Category Archives: ZeuS Tracker

How Criminals Defend Their Rogue Networks

It is common that cybercriminals are hosting their stuff in rogue networks (renting out so-called Bulletproof hosted servers). Many of you may remember the year 2008, when a well known Bulletproof hoster named McColo was knocked offline. We can say that this nearly was a historical moment in the history of the world wide web, where the Internet community clearly showed that they didn’t want to tolerate Cybercrime any longer. The McColo takedown was the beginning of a series of takedowns initiated by security researchers, law enforcement agencies and volunteers; In 2010, the well known Russian based Bulletproof hoster Troyak was cut off from the Internet, followed by the takedown of Group Vertical.

The series of takedowns continued in the beginning of 2011, when in January 14 rogue ISPs were disconnected from the Internet. Since then we didn’t see any new Bulletproof hosters popping up… or did we? Where did all the Cybercriminals move to? If we take a look at the ZeuS Tracker statistic (Top ten ZeuS hosting ISPs) we don’t see any network that would look too much like a Bulletproof hoster.

So the Internet appears to be free from cybercrime… *cough* – unfortunately I have to disappoint everyone who thought that the Internet is getting rid of Cybercrime: The Bulletproof hosters are still here. I still see a lot of fraud, malware, phishing etc popping up on a daily basis. But where is it hosted? As you probably know, Cybercriminals can be very creative. They found several ways to hide themselves from the radar of the security industry and from the eyes of security researchers. Some of there tactics are very old, while some of them are pretty new.

FastFlux hosting
FastFlux hosting is a pretty old technique and still an issue (but not that big any more): Cybercriminals are hosting their infrastructure on FastFlux botnets to hide the real botnet controllers (mothership) and to make their infrastructure more hardened against takedowns. During the past few months the situation haven’t really changed. The number of FastFlux hosted ZeuS botnet controllers is more or less constantly 19. What is new is the fact that the Cybercriminals have also started to host SpyEye botnet controllers on FastFlux botnets. Currently SpyEye Tracker tracks 8 SpyEye C&Cs controllers that are hosted on FastFlux botnets.

Domain Generation Algorithms (DGA)
A much more sophisticated way to serve/host botnet control infrastructure are so called Domain Generation Algorithms (DGA). The criminals are using an algorithm that is using date and some salt as parameter to generate the domains the infected computers (bots) should contact. In this way the domains are being ‘fluxed’ on a daily basis – meaning the CnC domains that are used by the bots are changing every day, or in some cases several times a day –  which makes it hard to take down the botnet control infrastructure. Last year, a special version of ZeuS (murofet/LICAT) that used the DGA technique covered some media attention. But in fact the technique isn’t new: Torpig, a sophisticated banking Trojan, has been using a DGA since 2008. Torpig even utilized the Twitter trend API, as mentioned in this old post by unmaskparasites.

How ever sophisticated this technique sounds, DGA can have a benefit for security researchers: If you are able to reverse engineer the code, you are able to identify the algorithm used by the Trojan. In this way it is possible to generate the domain names that the Trojan will use in the future and register them to sinkhole the botnet. However, there are some Trojans that are generating more than 50’000 domains per day. This would mean that you have to register 50’000 domains every day to sinkhole the botnet effectively.

Using custom DNS servers
Another interesting tactic that I’ve seen recently is the use of custom DNS servers. Some Trojans are using custom DNS servers that are under control of the criminals themselves. The Trojan resolves the domain name used as botnet controller using a custom DNS server. The benefit for the criminal is, that only the DNS server that is under control of himself is resolving the domain name correctly. In fact this means when a security researcher tries to access the domain it appears that it does not exist.

Also, the criminal can use well known domain names like or as botnet controllers. Due to the fact that the Trojan resolves the domains using the custom DNS servers the criminal can point the domain name to his botnet controller. In this case the benefit for the criminal is that e.g. appears in the sandbox reports of the Security Industry and may lead to false positives in security products. So the criminals can catch two birds with one stone: Hiding their botnet infrastructure behind a well known domain name and making Security Products imprecise.

