A week ago I wrote a post about the well known rogue ISP Group Vertical (see “Source of badness: Group Vertical Ltd (AS49365)”) which was top ZeuS hosting ISP over several month.
Today I took a look at the ZeuS statistics on the ZeuS Tracker and I was really suprised:
As you can see on the statistic above the number of active ZeuS Command&Control servers (C&C) had a big decreas on the 26th october 2009. My first thought was that there maybe was a problem with the ZeuS Tracker script. But after I tooked a look at the top ZeuS hosting ISPs on the ZeuS Tracker, I saw that all ZeuS Command&Control servers in the subnet of Group Vertical (AS49365) are offline. Finally I took a look at the CIDR Report for AS49365 and I was happy to see that this rogue AS is no longer being announced in the global BGP table:
Name GR-VERTICAL-AS Group Vertical Ltd
This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS.
Prefixes added and withdrawn by this origin AS in the past 7 days.
– 22.214.171.124/24 Withdrawn
Source: CIDR report for AS49365
So I guess that the Russian upstream provider Fiord has cut off their peers to the rogue ISP Group Vertical on 26th october 2009. As e result of this, Group Vertical lost their internet connection and the number of active ZeuS Command&Control servers (C&C) dropped rapidly from 190 down to 148 world wide – That’s more than 40 ZeuS Command&Control server which are now no longer reachable from the internet!
McColo… Ural Industrial Company… Real Host… Group Vertical… Who’s next?