Tag Archives: VolgaHost

2011 – A Bad Start For Cybercriminals: 14 Rogue ISPs Disconnected

Normally I blog about new threats and issues that are popping up in cyberspace, but today I have some good news for you.

On the evening of the 11th of January, a Russian-based ISP called Vline Telecom (AS39150) was de-peered from its upstream provider RUNNet.ru. As a result of the disconnect, 9 of the world’s worst bulletproof hosters went offline and the number of active ZeuS botnet Command&Control servers dropped from 61 to 41 on the 12th of January.

Additionally, in January 2011 I was informed about another takedown of a Ukrainian-based ISP called ONLINENET SPD Andreychuk Andrey Alekseevich (AS50722), which resulted in another 5 bulletproof hosters disappearing from the global routing table.

We can say that January 2011 was a very bad start for cybercriminals, as a total of 14 bulletproof hosters have been disconnected from the internet this month.

*** What happened? ***
It all started in March 2010 when I came across the first few ZeuS C&Cs in the network of VLine Telecom:

2010-03-24 15:22:33 | aervrfhu.ru | | VLTELECOM-AS VLineTelecom LLC
2010-03-26 07:46:49 | fooofle.ru | | VLTELECOM-AS VLineTelecom LLC
2010-03-26 11:55:20 | aervrfhu.ru | | VLTELECOM-AS VLineTelecom LLC
2010-03-27 11:10:31 | fooofle.ru | | VLTELECOM-AS VLineTelecom LLC
2010-03-27 14:32:45 | aervrfhu.ru | | VLTELECOM-AS VLineTelecom LLC
2010-03-31 06:54:58 | globaldeliveryinc.com | | VLTELECOM-AS VLineTelecom LLC
2010-04-12 08:20:42 | molniy347.com | | VLTELECOM-AS VLineTelecom LLC
2010-04-13 06:31:17 | winrar392.net | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:39:39 | napiwis54353.com | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:39:55 | translatespanish.ru | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:40:18 | wera2.co.tv | | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:40:43 | wera1.co.tv | | VLTELECOM-AS VLineTelecom LLC

In 2010, VLine Telecom hosted more than 140 ZeuS botnet Command&Control servers. Therefore they managed to get a position in the World’s Top 10 Bad Hosts:

Source: Host Exploit

However, this was just the tip of the iceberg: In June 2010 Vline Telecom started to route a few networks we later came to consider as the worst criminal networks in the world. At the end of 2010 ZeuS Tracker saw a lot of new Command&Control Servers (C&C) popping up in the networks that VLine Telecom provides IP transit for:

AS number: AS48984
AS name: VLAF-AS Vlaf Processing Ltd
Spamhaus SBL: SBL90627

AS number: AS20564
AS name: INFORMEX-MNT Informex, E-commerce Service Provider
Spamhaus SBL: SBL97792

AS number: AS31506
AS name: ASN-YS-IX Yuzhno-Sakhalinsk Internet eXchange
Spamhaus SBL: SBL98806

AS number: AS39858
AS name: UNINETMD-AS S.C. Uninet S.R.L
Spamhaus SBL: SBL90650

AS number: AS31682
AS name: DIOSOFT-AS DIOSoft Ltd.
Spamhaus SBL: SBL90652

AS number: AS31445
AS name: TTC-AS Naukanet (TopNET) UA Aggregation network Autonomous System
Spamhaus SBL: SBL92406

AS number: AS48280
AS name: IT-OUTSOURCE-AS LLC _Management, informational
Spamhaus SBL: SBL98806

AS number: AS43181
AS name: K2K-AS Contel 2000 Ltd.
Spamhaus SBL: SBL96584

AS number: AS31478
AS name: PMN-AS PROMIRANET multihomed network
Spamhaus SBL: SBL98807

As you can see in the list above, VLine Telecom not only hosted a lot of ZeuS C&C servers, they also provided internet access (IP transit) to a lot of different networks which are obviously controlled by cybercriminals.

However, at this time it was also clear that some movement in the situation was needed, so Spamhaus issued two SBLs on VLine Telecom’s upstream provider, GlobalNet Russia (see SBL98570 / SBL96680). As it turned out, this listing was one of the best things Spamhaus did in the last couple of weeks, because GlobalNet Russia started to face the problem once nearly every mail server in the world stopped accepting emails from GlobalNet and their customers.

Additionally, I reached out to GlobalNet on the 15th of December with an immediate de-peering request for VLine Telecom. GlobalNet declined to disconnect VLine Telecom, referring to Russian law and the contract that GlobalNet had with VLine Telecom. Fortunately, GlobalNet was very cooperative and my contact there agreed to null route the IP addresses where I had evidence that they actually were bad.

