Monthly Archive for March, 2010

And another Bulletproof Hoster goes Offline…

A friend over at MDL just informed me today that another bulletproof hoster called GR-VERTICAL-AS Group Vertical Ltd (AS49365) went offline this night. Back in October 2009 I wrote a blog post about this ISP (see Source of badness: Group Vertical Ltd (AS49365)) and described how bad this ISP is. A few days later, Group Vertical was disconnected from the internet. Unfortunately, the bad guys just managed to get online again.

Now it seems that this night their upstream provider VLineTelecom LLC Moscow (AS39150) just cut their peering with Group Vertical:

GR-VERTICAL-AS Group Vertical Ltd
NOT Announced

This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS.

Prefixes added and withdrawn by this origin AS in the past 7 days.
- 91.212.220.0/24 Withdrawn

As of yesterday, this ISP has hosted 20 ZeuS C&C servers in their subnet:

Due to the fact that Group Vertical is offline again, the number of active ZeuS C&C servers will just drop again today! But there is even more work left to do:

Let’s see how long these ISPs will stay online…

Massive Drop in Number of Active Zeus C&C Servers

I always check the ZeuS Tracker statistics to get some information about the trend of the active ZeuS Command&Control servers. This morning I was really surprised what I saw on the ZeuS Tracker statistic page:


Massive drop of active ZeuS C&C servers on 2010-03-09

As you can see in the chart above, on March 9th 2010, the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: there has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked ok. So the massive drop of ZeuS C&C servers is a fact. I noticed that six of the worst ZeuS hosting ISPs suddenly disappeared from the ZeuS Tracker.

I verified the subnets of the affected ISPs and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut from the internet on 2010-03-09. As a result, the following ISPs lost their internet connectivity, which finally resulted in a massive drop in the number of active ZeuS C&C servers:

AS number: AS50390
AS name: SMILA-AS Pavlenko Tetyana Oleksandrivna
Subnet: 193.105.0.0/24
Status: Withdrawn
# of ZeuS C&Cs: 17
Spamhaus SBL: Not listed

AS number: AS42229
AS name: MARIAM-AS PP Mariam
Subnet: 91.201.196.0/22
Status: Withdrawn
# of ZeuS C&Cs: 18
Spamhaus SBL: #SBL86729

AS number: AS49934
AS name: VVPN-AS PE Voronov Evgen Sergiyovich
Subnet: 193.104.41.0/24
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL82374

AS number: AS44107
AS name: PROMBUDDETAL-AS Prombuddetal LLCst
Subnet: 91.201.28.0/22
Status: Withdrawn
# of ZeuS C&Cs: 5
Spamhaus SBL: #SBL82408

AS number: AS50033
AS name: GROUP3-AS GROUP 3 LLC.
Subnet: 193.104.94.0/24
Status: Withdrawn
# of ZeuS C&Cs: 8
Spamhaus SBL: #SBL85667

AS number: AS12604
AS name: CITYGAME-AS Kamushnoy Vladimir Vasulyovich
Subnet: 193.104.27.0/24
Status: Withdrawn
# of ZeuS C&Cs: 12
Spamhaus SBL: #SBL81900

In total, 68 ZeuS C&C servers went down – it was the biggest drop in the number of ZeuS C&C servers I’ve ever seen! Some guys have done a great job :D
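To tell a routing-driven drop like this one apart from a tracker bug, a defender can match each tracked C&C address against the prefixes that disappeared from the global table and sum the hits per origin AS. The following Python is an added illustration, not the ZeuS Tracker's own code; the prefix table comes from the post above, while the C&C addresses are constructed samples.

```python
import ipaddress
from collections import Counter

# Prefixes reported as "Withdrawn" on 2010-03-09, keyed by origin AS (from the post).
WITHDRAWN_PREFIXES = {
    "AS50390": "193.105.0.0/24",
    "AS42229": "91.201.196.0/22",
    "AS49934": "193.104.41.0/24",
    "AS44107": "91.201.28.0/22",
    "AS50033": "193.104.94.0/24",
    "AS12604": "193.104.27.0/24",
}

# Constructed sample of tracker entries; these are NOT real C&C addresses.
SAMPLE_CC_HOSTS = [
    "193.105.0.17",
    "91.201.197.4",
    "193.104.41.66",
    "91.201.30.250",
    "193.104.94.9",
    "193.104.27.123",
    "193.104.27.200",
    "198.51.100.7",   # documentation range, outside every withdrawn prefix
]


def build_networks(prefix_table):
    """Parse the CIDR strings once so membership tests are cheap."""
    return {asn: ipaddress.ip_network(p) for asn, p in prefix_table.items()}


def origin_as_for(ip, networks):
    """Return the origin AS whose withdrawn prefix covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for asn, net in networks.items():
        if addr in net:
            return asn
    return None


def count_unreachable(cc_hosts, prefix_table):
    """Return (Counter of C&C hosts per withdrawn AS, hosts still routed)."""
    networks = build_networks(prefix_table)
    per_as, still_routed = Counter(), []
    for ip in cc_hosts:
        asn = origin_as_for(ip, networks)
        if asn is None:
            still_routed.append(ip)
        else:
            per_as[asn] += 1
    return per_as, still_routed
```

Feeding the tracker's real host list into `count_unreachable` should reproduce the per-AS figures listed above; any host that lands in `still_routed` is a C&C that survived the cut-off and deserves a closer look.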

*** UPDATE 21:03 (UTC) ***
Bad news – it seems that TROYAK-AS has found a new upstream provider to serve their malware to the world:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS44051 YA-AS Professional Communication Systems

Source: http://cidr-report.org/cgi-bin/as-report?as=AS50215

As you can see on Robtex, YA-AS has just one upstream provider called NASSIST-AS (AS29632). Let’s hope that this is just the last breath of TROYAK-AS and that NASSIST-AS will cut their peerings with YA-AS quickly.

*** STATUS 2010-03-11 07:15 (UTC) ***
I just took another look into the ZeuS Tracker statistics – the number of active ZeuS C&Cs is still falling! In total, I’ve counted 104 ZeuS C&C servers which are no longer reachable from the internet!


ZeuS Tracker statistics as of 2010-03-11

As mentioned in the last update from 21:03 UTC, Troyak just found a new upstream provider. This means: Troyak-AS has been reconnected to the internet since yesterday. Anyway, I just checked those ZeuS C&C servers which were routed by Troyak – all of them are still offline.

*** UPDATE 2010-03-11 11:50 (UTC) ***
It’s a very busy day – Troyak is trying hard to get back online. This morning they disappeared again from the global BGP routing table and are now being routed by RTCOMM-AS (AS8342 RTComm.RU), located in Russia:

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS8342 RTCOMM-AS RTComm.RU Autonomous System

*** UPDATE 2010-03-11 21:30 (UTC) ***
Bad news: Since Troyak started their peering with RTCOMM-AS, the number of active ZeuS C&C servers has increased from 149 up to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update the config files served to the infected clients to set up a fallback server (in case Troyak disappears from the internet again).

*** UPDATE 2010-03-12 11:10 (UTC) ***
Another update: Troyak has changed their upstream provider again and is now being routed by NLINE-AS (AS25189 – JSC Nline):

AS50215 TROYAK-AS Starchenko Roman Fedorovich

Upstream Adjacent AS list
AS25189 NLINE-AS JSC Nline
