ST2007101202661.html?hpid=moreheadlines
• http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101201700.html?sub=new

From Spamhaus:

• http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7740
• "The Russians Go Chinese": http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829
• http://cidr-report.org/cgi-bin/as-report?as=AS43603
• http://cidr-report.org/cgi-bin/as-report?as=AS42811
• http://cidr-report.org/cgi-bin/as-report?as=AS43259
• http://cidr-report.org/cgi-bin/as-report?as=AS43702
• http://cidr-report.org/cgi-bin/as-report?as=AS43188
• http://cidr-report.org/cgi-bin/as-report?as=AS42672
• http://cidr-report.org/cgi-bin/as-report?as=AS42662

From Dancho Danchev: http://ddanchev.blogspot.com/

From David Bizeul: http://isc.sans.org/presentations/RBN_study.pdf

From Shadowserver: 'Clarifying the "guesswork" of Criminal Activity': http://www.shadowserver.org/wiki/uploads/Information/RBN-AS40989.pdf

Wikipedia: http://en.wikipedia.org/wiki/Russian_Business_Network

To cover traffic from the RBN's fake anti-spyware tools (partially within Spamhaus XBL):

IP Range start IP range end AS # Name

64.28.176.0 64.28.191.255 AS27595 INTERCAGE 69.22.162.0 69.22.163.255 AS27595 INTERCAGE 69.22.168.0 69.22.175.255 AS27595 INTERCAGE 69.22.184.0 69.22.187.255 AS27595 INTERCAGE 69.31.64.0 69.31.79.255 AS27595 INTERCAGE 69.50.160.0 69.50.191.255 AS27595 INTERCAGE 85.255.113.0 85.255.117.255 AS27595 INTERCAGE 85.255.118.0 85.255.118.255 AS27595 INTERCAGE 216.255.176.0 216.255.191.255 AS27595 INTERCAGE

58.65.239.66 - RBN domain involved in the Bank of India hack. 58.65.234.17 and 58.65.234.18 - RBN domains for iFrame Cash (see Spamhaus Rosko) 58.65.232.0 - 58.65.239.255 = HOSTFRESH RBN alternative hosting (supposedly Hong Kong based, but Intercage / Estdomains etc. linkage)

200.115.160.0/20 AS26426 OPTYNEX (Central American-based Estdomains and Neo-Nazi linkage)

-- JamesMcQuaid - 13 July 2008