Monthly Archives: October 2009

Well known ZeuS hosting ISP “Group Vertical” offline

A week ago I wrote a post about the well known rogue ISP Group Vertical (see “Source of badness: Group Vertical Ltd (AS49365)”), which was the top ZeuS hosting ISP for several months.

Today I took a look at the ZeuS statistics on the ZeuS Tracker and I was really surprised:

Number of ZeuS hosts after cut off AS49365

As you can see in the statistic above, the number of active ZeuS Command&Control servers (C&C) showed a big decrease on 26th October 2009. My first thought was that there might be a problem with the ZeuS Tracker script. But after I took a look at the top ZeuS hosting ISPs on the ZeuS Tracker, I saw that all ZeuS Command&Control servers in the subnet of Group Vertical (AS49365) are offline. Finally I took a look at the CIDR Report for AS49365 and was happy to see that this rogue AS is no longer being announced in the global BGP table:

Report for AS49365
Name GR-VERTICAL-AS Group Vertical Ltd

NOT Announced

This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS.
Prefixes added and withdrawn by this origin AS in the past 7 days.

– Withdrawn

Source: CIDR report for AS49365

So I guess that the Russian upstream provider Fiord cut off its peering with the rogue ISP Group Vertical on 26th October 2009. As a result, Group Vertical lost its internet connection and the number of active ZeuS Command&Control servers (C&C) dropped rapidly from 190 down to 148 worldwide. That’s more than 40 ZeuS Command&Control servers which are now no longer reachable from the internet!
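As an added example (not part of the original post and not ZeuS Tracker code), the following Python snippet reproduces the cross-check described above: it groups tracked C&C servers per AS and flags those whose addresses no longer match any announced prefix, so a sudden drop in the active count can be attributed to a route withdrawal rather than to a tracker problem. The tracker records, the routing snapshot and every ASN except 49365 are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample tracker export: (C&C IP, AS the tracker recorded, tracker status).
# All IPs are documentation ranges; ASNs other than 49365 are documentation ASNs.
CC_RECORDS = [
    ("198.51.100.10", 49365, "inactive"),
    ("198.51.100.77", 49365, "inactive"),
    ("198.51.100.200", 49365, "inactive"),
    ("203.0.113.5", 64496, "active"),
    ("203.0.113.9", 64496, "inactive"),   # down, but its prefix is still routed
    ("192.0.2.33", 64498, "active"),
    ("192.0.2.200", 64497, "active"),
]

# Constructed snapshot of announced prefixes (prefix -> origin AS), as one would derive
# from a CIDR report. 198.51.100.0/24 is deliberately absent: "NOT Announced".
ANNOUNCED = {
    "203.0.113.0/24": 64496,
    "192.0.2.0/24": 64497,
    "192.0.2.0/25": 64498,   # more specific announcement wins on longest-prefix match
}

def origin_as_for(ip, table=ANNOUNCED):
    """Longest-prefix match of ip against the announced prefixes; None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def cc_per_as(records=CC_RECORDS, table=ANNOUNCED):
    """Per AS: tracked C&Cs, how many the tracker still sees active, how many have no route."""
    stats = defaultdict(lambda: {"tracked": 0, "active": 0, "unrouted": 0})
    for ip, asn, status in records:
        stats[asn]["tracked"] += 1
        if status == "active":
            stats[asn]["active"] += 1
        if origin_as_for(ip, table) is None:
            stats[asn]["unrouted"] += 1
    return dict(stats)

def withdrawn_ases(records=CC_RECORDS, table=ANNOUNCED):
    """ASes whose tracked C&Cs are all unrouted: the drop there is explained by a
    route withdrawal, not by individual takedowns or a tracker fault."""
    return sorted(asn for asn, s in cc_per_as(records, table).items()
                  if s["unrouted"] == s["tracked"])
```

Running the same check against a real tracker export and a current routing snapshot separates "the AS was cut off" from "single servers went down" in one pass.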

McColo… Ural Industrial Company… Real Host… Group Vertical… Who’s next? 😛

Source of badness: Group Vertical Ltd (AS49365)

I’ve been watching the growth of badness from AS49365 aka “Group Vertical Ltd” (GR-VERTICAL-AS) for the past couple of months. As you can see on robtex, the subnet owned by this AS is very small. It has a size of 256 IP addresses (

Brief information
Member of as-fiord
Number of originated prefixes: 1
Regions: 1
IP numbers: 256
Unique IP numbers: 256
Overlapping IP numbers: 0


If you Google AS49365, you will only find a very small number of reports concerning abuse coming from this AS. So normally I would think that there is nothing to worry about… but the fact is: AS49365 is currently the top ZeuS hosting ISP:

ZeuS command&control server hosted on AS49365

There are currently 32 malicious ZeuS Command&Control servers (C&C) in this AS tracked by ZeuS Tracker – 25 of them are currently active.

Let’s try to get some more information about this ISP:

aut-num: AS49365
descr: Group Vertical Ltd
import: from AS44146 action pref=100; accept {}
import: from AS12360 action pref=100; accept {}
export: to AS44146 announce AS49365
export: to AS12360 announce AS49365
admin-c: VN840-RIPE
tech-c: VN840-RIPE
notify: registry(at)
mnt-routes: VERTICAL-MNT
changed: hostmaster(at) 20090527
source: RIPE

Group Vertical Ltd has its upstream at JSC “TRC FIORD” (Fiord-AS), a Russian ISP located in Moscow, which offers Internet connections, web hosting and colocation services:

AS49365 upstream

The subnet ( was allocated to Group Vertical on 2009-05-26.
But this AS wasn’t always rogue: most of those ZeuS command&control servers started to show up in this AS between August 2009 and October 2009.

And now the million dollar question: Why did this AS start hosting so much garbage in August 2009?

The answer seems to be the fact that the Latvian ISP JUNIK-RIGA-LV cut off its downstream connection to the well known rogue ISP Real Host on August 3rd, which had hosted more than 20 ZeuS command&control servers. So the bad guys had to look for a new home for their crap – and found Group Vertical.