Category Archives: Monitoring & Reporting

Introducing: Palevo Tracker

Today we are going to talk about a nasty worm called Palevo.

Palevo (also known as Rimecud, Butterfly bot or Pilleuz) made some big press in 2009 when Panda Security announced the coordinated takedown of a huge botnet that they called Mariposa.

Since then the threat has lost its media attention, but what most people don’t know is: Palevo is still a big player in the global threat landscape. According to FireEye, in 2010 Palevo was the top malware worldwide by number of infections:

Source: FireEye’s Malware Intelligence Lab: World’s Top Malware

Palevo is a so-called bot kit that is sold in underground forums (like ZeuS) under the name BUtterFly BOT. Therefore there are dozens of different botnets out there, run by different criminal groups.

So what is the key to Palevo’s success? The worm uses several techniques to spread itself. The most common built-in ones include:

  • P2P filesharing programs (bearshare, imesh, emule, limewire etc.)
  • Instant messaging (MSN- / Windows Live Messenger)
  • Removable drives (like USB-Sticks)

In addition, criminals have been observed combining Palevo with other spreading mechanisms, such as spreading via Windows file sharing, to achieve maximum impact.

During the past few months I have come across dozens of USB sticks infected with a variant of Palevo. Unfortunately, most (new) Palevo samples have a very bad detection rate, which makes it pretty easy to get infected. Just imagine you are attending a meeting or event and you ask a colleague or the presenter for a copy of the presentation he gave a few minutes before. What will he do? Most probably he will hand you his USB stick with a copy of the presentation, and BOOM – you are infected.

Another aspect of the problem is that most employees use the same USB stick at home and at work. If they plug a USB stick that was previously infected by Palevo on the home computer into the office computer, Palevo infects it immediately. In this case it doesn’t matter what corporate firewall or spam filter you are using in your network: you are infected before most of the corporate security devices have had a chance to kick in.

In spite of Microsoft’s decision to disable AutoPlay in Windows 7, and the much-needed disabling of AutoRun (except for CDs) in XP/Vista/2003/2008, Palevo still seems to spread widely.

A further problem is the way Palevo communicates with its Command&Control server (C&C): the worm uses UDP and encrypts the data sent to the C&C server, in most cases on a high port (e.g. 7700/UDP). The reason Palevo uses UDP is simple: there are plenty of firewalls/appliances out there which are poorly configured and therefore:

  • aren’t logging UDP packets in the Firewall log
  • allow UDP traffic by default

That makes it pretty easy to keep the Palevo C&C traffic hidden even in corporate networks.

*** Palevo Tracker ***
As outlined above, Palevo is a huge threat for corporate and home networks. Because it is widely spread and most people are not aware of the problem, I have decided to create Palevo Tracker. My goals are:

  • Get some attention on the Palevo threat
  • Provide a blocklist for well known Palevo C&Cs to the internet community
  • Provide details regarding Palevo C&Cs to ISPs, CERTs and Law Enforcement
  • Keep the project as smart and simple as possible

To keep it simple I’ve created Palevo Tracker as a sub-project of AMaDa. This means that the Palevo Tracker blocklist is included in the AMaDa C&C Blocklist.

You can use the blocklist to block Palevo C&C traffic proactively and/or to identify infected clients (e.g. by matching the blocklist against your firewall logs).
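The following script is an added example of the two checks discussed above, matching firewall logs against a C&C blocklist and, separately, picking out the kind of UDP-to-high-port traffic that Palevo uses and that misconfigured firewalls neither log nor filter. It is not code from Palevo Tracker or AMaDa. It assumes a plain one-IPv4-address-per-line blocklist with `#` comments and iptables-style syslog lines with `SRC=`/`DST=`/`PROTO=`/`DPT=` fields; the blocklist entries and log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
"""Match firewall logs against a C&C blocklist and triage Palevo-style UDP beacons.

Added example, not code from Palevo Tracker or AMaDa.  Assumptions that are
not from the post: the blocklist is plain text with one IPv4 address per line
and '#' comments; log lines are iptables-style syslog entries carrying
SRC=/DST=/PROTO=/DPT= fields.  Addresses come from the RFC 5737 documentation
ranges and every log line below is constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed blocklist in the assumed one-address-per-line format.
BLOCKLIST_TEXT = """\
# C&C blocklist (constructed for this example)
192.0.2.10
192.0.2.77   # trailing comments are allowed
203.0.113.5
"""

# Constructed iptables-style log lines: UDP beacons to a listed host on a high
# port (the pattern described in the post), a TCP hit on a listed host, a UDP
# flow to an unlisted host on a high port, ordinary DNS, and a non-packet line.
LOG_LINES = [
    "Jan 12 10:01:02 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=192.0.2.10 PROTO=UDP SPT=1245 DPT=7700 LEN=38",
    "Jan 12 10:01:09 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=192.0.2.10 PROTO=UDP SPT=1245 DPT=7700 LEN=38",
    "Jan 12 10:02:30 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.21 DST=203.0.113.5 PROTO=TCP SPT=50233 DPT=80 LEN=60",
    "Jan 12 10:03:11 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.33 DST=198.51.100.9 PROTO=UDP SPT=1030 DPT=53 LEN=70",
    "Jan 12 10:03:40 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.33 DST=198.51.100.22 PROTO=UDP SPT=1031 DPT=7700 LEN=38",
    "Jan 12 10:04:40 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.40 DST=192.0.2.77 PROTO=UDP SPT=2001 DPT=8877 LEN=40",
    "Jan 12 10:05:00 fw kernel: martian source 10.0.0.99 from 0.0.0.0, on dev eth1",
]

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def load_blocklist(text):
    """Parse the assumed one-IP-per-line blocklist, ignoring comments and blanks."""
    addrs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            addrs.add(ipaddress.ip_address(line))
    return addrs


def parse_line(line):
    """Return the SRC/DST/PROTO(/DPT) fields of an iptables-style line, or None."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    return fields


def classify(entry, blocklist, high_port=1024):
    """'cnc' if the destination is listed; 'udp-high' for UDP to an unlisted host
    on a high port (worth a look, since UDP is often neither logged nor filtered);
    None otherwise."""
    if ipaddress.ip_address(entry["DST"]) in blocklist:
        return "cnc"
    if entry["PROTO"].upper() == "UDP" and int(entry.get("DPT", "0")) >= high_port:
        return "udp-high"
    return None


def triage(log_lines, blocklist_text, high_port=1024):
    """Group hits by internal source address: {'cnc': {src: {(dst, proto, dport)}},
    'udp-high': {...}}.  Hosts under 'cnc' are infected clients to pull for cleanup."""
    blocklist = load_blocklist(blocklist_text)
    result = {"cnc": defaultdict(set), "udp-high": defaultdict(set)}
    for line in log_lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry, blocklist, high_port)
        if label:
            result[label][entry["SRC"]].add(
                (entry["DST"], entry["PROTO"].upper(), int(entry.get("DPT", "0"))))
    return {label: dict(hits) for label, hits in result.items()}


if __name__ == "__main__":
    for label, hits in triage(LOG_LINES, BLOCKLIST_TEXT).items():
        for src in sorted(hits):
            print(f"{label:8s} {src} -> {sorted(hits[src])}")
```

The `cnc` bucket is the blocklist match and gives you the internal hosts to clean; the `udp-high` bucket is the caveat: it only exists if the firewall logs UDP at all, so a silent log here is itself a sign the firewall is in the misconfigured category described above.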

*** Further Links ***
Below are some links to different AV-vendors currently detecting Palevo:

Symantec: W32.Pilleuz
McAfee: W32/Palevo
Microsoft: Win32/Rimecud
Symantec Connect: The Mariposa Butterfly

2011 – A Bad Start For Cybercriminals: 14 Rogue ISPs Disconnected

Normally I blog about new threats and issues that are popping up in cyberspace, but today I have some good news for you.

On the evening of the 11th of January, a Russian-based ISP called Vline Telecom (AS39150) was de-peered by its upstream provider. As a result of the disconnect, 9 of the worst bulletproof hosters worldwide went offline and the number of active ZeuS botnet Command&Control servers dropped from 61 to 41 on the 12th of January.

Additionally, in January 2011 I was informed about the takedown of a Ukrainian-based ISP called ONLINENET SPD Andreychuk Andrey Alekseevich (AS50722), which resulted in another 5 bulletproof hosters disappearing from the global routing table.

We can say that January 2011 was a very bad start for cybercriminals, as a total of 14 bulletproof hosters have been disconnected from the internet this month.

*** What happened? ***
It all started in March 2010 when I came across the first few ZeuS C&Cs in the network of VLine Telecom:

2010-03-24 15:22:33 | | | VLTELECOM-AS VLineTelecom LLC
2010-03-26 07:46:49 | | | VLTELECOM-AS VLineTelecom LLC
2010-03-26 11:55:20 | | | VLTELECOM-AS VLineTelecom LLC
2010-03-27 11:10:31 | | | VLTELECOM-AS VLineTelecom LLC
2010-03-27 14:32:45 | | | VLTELECOM-AS VLineTelecom LLC
2010-03-31 06:54:58 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-12 08:20:42 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-13 06:31:17 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:39:39 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:39:55 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:40:18 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:40:43 | | | VLTELECOM-AS VLineTelecom LLC

In 2010, VLine Telecom hosted more than 140 ZeuS botnet Command&Control servers, which earned them a position in the World’s Top 10 Bad Hosts:

Source: Host Exploit

However, this was just the tip of the iceberg: in June 2010 VLine Telecom started to route a few networks that we later came to consider the worst criminal networks in the world. At the end of 2010 ZeuS Tracker saw a lot of new Command&Control servers (C&Cs) popping up in the networks that VLine Telecom provides IP transit for:

AS number | AS name | Spamhaus SBL
AS48984 | VLAF-AS Vlaf Processing Ltd | SBL90627
AS20564 | INFORMEX-MNT Informex, E-commerce Service Provider | SBL97792
AS31506 | ASN-YS-IX Yuzhno-Sakhalinsk Internet eXchange | SBL98806
AS39858 | UNINETMD-AS S.C. Uninet S.R.L | SBL90650
AS31682 | DIOSOFT-AS DIOSoft Ltd. | SBL90652
AS31445 | TTC-AS Naukanet (TopNET) UA Aggregation network Autonomous System | SBL92406
AS48280 | IT-OUTSOURCE-AS LLC _Management, informational | SBL98806
AS43181 | K2K-AS Contel 2000 Ltd. | SBL96584
AS31478 | PMN-AS PROMIRANET multihomed network | SBL98807

(ZeuS Tracker keeps the list of ZeuS C&Cs seen in each of these networks.)

As you can see in the list above, VLine Telecom not only hosted a lot of ZeuS C&C servers, they also provided internet access (IP transit) to a lot of different networks which are obviously controlled by cybercriminals.

However, by that time it was also clear that the situation needed some movement, so Spamhaus issued two SBLs on VLine Telecom’s upstream provider, GlobalNet Russia (see SBL98570 / SBL96680). As it turned out, this listing was one of the best things Spamhaus did in the last couple of weeks, because GlobalNet Russia started to feel the problem when nearly every mail server in the world stopped accepting emails from GlobalNet and their customers.

Additionally, I reached out to GlobalNet on the 15th of December with an immediate de-peering request for VLine Telecom. GlobalNet declined to disconnect VLine Telecom, referring to Russian law and the contract GlobalNet had with VLine Telecom. Fortunately, GlobalNet was very cooperative and my contact there agreed to null-route the IP addresses for which I had evidence that they were actually bad.

After my chat with GlobalNet the situation improved by the end of 2010. Unfortunately, VLine Telecom still didn’t care about any abuse that came from their networks or their IP transit customers, and new ZeuS C&C servers popped up there pretty quickly. I had to reach out to GlobalNet again on December 27 2010 with another request to de-peer VLine Telecom immediately.

GlobalNet (as the upstream provider) reached out to VLine Telecom with a request to solve these problems immediately. As a result of the pressure from GlobalNet, VLine Telecom disconnected the first bulletproof hoster from the internet:

AS number: AS31506
AS name: ASN-YS-IX Yuzhno-Sakhalinsk Internet eXchange
Status: NOT Announced
Spamhaus SBL: SBL98806

On January 5th, I was pretty surprised when VLine Telecom suddenly changed their routes and started to route all their traffic over the Russian Federal University Network (RUNNet). I guess that VLine Telecom had simply had enough of GlobalNet null-routing every IP that I reported to them, so they decided to switch to a different upstream provider. At the same time I received an email from VLine Telecom asking me to send any information concerning abuse in their network directly to them instead of to their upstream provider. As VLine had contacted me, I decided to give them a chance, so I replied with a long email that contained a list of abuse issues from their networks (you can imagine that the list of current issues was huge). A few minutes later, I received a response from VLine Telecom telling me that they had blocked the mentioned IP addresses. I was pretty surprised that they had taken action. But unfortunately I made one big mistake: I believed what VLine Telecom told me…

A few hours after VLine Telecom’s reply that they had banned the mentioned IP addresses, I noticed that the hosts were still reachable, but NOT from my IP address. I did some research and found out that all of the associated networks were blocking traffic coming from ZeuS Tracker.

You can imagine that I got pretty angry about this, so I decided to reach out to RUNNet with an immediate de-peering request for VLine Telecom. One hour later I got the following message from RUNNet:

IP-transit VLineTelecom ( ^39150_ ) via RUNNet is stopped now.

A short traceroute from different locations confirmed what RUNNet told me in their email: VLine Telecom was no longer being routed through RUNNet! After the disconnect, it took VLine Telecom just 4 minutes to tell RUNNet and me that they had disconnected all their IP transit customers.

After some downtime of VLine Telecom (and of course all their customers), GlobalNet decided to route VLine Telecom through GlobalNet’s network again. As soon as they were up and running again we checked that the networks mentioned above were no longer being routed by VLine Telecom.

*** Current status ***
As of January 22nd, VLine Telecom is routed through GlobalNet Russia and the 9 networks mentioned above are not being announced in the global routing table. VLine Telecom has not been permanently disconnected, but I think I made a pretty good arrangement with GlobalNet to monitor the situation of their downstreams for a while.
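The point of this whole case is that counting C&Cs per hosting AS (the "bad host" ranking) misses the transit relationship: de-peering one upstream took nine downstream networks offline at once, while VLine itself stayed reachable by switching to another upstream. The script below is an added example of that transit-centric view; it is not ZeuS Tracker’s code. It assumes each C&C record carries the BGP AS_PATH(s) observed for its prefix, written as a route collector prints them (rightmost ASN = origin, several paths if the prefix is multi-homed). AS39150, AS48984, AS20564 and AS31506 are taken from the post; AS64496 to AS64499 are documentation ASNs standing in for upstreams whose numbers the post does not give, and the records themselves are constructed.

```python
"""Roll C&C records up to the transit AS that carries them.

Added example, not ZeuS Tracker's own code.  Assumptions not taken from the
post: each C&C record carries the BGP AS_PATH(s) observed for its prefix,
written as a route collector prints them (leftmost = collector's neighbour,
rightmost = origin AS), with more than one path when the prefix is reachable
via several upstreams.  AS39150 (VLine), AS48984, AS20564 and AS31506 are from
the post; 64496-64499 are documentation ASNs (RFC 5398) standing in for
networks whose AS numbers the post does not give.  Records are constructed.
"""
from collections import Counter


# Constructed records: (C&C id, [AS_PATH strings])
CNC_RECORDS = [
    ("c2-01", ["64496 39150 48984"]),
    ("c2-02", ["64496 39150 39150 48984"]),          # prepended path, same route
    ("c2-03", ["64496 39150 20564"]),
    ("c2-04", ["64496 39150 31506", "64497 31506"]),  # multi-homed downstream
    ("c2-05", ["64496 39150"]),                       # hosted directly at VLine
    ("c2-06", ["64498 64499"]),                       # unrelated network
]


def parse_path(path):
    """'64496 39150 39150 48984' -> [64496, 39150, 48984] (prepending collapsed)."""
    asns = []
    for token in path.split():
        asn = int(token)
        if not asns or asns[-1] != asn:
            asns.append(asn)
    return asns


def origin_counts(records):
    """C&Cs per origin AS: the 'bad host' view, which misses who carries them."""
    counts = Counter()
    for _, paths in records:
        for origin in {parse_path(p)[-1] for p in paths}:
            counts[origin] += 1
    return counts


def cutoff_if_depeered(records, asn):
    """IDs of C&Cs that lose *every* observed path when `asn` stops carrying
    traffic.  A multi-homed downstream keeps its other path, just as VLine
    itself stayed reachable by moving to another upstream."""
    return [cid for cid, paths in records
            if all(asn in parse_path(p) for p in paths)]


def depeering_impact(records):
    """For each non-origin ASN seen on any path, how many C&Cs its de-peering
    takes offline.  This is the transit view the post argues for."""
    transit = set()
    for _, paths in records:
        for p in paths:
            transit.update(parse_path(p)[:-1])
    return {asn: len(cutoff_if_depeered(records, asn)) for asn in sorted(transit)}


if __name__ == "__main__":
    print("per origin AS:", dict(origin_counts(CNC_RECORDS)))
    print("per transit AS:", depeering_impact(CNC_RECORDS))
```

With the constructed records, the origin view spreads the C&Cs over five ASes, while the transit view shows that AS39150 (or its single upstream) carries four of them; the multi-homed `c2-04` is the reminder that a de-peering only bites when the downstream has no second path, which is exactly why the null routing and the second de-peering request were needed here.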

*** Further takedowns ***
On January 17th, I was informed about another takedown; this time it was an ISP called ONLINENET SPD Andreychuk Andrey Alekseevich (AS50722) which had been disconnected by its upstream provider ISV4 (AS21379). Because ONLINENET provided IP transit to another 5 bulletproof hosters, these were also forced offline in January 2011:

AS number | AS name | Spamhaus SBL
AS34229 | VAKUSHAN-AS Anton Vakushin | SBL96354
AS29106 | VOLGAHOST-AS PE Bondarenko Dmitriy Vladimirovich | SBL83028
AS51554 | LYAHOV-AS Lyahovich Maksim | SBL97861
AS51354 | VPNME-AS Igor Vladimirovich Kanaev | SBL97864
AS51303 | GORBY-AS Alexandr Gorbunov | SBL97616

*** What we have learned from the VLine-case ***
While investigating the VLine case I learned a lot. The first and most relevant lesson is: not every Russian-speaking guy is a cybercriminal 🙂

When I started my investigation at GlobalNet and RUNNet I was completely unsure whether I could trust them. Today I know that I can, and that they have done (and of course are still doing) a very good job of solving the issues within their responsibility.

With the knowledge that I gained in the VLine-case I’m now able to draw the following network map:

The second thing I learned is that there are often language problems. As you see in the chart above, I (still) consider VLine as bad. However, I have to say that sometimes I had the feeling that they just didn’t know what they were doing (from a technical perspective) and that they didn’t understand what I wanted to tell them (language problem).

Anyway, I still think that VLine Telecom should be permanently disconnected, but I also know that they are now aware of the situation and that the whole world is now (at least after this blog post) watching their behaviour and actions closely.

Last but not least I would like to thank GlobalNet Russia and RUNNet for all their efforts and their help to get the problem with VLine Telecom solved.