Since version 10338 (1.3.38, first seen around April 4 2011), certain SpyEye versions has been seen utilizing such a feature. The botnet master can define custom DNS servers that are being stored in a file called “dns.txt” that is served to the bots within the SpyEye configuration file. However, usually public DNS servers are listed in this dns.txt file, like the ones offered by Google. This is a trick to avoid local DNS blackholing and to avoid detection by looking at local DNS server logs.

Fluxing domain names
After the takedown of several rogue ISPs in January 2011, I’ve seen a big amount of botnet controllers popping up in some suspicious networks. What got my attention was the fact that as soon as I had added a botnet controller to the tracker the domain disappeared and became unreachable. A few hours later a backup domain pointing to the same or nearby IP address in the same subnet came active.

I’ve seen this behaviour on several ISPs that are all looking quite suspicious to me. A good example is AS56659 BALTI-AS (also known as PermInterSvyaz LTD and BESTISP), a Ukraine-based ISP that is being routed by Er-Telecom -> Currently, there are 5 ZeuS botnet controllers tracker by ZeuS Tracker, none of them are currently active. SpyEye Tracker currently tracks 11 SpyEye botnet controllers in that subnet. Only one is currently active. At first glance this AS does not look that suspicious, but if we take a look at this history of the subnet we see that it hosted more than 60 SpyEye botnet controllers since March 2011:

# Timestamp (UTC) | Domain | IP address | AS number | AS name | Country Code
2011-05-02 16:18:05 | | | AS56659 | BALTI-AS OOO | UA
2011-05-19 17:02:55 | | | AS56659 | BALTI-AS OOO | UA
2011-06-11 20:51:10 | | | AS56659 | BALTI-AS OOO | UA
2011-06-13 08:37:27 | | | AS56659 | BALTI-AS OOO | UA
2011-06-16 13:53:34 | | | AS56659 | BALTI-AS OOO | UA
2011-06-16 19:51:46 | | | AS56659 | BALTI-AS OOO | UA
2011-06-18 08:33:12 | | | AS56659 | BALTI-AS OOO | UA
2011-06-19 15:08:48 | | | AS56659 | BALTI-AS OOO | UA
2011-06-21 16:48:57 | | | AS56659 | BALTI-AS OOO | UA
2011-06-26 14:28:59 | | | AS56659 | BALTI-AS OOO | UA
2011-06-27 08:17:03 | | | AS56659 | BALTI-AS OOO | UA
2011-06-27 14:55:25 | | | AS56659 | BALTI-AS OOO | UA
2011-06-28 17:47:31 | | | AS56659 | BALTI-AS OOO | UA
2011-06-29 14:24:51 | | | AS56659 | BALTI-AS OOO | UA
2011-07-05 13:47:09 | | | AS56659 | BALTI-AS OOO | UA
2011-07-05 15:23:33 | | | AS56659 | BALTI-AS OOO | UA
2011-07-05 16:08:27 | | | AS56659 | BALTI-AS OOO | UA
2011-07-05 16:45:49 | | | AS56659 | BALTI-AS OOO | UA
2011-07-06 12:19:17 | | | AS56659 | BALTI-AS OOO | UA
2011-07-06 13:23:26 | | | AS56659 | BALTI-AS OOO | UA
2011-07-06 21:02:21 | | | AS56659 | BALTI-AS OOO | UA
2011-07-07 05:32:33 | | | AS56659 | BALTI-AS OOO | UA
2011-07-07 05:39:20 | | | AS56659 | BALTI-AS OOO | UA
2011-07-07 09:57:46 | | | AS56659 | BALTI-AS OOO | UA
2011-07-07 11:26:23 | | | AS56659 | BALTI-AS OOO | UA
2011-07-08 06:39:56 | | | AS56659 | BALTI-AS OOO | UA
2011-07-08 11:14:17 | | | AS56659 | BALTI-AS OOO | UA
2011-07-08 12:14:50 | | | AS56659 | BALTI-AS OOO | UA
2011-07-08 20:12:23 | | | AS56659 | BALTI-AS OOO | UA
2011-07-09 21:37:13 | | | AS56659 | BALTI-AS OOO | UA
2011-07-10 15:10:36 | | | AS56659 | BALTI-AS OOO | UA
2011-07-11 04:43:30 | | | AS56659 | BALTI-AS OOO | UA
2011-07-11 05:25:34 | | | AS56659 | BALTI-AS OOO | UA
2011-07-11 17:54:31 | | | AS56659 | BALTI-AS OOO | UA
2011-07-12 06:34:04 | | | AS56659 | BALTI-AS OOO | UA
2011-07-12 08:53:25 | | | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:17:31 | | | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:19:35 | | | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:35:57 | | | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:36:32 | | | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:54:07 | | | AS56659 | BALTI-AS OOO | UA
2011-07-13 06:00:11 | | | AS56659 | BALTI-AS OOO | UA
2011-07-13 06:00:32 | | | AS56659 | BALTI-AS OOO | UA
2011-07-13 06:05:58 | | | AS56659 | BALTI-AS OOO | UA
2011-07-13 07:37:45 | | | AS56659 | BALTI-AS OOO | UA
2011-07-14 10:35:32 | | | AS56659 | BALTI-AS OOO | UA
2011-07-14 11:48:02 | | | AS56659 | BALTI-AS OOO | UA
2011-07-15 08:34:38 | | | AS56659 | BALTI-AS OOO | UA
2011-07-15 10:53:58 | | | AS56659 | BALTI-AS OOO | UA
2011-07-15 17:25:45 | | | AS56659 | BALTI-AS OOO | UA
2011-07-23 08:37:36 | | | AS56659 | BALTI-AS OOO | UA
2011-07-23 08:47:07 | | | AS56659 | BALTI-AS OOO | UA
2011-07-23 18:40:28 | | | AS56659 | BALTI-AS OOO | UA
2011-07-24 08:29:53 | | | AS56659 | BALTI-AS OOO | UA

