In the last quarter of 2007, under public pressure over the Russian Business Network's malicious practices, the RBN started faking the removal of malicious domains from its network by placing fake "account suspended" notices while continuing the malware and exploit serving campaigns on them. And since I constantly monitor RBN activity, in particular their relationship with the New Media Malware Gang and Storm Worm, a relationship that I've in fact established several times before, a recently assessed malicious domain further expands their underground ecosystem. Let the data speak for itself:
dev.aero4.cn/adpack/index.php (22.214.171.124), once deobfuscated, loads dev.aero4.cn/adpack/load.php:
Detection rate: 11/32 (34.38%)
File size: 6656 bytes
It gets even more interesting as the downloader attempts to download the following:
And as I've already pointed out in a previous post, 126.96.36.199 is the New Media Malware Gang. Moreover, next to m.exe and d.exe with over 50% detection rates, 200.exe is impressively detected by one antivirus vendor only:
Detection rate: 1/32 (3.13%)
File size: 33280 bytes
Further continuing this assessment, firewalllab.cn (188.8.131.52) also responds to aero4.cn, and is hosted at AS4657 STARHUBINTERNET AS Starhub Internet Pte Ltd 31, Kaki Bukit Rd 3 SINGAPORE (previously known as CyberWay Pte Ltd). Even more interesting is the fact that 184.108.40.206 is also responding to known New Media Malware Gang domains:
Furthermore, 220.127.116.11 seems to have made an appearance at otrix.ru, where, in between the obfuscation, an IFRAME loads 18.104.22.168/forum.php, from which two more get loaded: 4qobj63z.tarog.us/tds/in.cgi?14 and 4qobj63z.tarog.us/tds/in.cgi?15. Déjà vu, again, again and again: 4qobj63z.tarog.us was among the domains used in the malware-embedded attack against the French government's site related to Libya, and there I made the connection with the New Media Malware Gang for yet another time.
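The pivot used throughout this assessment (tying domains together because they resolve to the same IP or hang off the same apex, and spotting the /tds/in.cgi?N redirector) can be automated. The following is an added example, not code from the original post; the resolutions are constructed sample data modelled on the relationships described above, with a placeholder name standing in for the unnamed gang domain.

```python
import re

# Constructed sample resolutions modelled on the relationships the post
# describes (hypothetical observations, not a real passive-DNS feed).
RESOLUTIONS = [
    ("dev.aero4.cn", "22.214.171.124"),
    ("aero4.cn", "188.8.131.52"),
    ("firewalllab.cn", "188.8.131.52"),
    ("known-gang-domain.example", "184.108.40.206"),  # placeholder name
    ("otrix.ru", "220.127.116.11"),
    ("control.example", "203.0.113.7"),  # control: shares nothing
]
TDS_RE = re.compile(r"/tds/in\.cgi\?(\d+)$")  # TDS redirect seen in the post

def apex(domain):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def cluster_by_infrastructure(resolutions):
    """Union-find over domains, IPs and apexes; returns a list of domain sets."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domain, ip in resolutions:
        # A shared IP or a shared apex ties two domains into one cluster.
        for node in ("ip:" + ip, "apex:" + apex(domain)):
            ra, rb = find(domain), find(node)
            if ra != rb:
                parent[ra] = rb

    groups = {}
    for domain, _ in resolutions:
        groups.setdefault(find(domain), set()).add(domain)
    return list(groups.values())

def cluster_containing(clusters, domain):
    """Return the cluster holding `domain`, or an empty set if unseen."""
    return next((c for c in clusters if domain in c), set())

def tds_redirect_id(url):
    """Return N from a /tds/in.cgi?N redirect URL, else None."""
    m = TDS_RE.search(url)
    return int(m.group(1)) if m else None
```

The apex heuristic is deliberately naive; for real feeds use a public-suffix list, and treat shared hosting IPs as a weaker link than dedicated ones.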
There's indeed a connection between the RBN, Storm Worm and the New Media Malware Gang. The malware gang is either a customer of the RBN, a partner sharing know-how with the RBN in exchange for infrastructure, or the RBN's actual operational department. Piece by piece, an ugly puzzle picture emerges thanks to everyone monitoring the RBN, which is still 100% operational.