Tag Archive for 'GR-VERTICAL-AS'

Source of badness: Group Vertical Ltd (AS49365)

I’ve been watching the growth of badness from AS49365 aka “Group Vertical Ltd” (GR-VERTICAL-AS) for the past couple of months. As you can see on robtex, the subnet owned by this AS is very small: it has a size of 256 IP addresses (91.212.220.0/24):

Brief information
Member of as-fiord
Number of originated prefixes: 1
Regions: 1
IP numbers: 256
Unique IP numbers: 256
Overlapping IP numbers: 0

Source: www.robtex.com/as/as49365.html

If you Google AS49365, you will only find a very small number of reports concerning abuse coming from this AS. So normally I would think that there is nothing to worry about… but the fact is: AS49365 is currently the top ZeuS hosting ISP:

ZeuS command&control server hosted on AS49365
Source: zeustracker.abuse.ch/monitor.php?as=49365

There are currently 32 malicious ZeuS Command&Control servers (C&C) in this AS tracked by ZeuS Tracker – 25 of them are currently active.

Let’s try to get some more information about this ISP:

aut-num: AS49365
as-name: GR-VERTICAL-AS
descr: Group Vertical Ltd
org: ORG-GVL2-RIPE
import: from AS44146 action pref=100; accept {0.0.0.0/0}
import: from AS12360 action pref=100; accept {0.0.0.0/0}
export: to AS44146 announce AS49365
export: to AS12360 announce AS49365
admin-c: VN840-RIPE
tech-c: VN840-RIPE
notify: registry(at)citytelecom.ru
mnt-by: RIPE-NCC-END-MNT
mnt-by: HOSTER-RIPE-MNT
mnt-routes: VERTICAL-MNT
changed: hostmaster(at)ripe.net 20090527
source: RIPE
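The aut-num object above already tells a defender two useful things: the AS accepts a full table (accept {0.0.0.0/0}) from two transit providers, and it originates a single /24. The following is an added example (not part of the original post, and not code from abuse.ch or robtex) that parses an RPSL object like this one, pulls out the transit ASNs, and flags addresses from a constructed log sample that fall inside the AS’s only prefix; the sample IPs are made up for illustration.

```python
import ipaddress
import re

# Constructed, abridged copy of the RIPE aut-num object shown above.
AUT_NUM_OBJECT = """\
aut-num: AS49365
as-name: GR-VERTICAL-AS
descr: Group Vertical Ltd
org: ORG-GVL2-RIPE
import: from AS44146 action pref=100; accept {0.0.0.0/0}
import: from AS12360 action pref=100; accept {0.0.0.0/0}
export: to AS44146 announce AS49365
export: to AS12360 announce AS49365
mnt-by: RIPE-NCC-END-MNT
mnt-by: HOSTER-RIPE-MNT
mnt-routes: VERTICAL-MNT
source: RIPE
"""

BAD_PREFIX = "91.212.220.0/24"  # the only prefix originated by AS49365, per robtex


def parse_rpsl(text):
    """Parse an RPSL object into attribute -> list of values.
    Attributes such as import: and mnt-by: legitimately repeat, so
    every attribute maps to a list, in the order seen."""
    obj = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            continue  # skip blank lines and whois server comments
        key, _, value = line.partition(":")
        obj.setdefault(key.strip(), []).append(value.strip())
    return obj


def upstreams(obj):
    """ASNs from which this AS accepts a full table, i.e. its transit providers."""
    found = set()
    for imp in obj.get("import", []):
        m = re.match(r"from\s+(AS\d+)\b.*accept\s+\{0\.0\.0\.0/0\}", imp)
        if m:
            found.add(m.group(1))
    return found


def prefix_size(prefix):
    """Number of addresses covered by a prefix (a /24 is 256)."""
    return ipaddress.ip_network(prefix).num_addresses


def flag_addresses(addresses, prefixes):
    """Return the addresses that fall inside any of the given bad prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [a for a in addresses if any(ipaddress.ip_address(a) in n for n in nets)]
```

Run against a list of destination IPs taken from a proxy or firewall log, `flag_addresses` gives the hosts that talked to the AS49365 range; an address in 91.212.221.0/24 is correctly left out since only the /24 is announced.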

Group Vertical Ltd has its upstream at JSC “TRC FIORD” (Fiord-AS), a Russian ISP located in Moscow, which offers Internet connections, web hosting and colocation services:

AS49365 upstream
Source: www.robtex.com/as/as49365.html

The subnet (91.212.220.0/24) was allocated to Group Vertical on 2009-05-26.
But this AS wasn’t always rogue: most of those ZeuS command&control servers started to show up in this AS between August 2009 and October 2009.

And now the million dollar question: why did this AS suddenly start hosting so much garbage in August 2009?

The answer seems to be the fact that the Latvian ISP JUNIK-RIGA-LV cut off its downstream connection to the well-known rogue ISP Real Host on August 3rd, which had hosted more than 20 ZeuS command&control servers. So the bad guys had to look for a new home for their crap – and have found Group Vertical.