I assume that the criminals are using some kind of script to check ZeuS- and SpyEye Tracker periodically for new botnet controllers in their subnet. As soon as a new domain pops up they seem to remove it and switch over to a backup URL (both ZeuS and SpyEye have a feature that allows the cybercriminals to define backup URLs that the bots should contact when the main C&C is not reachable).

But what’s the benefit of this tactic for the criminal? Well, Cybercriminals have seen in the past that they will get de-peered quite quickly when they attract to much attention from law enforcement and security researchers. By fluxing the domain name as soon as it appear on a tracker, they ensure that the number of active botnet controllers stay as low as possible. Therefore they will not appear on the radar of the Internet community that fast and of course they can claim that they take action against fraudulent customers quickly.

What we can say is that BALTI-AS is a rogue network for sure. I haven’t seen any legit domain names being hosted there.

Also, the criminals are quite creative and will always try to not appear on the radar of the Internet community. It’s always a cat and mouse game between the infosec community and the criminals who are operating the different botnet infrastructures.

As we all know, things can change quite fast in the Internet. This is a big issue for policy makers and law enforcement. They are not able to act as quick as the criminals do. The cybercriminals knows this too and are trying to make profit with the failing of the law enforcement.

The Internet has no borders so we need a global solution to defend ourselves from cybercrime. But we are still failing to find a global solution. Fortunately, there are dedicated people out there that are determined to fight cybercrime. When these people cooperate, they are able to move mountains.

Good deeds are being done by these folks every day. We just need more of them. And we need governments and organisations across the world to follow in their footsteps.

2011 – A Bad Start For Cybercriminals: 14 Rogue ISPs Disconnected

Normally I blog about new threats and issues that are popping up in cyberspace, but today I have some good news for you.

On the evening of the 11th of January, a Russian based ISP called Vline Telecom (AS39150) was de-peered from its upstream provider As a result of the disconnect, 9 of the world wide worst Bulletproof Hosters got offline and the number of active Zeus Botnet Command&Control servers dropped from 61 to 41 on 12th of January.

Additionally, in January 2011 I was informed about another takedown of a Ukrainian based ISP called ONLINENET SPD Andreychuk Andrey Alekseevich (AS50722) which resulted in another 5 bulletproof hosters disappearing from the global routing table.

We can say that January 2011 was a very bad start for cybercriminals, as a total of 14 bulletproof hosters have been disconnected from the internet this month.

