Source of badness: Group Vertical Ltd (AS49365)

I’ve been watching the growth of badness from AS49365, aka “Group Vertical Ltd” (GR-VERTICAL-AS), for the past couple of months. As you can see on robtex, the subnet owned by this AS is very small. It has a size of 256 IP addresses (

Brief information
Member of as-fiord
Number of originated prefixes: 1
Regions: 1
IP numbers: 256
Unique IP numbers: 256
Overlapping IP numbers: 0


If you Google AS49365, you will find only a very small number of reports concerning abuse coming from this AS. So normally I would think that there is nothing to worry about… but the fact is: AS49365 is currently the top ZeuS hosting ISP:

ZeuS command&control server hosted on AS49365

There are currently 32 malicious ZeuS Command&Control servers (C&C) in this AS tracked by ZeuS Tracker – 25 of them are currently active.

Let’s try to get some more information about this ISP:

aut-num: AS49365
descr: Group Vertical Ltd
import: from AS44146 action pref=100; accept {}
import: from AS12360 action pref=100; accept {}
export: to AS44146 announce AS49365
export: to AS12360 announce AS49365
admin-c: VN840-RIPE
tech-c: VN840-RIPE
notify: registry(at)
mnt-routes: VERTICAL-MNT
changed: hostmaster(at) 20090527
source: RIPE

Group Vertical Ltd has its upstream on JSC “TRC FIORD” (Fiord-AS), a Russian ISP located in Moscow, which is offering Internet connections, web-hosting and colocation services:

AS49365 upstream
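The neighbour relationships can be read directly from the import/export lines of the aut-num object quoted above. The following Python code is an added example, not part of the original post: it parses that record (contact lines omitted) and lists the ASNs that AS49365 exchanges routes with; the function names are my own.

```python
import re
from collections import defaultdict

# The aut-num object quoted on this page (contact lines omitted).
AUT_NUM = """\
aut-num: AS49365
descr: Group Vertical Ltd
import: from AS44146 action pref=100; accept {}
import: from AS12360 action pref=100; accept {}
export: to AS44146 announce AS49365
export: to AS12360 announce AS49365
mnt-routes: VERTICAL-MNT
source: RIPE
"""
PEER_RE = re.compile(r"^(?:from|to)\s+(AS\d+)\b", re.IGNORECASE)

def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values]}, joining continuation lines."""
    attrs, last = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop end-of-line comments
        if not line.strip():
            continue
        if raw[0] in " \t+" and last:             # RPSL continuation line
            attrs[last][-1] += " " + line.lstrip("+ \t")
            continue
        key, sep, value = line.partition(":")
        if sep:
            last = key.strip().lower()
            attrs[last].append(value.strip())
    return dict(attrs)

def neighbours(attrs):
    """Map each neighbour ASN to the policy directions it appears in."""
    peers = defaultdict(set)
    for direction in ("import", "export"):
        for policy in attrs.get(direction, []):
            m = PEER_RE.match(policy)
            if m:
                peers[m.group(1).upper()].add(direction)
    return dict(peers)

def announces_only_self(attrs):
    """True when every export line announces only the object's own ASN,
    i.e. the AS is an edge network that carries no transit for others."""
    own = attrs["aut-num"][0].upper()
    exports = attrs.get("export", [])
    return bool(exports) and all(
        p.upper().split("ANNOUNCE", 1)[-1].split() == [own] for p in exports)

if __name__ == "__main__":
    obj = parse_rpsl(AUT_NUM)
    print(neighbours(obj), announces_only_self(obj))
```

An AS that only announces itself to two neighbours depends entirely on those neighbours for reachability, which is why the upstream is the place where abuse reports carry weight.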

The subnet ( was allocated by Group Vertical on 2009-05-26.
But this AS wasn’t always rogue: Most of those ZeuS command&control servers started to show up in this AS between August 2009 and October 2009.

And now the million dollar question: Why did this AS start hosting so much garbage in August 2009?

The answer seems to be that the Latvian ISP JUNIK-RIGA-LV cut off its downstream connection to the well-known rogue ISP Real Host on August 3rd, which had hosted more than 20 ZeuS command&control servers. So the bad guys had to look for a new home for their crap – and found Group Vertical.
