Russian Business Network Taken Down a Notch

November 11th, 2007 by Steven Adair

Since I am super slow to update my blog, you may have heard that the Russian Business Network (RBN) has been taken down a notch. Some of the core ranges they operate within are no longer being routed and have had their ASNs withdrawn.

- 81.95.144.0/22 Withdrawn
- 81.95.148.0/22 Withdrawn
- 81.95.154.0/24 Withdrawn
- 81.95.155.0/24 Withdrawn

However, this doesn’t mean they have disappeared or are finished. Spamhaus reported a while back that the RBN operators were going “Chinese”, that is, moving their hosting into Chinese address space. A lot of people are keeping their eyes on all of this. Even the Bleeding Threats project has started publishing rulesets for RBN-related activity. You can grab the Snort rules for RBN-related hosts and ranges from http://www.bleedingthreats.net/rules/bleeding-rbn.rules.

We’ve noticed a big increase over the last few months in the amount of malware coming out of one of the IP ranges tracked in those rulesets. What range is that, you ask? That would be Intercage. You might as well block, or at least pay specific attention to, this range:

85.255.112.0/20

I’m not promising it will be perfect and free of false positives, but it is definitely worth a look. We’re seeing a bunch of stuff out of the whole 85.255.0.0/16, but I wouldn’t block all of it: there is plenty of legitimate traffic in there too, so watch the /16 rather than blocking it wholesale.
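To make the distinction above concrete (withdrawn RBN ranges, the Intercage /20 worth blocking, and the wider /16 worth watching but not blocking), here is an added example that is not part of the original post. It takes only the prefixes listed in this article, classifies connection-log destinations by the most specific matching prefix, and renders a Snort rule for a prefix. The log-line format, the sid numbers and the log lines themselves are constructed for the example.

```python
"""Flag connection-log destinations that fall in the RBN-related prefixes from the post.

Added example (not the post's own code). Prefixes are the ones listed in the
article; the log format, sids and sample lines below are constructed.
"""
import ipaddress
import re

# Each entry: (prefix, action the post recommends, label).
# "withdrawn": RBN core ranges no longer routed; any hit deserves a close look.
# "block":     the Intercage /20 the post suggests blocking outright.
# "watch":     the wider /16, which carries legitimate traffic as well.
PREFIXES = [
    (ipaddress.ip_network("81.95.144.0/22"), "withdrawn", "RBN core range (withdrawn)"),
    (ipaddress.ip_network("81.95.148.0/22"), "withdrawn", "RBN core range (withdrawn)"),
    (ipaddress.ip_network("81.95.154.0/24"), "withdrawn", "RBN core range (withdrawn)"),
    (ipaddress.ip_network("81.95.155.0/24"), "withdrawn", "RBN core range (withdrawn)"),
    (ipaddress.ip_network("85.255.112.0/20"), "block", "Intercage range"),
    (ipaddress.ip_network("85.255.0.0/16"), "watch", "Intercage /16 (mixed, do not block wholesale)"),
]

# Constructed log format: "<date> <time> src=<ip> dst=<ip> proto=<p> dport=<n>"
LOG_LINE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def classify(ip_str):
    """Return (action, label) for the most specific matching prefix, or ("allow", None).

    Longest-prefix match matters here: an address inside 85.255.112.0/20 is also
    inside 85.255.0.0/16, and the /20 verdict ("block") must win over "watch".
    """
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, action, label in PREFIXES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action, label)
    if best is None:
        return ("allow", None)
    return (best[1], best[2])


def scan_log(lines):
    """Return [(dst, action, label)] for every line whose destination hits a tracked prefix."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a connection record we understand
        try:
            action, label = classify(m.group("dst"))
        except ValueError:
            continue  # malformed address field; skip rather than crash the scan
        if action != "allow":
            hits.append((m.group("dst"), action, label))
    return hits


def snort_rule(net, sid, msg):
    """Render a Snort 2 style rule alerting on any outbound IP traffic to a prefix (sid is hypothetical)."""
    return (f'alert ip $HOME_NET any -> {net} any '
            f'(msg:"{msg}"; classtype:misc-activity; sid:{sid}; rev:1;)')


# Constructed sample log lines (RFC 5737 address for the clean case).
SAMPLE_LOG = [
    "2007-11-10 14:22:01 src=192.168.1.20 dst=85.255.115.8 proto=tcp dport=80",
    "2007-11-10 14:22:05 src=192.168.1.21 dst=85.255.200.3 proto=tcp dport=443",
    "2007-11-10 14:22:09 src=192.168.1.22 dst=81.95.146.77 proto=tcp dport=80",
    "2007-11-10 14:22:12 src=192.168.1.23 dst=192.0.2.10 proto=udp dport=53",
]


if __name__ == "__main__":
    for dst, action, label in scan_log(SAMPLE_LOG):
        print(f"{action:10} {dst:16} {label}")
    # Example rule for the /20 the post suggests blocking (sid chosen arbitrarily).
    print(snort_rule("85.255.112.0/20", 2000001, "Intercage range (RBN-related)"))
```

The first three sample lines come back as "block", "watch" and "withdrawn" respectively; the fourth is clean and is not reported. Because the /20 sits inside the /16, the longest-prefix rule is what keeps the "block" verdict from being downgraded to "watch".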

Posted in Snort, RBN