*** What happened? ***
It all started in March 2010 when I came across the first few ZeuS C&Cs in the network of VLine Telecom:

2010-03-24 15:22:33 | | | VLTELECOM-AS VLineTelecom LLC
2010-03-26 07:46:49 | | | VLTELECOM-AS VLineTelecom LLC
2010-03-26 11:55:20 | | | VLTELECOM-AS VLineTelecom LLC
2010-03-27 11:10:31 | | | VLTELECOM-AS VLineTelecom LLC
2010-03-27 14:32:45 | | | VLTELECOM-AS VLineTelecom LLC
2010-03-31 06:54:58 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-12 08:20:42 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-13 06:31:17 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:39:39 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:39:55 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:40:18 | | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:40:43 | | | VLTELECOM-AS VLineTelecom LLC

In 2010, VLine Telecom hosted more than 140 ZeuS Botnet Command&Control Servers. Therefore they managed to get a position in the Worlds Top 10 Bad Hosts:

Source: Host Exploit

However, this was just the tip of the iceberg: In June 2010 Vline Telecom started to route a few networks we later came to consider as the worst criminal networks in the world. At the end of 2010 ZeuS Tracker saw a lot of new Command&Control Servers (C&C) popping up in the networks that VLine Telecom provides IP transit for:

AS number: AS48984
AS name: VLAF-AS Vlaf Processing Ltd
Spamhaus SBL: SBL90627
List of ZeuS C&Cs in this network: show

AS number: AS20564
AS name: INFORMEX-MNT Informex, E-commerce Service Provider
Spamhaus SBL: SBL97792
List of ZeuS C&Cs in this network: show

AS number: AS31506
AS name: ASN-YS-IX Yuzhno-Sakhalinsk Internet eXchange
Spamhaus SBL: SBL98806
List of ZeuS C&Cs in this network: show

AS number: AS39858
As name: UNINETMD-AS S.C. Uninet S.R.L
Spamhaus SBL: SBL90650
List of ZeuS C&Cs in this network: show

AS number: AS31682
AS name: DIOSOFT-AS DIOSoft Ltd.
Spamhaus SBL: SBL90652
List of ZeuS C&Cs in this network: show

AS number: AS31445
AS name: TTC-AS Naukanet (TopNET) UA Aggregation network Autonomous System
Spamhaus SBL: SBL92406
List of ZeuS C&Cs in this network: show

AS number: AS48280
AS name: IT-OUTSOURCE-AS LLC _Management, informational
Spamhaus SBL: SBL98806
List of ZeuS C&Cs in this network: show

AS number: AS43181
AS name: K2K-AS Contel 2000 Ltd.
Spamhaus SBL: SBL96584
List of ZeuS C&Cs in this network: show

AS number: AS31478
AS name: PMN-AS PROMIRANET multihomed network
Spamhaus SBL: SBL98807
List of ZeuS C&Cs in this network: show

As you can see in the list above, VLine Telecom not only hosted a lot of ZeuS C&C servers, they also provided internet access (IP transit) to a lot of different networks which are obviously controlled by cybercriminals.

However, at this time it was also clear that some movement in the situation was needed so Spamhaus issued two SBLs on VLine Telecom’s Upstream provider called GlobalNet Russia (see SBL98570 / SBL96680). As it turned out, this listing was one of the best things Spamhaus did in the last couple of weeks because GlobalNet Russia started to face the problem when nearly every mailserver in the world stopped accepting emails from GlobalNet and their customers.

Additionally, I reached out to GlobalNet on the 15th of December with a immediate de-peering request for VLine Telecom. GlobalNet denied to disconnect VLine Telecom by referring to the Russian Law and the contract that GlobalNet had with VLine Telecom. Fortunately, GlobalNet was very cooperative and my contact there agreed to null route the IP addresses where I had evidence that they actually were bad.

After my chat with GlobalNet the situation improved by the end of 2010. Unfortunately, VLine Telecom still didn’t care about any abuse that came from their networks or their IP transit customers. This resulted in new ZeuS C&C servers popped up there pretty quickly. I had to reach out again to GlobalNet on December 27 2010 with another request to de-peer VLine Telecom immediately.

