* http://www.emergingthreats.net/rules/emerging-rbn.rules

* http://www.emergingthreats.net/rules/emerging-rbn-BLOCK.rules

"Call these hosts what you like, we see a large amount of hostile activity from these nets, and get little to no abuse response for takedown. Do what you will with this information." - Matt Jonkman

Russian Business Network background information compiled by JamesMcQuaid:

From JamesMcQuaid:

• RussianBusinessNetworkIPs.txt Update 6-27-2009: IP address ranges from which the criminal organization, their franchises, affiliates and customers exploit consumers. Block at will. Test for your production environment prior to utilization.
• RBNIPListOptional.txt Update 1-18-2009: IP addresses containing RBN malware domains and large numbers of non-RBN domains.
• OnlineNIC_dns_infrastructure_12-29-2008.txt Update 12-29-2008: These DNS servers are used by typo squatters, and frequently by RBN affiliated criminals. Note: http://www.theregister.co.uk/2008/12/26/verizon_awarded_33mil_against_onlinenic/
• name_servers_supporting_asprox.txt: Update 12-13-2008. The name servers supporting the fast-flux Asprox botnet, as well as domains being used in SQL injection attacks, reside on these hijacked residential IP addresses.
• RBNExploitDomains.txt: Update 8-17-2008. 11,781 hostile Russian Business Network domains (do not visit these sites).
• RBN_Commercial_Pedophile_Payment_Systems.txt: RBN Commercial Pedophile Payment Systems (and DNS responders). 6-11-2008
• Atrivo-domains or Atrivo-domains.txt: The 26,609 domain objects in Atrivo IP space on 3-30-2008. Included in hosts and config-hosts for Smoothwall 3.0.
• Atrivo-config-hosts.txt: Config file for DNS Blackhole in Smoothwall
• Atrivo-hosts.txt: Hosts file for DNS Blackhole in Smoothwall.
• Atrivo-Smoothwall-config: Smoothwall IP blocking of Atrivo-related domains. Updated 3-30-2008.

From Jart Armin: http://rbnexploit.blogspot.com

From Brian Krebs:

• http://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html
• http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html
• http://blog.washingtonpost.com/securityfix/2007/10/taking_on_the_russian_business.html
• http://www.washingtonpost.com/wp-dyn/content/story/2007/10/12/ST2007101202661.html?hpid=moreheadlines
• http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101201700.html?sub=new

From Spamhaus:

• http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7740
• "The Russians Go Chinese": http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7829
• http://cidr-report.org/cgi-bin/as-report?as=AS43603
• http://cidr-report.org/cgi-bin/as-report?as=AS42811
• http://cidr-report.org/cgi-bin/as-report?as=AS43259
• http://cidr-report.org/cgi-bin/as-report?as=AS43702
• http://cidr-report.org/cgi-bin/as-report?as=AS43188
• http://cidr-report.org/cgi-bin/as-report?as=AS42672
• http://cidr-report.org/cgi-bin/as-report?as=AS42662

From Dancho Danchev: http://ddanchev.blogspot.com/

From David Bizeul: http://isc.sans.org/presentations/RBN_study.pdf

From Shadowserver: 'Clarifying the "guesswork" of Criminal Activity': http://www.shadowserver.org/wiki/uploads/Information/RBN-AS40989.pdf

Wikipedia: http://en.wikipedia.org/wiki/Russian_Business_Network

-- JamesMcQuaid - 21 June 2009