
The "RBN" (Russian Business Network) & how to avoid them infecting you




As regards the "Russian Business Network" (RBN) who has been @ the heart of MANY online attacks (or, things like Zlob trojan & IDTheft related attacks, etc. et al)? Use this information to protect yourselves, from them.


(RELIABLE/REPUTABLE SOURCE USED = The Spamhaus Project - Security)


----


FIRST OF ALL - Note, I use "0.0.0.0" vs. "127.0.0.1"


(That is simply because iirc, the zeros-based one leads to a NULL port type of request, rather than your "loopback adapter" (i.e.-> YOUR OWN MACHINE fielding requests) for a couple of reasons (which it took me some time to come up w/ & testing as to which is "better" to use)).


SECONDLY, 0.0.0.0 is SMALLER than 127.0.0.1, & thus, parses + loads FAR faster, & is smaller on disk is why - AND, in RAM once loaded: THUS, I am logically concluding that 0.0.0.0 is better to use period for HOSTS file blocks - same function, & @ LESSER cost, nearly all the way around (less diskspace, faster loadspeed, less memory occupancy, & etc. et al). A MORE EFFICIENT STRUCTURE!


----


USING NOTEPAD.EXE


ADD THIS LIST TO YOUR CUSTOM HOSTS FILE (usually located in %windir%\system32\drivers\etc subfolder-subdirectory):


# === START OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS ===


# === END OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS ===


Also - You can (AND SHOULD) verify your HOSTS file location, because it CAN be moved (& some virus/spywares do so, like QHosts) by using regedit.exe & going here:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters


& checking to see it has NOT been misdirected from C:\WINDOWS\SYSTEM32\DRIVERS\etc


(Unless you KNOW that YOU move it, as I do!)


I move mine INTENTIONALLY to another disk here that is less used & faster on seeks!


That is just so it init.'s faster since the HDD is not contending with other programs loading etc. or data loading etc. - mine's on an SSD (solid-state ramdisk, for access-seek gains for example).


----


FOR FIREWALL BLOCKING RULES (or IE "restricted zones" lists (in IE options), OR possibly IP Security Policies usage):


I.P. address block for Russian Business Network:


81.95.144.0/20 #SBL43489

(81.95.144.0 - 81.95.159.255)


And the address blocks for its equally corrupt cousins at Intercage, Inhoster, and Nevacon:


85.255.112.0/20 #SBL36702

(85.255.112.0 - 85.255.127.255)


69.50.160.0/19

(69.50.160.0 - 69.50.191.255)


194.146.204.0/22 #SBL51152

(194.146.204.0 - 194.146.207.255)


Lastly/Optionally - You should block all IPs starting with these if you do not care about Russia and China:


193.

194.

195.

213.

217.

62.64.

62.76.


(AND, A few major Internet providers that provide services to RBN including)


Tiscali.uk

SBT Telecom

Aki Mon Telecom

Nevacon LTD

Frame Cash

76service

Noc4Hosts


APK
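
An added example, not part of the original post: a PowerShell audit for the HOSTS-relocation tampering described above. It assumes the directory is stored in the `DataBasePath` value under the registry key the post names (the post gives only the key; the value name is the standard Windows one), compares it with the default location, then flags HOSTS entries that resolve a name to anything other than a sink address and reports duplicate names.

```powershell
# Added example (not the poster's code). Run in a PowerShell session on the machine being checked.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$expected = Join-Path $env:SystemRoot 'System32\drivers\etc'

# DataBasePath is a REG_EXPAND_SZ value; Get-ItemProperty returns it with %SystemRoot% expanded.
$actual = (Get-ItemProperty -Path $key -Name DataBasePath).DataBasePath.TrimEnd('\')

if ($actual -ieq $expected) {
    "OK: HOSTS directory is the default ($actual)"
} else {
    # Legitimate only if you relocated it yourself; otherwise treat as tampering.
    Write-Warning "HOSTS directory relocated: $actual (default is $expected)"
}

$hostsFile = Join-Path $actual 'hosts'
$sinks     = '0.0.0.0', '127.0.0.1', '::1'   # addresses used for blocking, not redirecting
$seen      = @{}

foreach ($line in Get-Content -Path $hostsFile) {
    # Strip comments and blank lines before parsing "IP name [name ...]".
    $entry = ($line -replace '#.*$', '').Trim()
    if (-not $entry) { continue }

    $ip, $names = $entry -split '\s+'
    foreach ($name in $names) {
        $n = $name.ToLowerInvariant()        # host names are case-insensitive

        # A name mapped to a routable address is a redirect, the pattern HOSTS hijackers use.
        if ($sinks -notcontains $ip) {
            Write-Warning "REDIRECT: $n -> $ip"
        }

        # The first match wins during lookup, so later duplicates are dead weight
        # or, worse, hide a conflicting mapping.
        if ($seen.ContainsKey($n)) {
            "DUPLICATE: $n (first mapped to $($seen[$n]), again to $ip)"
        } else {
            $seen[$n] = $ip
        }
    }
}

"{0} unique host names in {1}" -f $seen.Count, $hostsFile
```

Any `REDIRECT` line for a name you did not add yourself deserves investigation before you trust the rest of the file.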


P.S.=> So you all know WHY I put up info. on the "RBN" (Russian Business Network) in my last post above?


Well, I strongly suspected (& proved correct) "they're @ it again" & here is why:


Cyber-attack launched from 10,000 web pages:


http://itnews.com.au/News/71994,cyberattac...-web-pages.aspx


"A single entity is likely to be behind this attack, since the malicious code on all these pages came from the same server in China."


(AND, the "RBN" is KNOWN to 'hop between' China & Russia regularly, as needed, & I suspect they are the ones behind this, but the article offers NO discrete IP Address ranges or IP's so, we have to wait on the specifics, but it is a GOOD guess based on their prior track record w/ Zlob, which I see nearly every day @ times on the job)...


APK