GlobalNet (as the uptream provider) reached out to VLine Telecom with a request to solve these problems immediately. As a result of the pressure made by GlobalNet, VLine Telecom disconnected the first Bulletproof hoster from the internet:

AS number: AS31506
AS name: ASN-YS-IX Yuzhno-Sakhalinsk Internet eXchange
Status: NOT Announced
Spamhaus SBL: SBL98806

On January 5th, I was pretty surprised when VLine Telecom suddenly changed their routes and started to route all their traffic over, which is the Russian Federal University Network. I guess that VLine Telecom just had enough of GlobalNet null routing all IPs that I reported to them, so they obviously decided to switch to a different upstream provider. At the same time I received an email from VLine Telecom asking me to send any information concerning abuse in their network directly to them instead of to their upstream provider. As VLine contacted me, I decided to give them a chance, so I replied with a long email that contained a list of abuse issues from their networks (you can imagine that the list of current issues was huge). A few minutes later, I received a response from VLine Telecom where they told me that they had blocked the mentioned IP addresses. I was pretty surprised that they had taken action. But unfortunately I made one big mistake: I believed what VLine Telecom told me…

A few hours after the reply from VLine Telecom that they had banned the mentioned IP addresses, I noticed that the hosts were still reachable, but NOT from my IP address. I did some research and I found out that all of the associated networks was blocking traffic which comes from ZeuS Tracker.

You can imagine that I got pretty angry about this, so I decided to reach out to with an immediate de-peering request for VLine Telecom. One hour later I got the following message from

IP-transit VLineTelecom ( ^39150_ ) via RUNNet is stopped now.

A short trace route from different locations just confirmed what RUNNet told me in their email: VLine Telecom was no longer being routed through RUNNet! After the disconnect, it took VLine Telecom just 4 minutes to tell RUNNet and me that they had disconnected all IP transit customers.

After some downtime of VLine Telecom (and of course all their customers) GlobalNet decided to start routing of VLine Telecom again through GlobalNet’s network. As soon as they were up and running again we checked that the before mentioned networks were no longer being routed by VLine Telecom.

*** Current status ***
As of January 22nd, VLine Telecom is routed through GlobalNet Russia and the mentioned 9 networks above are not being announced in the global routing table. It didn’t get so far as to get VLine Telecom permanently disconnected, but I think I made a pretty good arrangement with GlobalNet to monitor the situation of their downstreams for a while.

*** Further takedowns ***
On January 17th, I was informed about another takedown; this time it was an ISP called ONLINENET SPD Andreychuk Andrey Alekseevich (AS50722) which had been disconnected by its upstream provider called ISV4 (AS21379 – Because ONLINENET provided IP transit to another 5 bulletproof hosters, these also were forced offline in January 2011:

AS number: AS34229
AS name: VAKUSHAN-AS Anton Vakushin
Spamhaus SBL: SBL96354

AS number: AS29106
AS name: VOLGAHOST-AS PE Bondarenko Dmitriy Vladimirovich
Spamhaus SBL: SBL83028

AS number: AS51554
AS name: LYAHOV-AS Lyahovich Maksim
Spamhaus SBL: SBL97861

AS number: AS51354
AS name: VPNME-AS Igor Vladimirovich Kanaev
Spamhaus SBL: SBL97864

AS number: AS51303
AS name: GORBY-AS Alexandr Gorbunov
Spamhaus SBL: SBL97616

*** What we have learned from the VLine-case ***
While investigating the VLine-case I made a lot of new experiences. The first and most relevant one is: Not every Russian speaking guy is a cybercriminal 🙂

When I started my investigation at GlobalNet and RUNNet I was completely unsure whether I could trust them or not. Today I know that I can trust them and that they have done (and of course are still doing) a very good job to solve the issues within their responsibility.

With the knowledge that I gained in the VLine-case I’m now able to draw the following network map:

The second thing I learned is that there are often language problems. As you see in the chart above I (still) consider VLine as bad. However, I have to say that some times I had the feeling that they just didn’t know what they were doing (from a technical perspective) and that they didn’t understand what I wanted to tell them (language problem).

Anyway, I still have the opinion that VLine Telecom should be permanently disconnected, but I also know that they now are aware of the situation and that the whole world is now (at least after this blog post) watching their behaviour and actions closely.

Last but not least I would like to thank GlobalNet Russia and RUNNet for all their efforts and their help to get the problem with VLine Telecom solved.

Follow me on Twitter: