"Call these hosts what you like, we see a large amount of hostile activity from these nets, and get little to no abuse response for takedown. Do what you will with this information." - Matt Jonkman

Emerging Threats Russian Business Network (RBN) Snort Intrusion Detection Rules:

* http://www.emergingthreats.net/rules/emerging-rbn.rules

* http://www.emergingthreats.net/rules/emerging-rbn-BLOCK.rules

Emerging Threats Firewall Rules:

* http://www.emergingthreats.net/fwrules/

Russian Business Network background information compiled by JamesMcQuaid:

From JamesMcQuaid:

          RBN IP Block List:

• RussianBusinessNetworkIPs.txt Updated 8-6-2010: IP address ranges from which the former customers of the RBN ISP, their malware marketing affiliate networks, emulators, and other organized crime groups exploit consumers. Block at will. Test for your production environment prior to utilization. In cases where a malicious domain occupies an IP address used by many domains, the IP address is not included in this list (due to false positives in Snort and Suricata). Those domains are included in the DNS Blackhole for Smoothwall at http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples

• RBN_Observations_2nd_Quarter_2010.txt through July 5th

• RBNIPListOptional.txt Updated 4-2-2010: Crime friendly IP address ranges that most businesses can block in or out at the perimeter firewall.

• RBNIdentities.txt Registrant nom de guerres associated malicious and infected domains.

From Jart Armin: http://rbnexploit.blogspot.com

From Brian Krebs:

• http://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html
• http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html
• http://blog.washingtonpost.com/securityfix/2007/10/taking_on_the_russian_business.html
• http://www.washingtonpost.com/wp-dyn/content/story/2007/10/12/ST2007101202661.html?hpid=moreheadlines
• http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101201700.html?sub=new

From Spamhaus:

• http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7740
• "The Russians Go Chinese": http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829
• http://cidr-report.org/cgi-bin/as-report?as=AS43603
• http://cidr-report.org/cgi-bin/as-report?as=AS42811
• http://cidr-report.org/cgi-bin/as-report?as=AS43259
• http://cidr-report.org/cgi-bin/as-report?as=AS43702
• http://cidr-report.org/cgi-bin/as-report?as=AS43188
• http://cidr-report.org/cgi-bin/as-report?as=AS42672
• http://cidr-report.org/cgi-bin/as-report?as=AS42662

From Dancho Danchev: http://ddanchev.blogspot.com/

From David Bizeul: http://isc.sans.org/presentations/RBN_study.pdf

From Shadowserver: 'Clarifying the "guesswork" of Criminal Activity': http://www.shadowserver.org/wiki/uploads/Information/RBN-AS40989.pdf

Wikipedia: http://en.wikipedia.org/wiki/Russian_Business_Network

-- JamesMcQuaid - 21 June 2010