funsec mailing list archives

Over 100 Malwares Hosted on a Single RBN IP


From: "Paul Ferguson" <fergdawg () netzero net>
Date: Wed, 24 Oct 2007 00:36:06 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dancho Danchev:

[snip]

The never-ending Russian Business Network saga on whether or not they
host malware on behalf of their customers enters an entirely new
phase with the discovery of over 100 malwares hosted on a single IP -
81.95.149.51/ms where the directory listing indicates that the earliest
binary was uploaded on 19-Sep-2006 and the most recent one on
28-May-2007. If only the directory listing were denied we would only be
speculating on such a development, and as it's obvious that it isn't,
sooner or later they'll simply rename the directory as they apparently
did in the past from 81.95.149.51/ms21 to 81.95.149.51/ms51 and to the
current state.

Meanwhile, there's an active mass mailing campaign going on at the time
of blogging that's exploiting the recent mailto PDF vulnerability.
Guess where the PDF file's payload points to? The Russian Business
Network, again, again and again.

[snip]

Link:
http://ddanchev.blogspot.com/2007/10/over-100-malwares-hosted-on-single-rbn.html

So much for RBN's claims of innocence:
http://blog.wired.com/27bstroke6/2007/10/controversial-r.html

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHHpNsq1pz9mNUZTMRAmAvAJ4kKMZLN76NfTdPyAq9fhK5fn+MIQCdHfUk
pee8p5fKBImTFGoTketR8Yk=
=+zYC
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