After my chat with GlobalNet the situation improved by the end of 2010. Unfortunately, VLine Telecom still didn’t care about any abuse that came from their networks or their IP transit customers. This resulted in new ZeuS C&C servers popping up there pretty quickly. I had to reach out again to GlobalNet on December 27 2010 with another request to de-peer VLine Telecom immediately.

GlobalNet (as the upstream provider) reached out to VLine Telecom with a request to solve these problems immediately. As a result of the pressure applied by GlobalNet, VLine Telecom disconnected the first bulletproof hoster from the internet:

AS number: AS31506
AS name: ASN-YS-IX Yuzhno-Sakhalinsk Internet eXchange
Status: NOT Announced
Spamhaus SBL: SBL98806

On January 5th, I was pretty surprised when VLine Telecom suddenly changed their routes and started to route all their traffic over RUNNet.ru, which is the Russian Federal University Network. I guess that VLine Telecom just had enough of GlobalNet null routing all IPs that I reported to them, so they obviously decided to switch to a different upstream provider. At the same time I received an email from VLine Telecom asking me to send any information concerning abuse in their network directly to them instead of to their upstream provider. As VLine contacted me, I decided to give them a chance, so I replied with a long email that contained a list of abuse issues from their networks (you can imagine that the list of current issues was huge). A few minutes later, I received a response from VLine Telecom where they told me that they had blocked the mentioned IP addresses. I was pretty surprised that they had taken action. But unfortunately I made one big mistake: I believed what VLine Telecom told me…

A few hours after the reply from VLine Telecom that they had banned the mentioned IP addresses, I noticed that the hosts were still reachable, but NOT from my IP address. I did some research and I found out that all of the associated networks were blocking traffic coming from ZeuS Tracker.

You can imagine that I got pretty angry about this, so I decided to reach out to RUNNet.ru with an immediate de-peering request for VLine Telecom. One hour later I got the following message from RUNNet.ru:

IP-transit VLineTelecom ( ^39150_ ) via RUNNet is stopped now.

A short traceroute from different locations just confirmed what RUNNet told me in their email: VLine Telecom was no longer being routed through RUNNet! After the disconnect, it took VLine Telecom just 4 minutes to tell RUNNet and me that they had disconnected all IP transit customers.

After some downtime for VLine Telecom (and of course all their customers), GlobalNet decided to start routing VLine Telecom through GlobalNet’s network again. As soon as they were up and running again, we checked that the aforementioned networks were no longer being routed by VLine Telecom.

*** Current status ***
As of January 22nd, VLine Telecom is routed through GlobalNet Russia and the 9 networks mentioned above are not being announced in the global routing table. It didn’t get so far as to get VLine Telecom permanently disconnected, but I think I made a pretty good arrangement with GlobalNet to monitor the situation of their downstreams for a while.

*** Further takedowns ***
On January 17th, I was informed about another takedown; this time it was an ISP called ONLINENET SPD Andreychuk Andrey Alekseevich (AS50722) which had been disconnected by its upstream provider called ISV4 (AS21379 – intersv.com). Because ONLINENET provided IP transit to another 5 bulletproof hosters, these also were forced offline in January 2011:

AS number: AS34229
AS name: VAKUSHAN-AS Anton Vakushin
Spamhaus SBL: SBL96354

AS number: AS29106
AS name: VOLGAHOST-AS PE Bondarenko Dmitriy Vladimirovich
Spamhaus SBL: SBL83028

AS number: AS51554
AS name: LYAHOV-AS Lyahovich Maksim
Spamhaus SBL: SBL97861

AS number: AS51354
AS name: VPNME-AS Igor Vladimirovich Kanaev
Spamhaus SBL: SBL97864

AS number: AS51303
AS name: GORBY-AS Alexandr Gorbunov
Spamhaus SBL: SBL97616

*** What we have learned from the VLine-case ***
While investigating the VLine-case I gained a lot of new experience. The first and most relevant lesson is: Not every Russian speaking guy is a cybercriminal 🙂

When I started my investigation at GlobalNet and RUNNet I was completely unsure whether I could trust them or not. Today I know that I can trust them and that they have done (and of course are still doing) a very good job to solve the issues within their responsibility.

With the knowledge that I gained in the VLine-case I’m now able to draw the following network map:

The second thing I learned is that there are often language problems. As you see in the chart above I (still) consider VLine as bad. However, I have to say that sometimes I had the feeling that they just didn’t know what they were doing (from a technical perspective) and that they didn’t understand what I wanted to tell them (language problem).

Anyway, I still have the opinion that VLine Telecom should be permanently disconnected, but I also know that they now are aware of the situation and that the whole world is now (at least after this blog post) watching their behaviour and actions closely.

Last but not least I would like to thank GlobalNet Russia and RUNNet for all their efforts and their help to get the problem with VLine Telecom solved.

Follow me on Twitter: twitter.com/abuse_ch

The Bozvanovna ZeuS Botnet

This week I’ve taken the opportunity to take a closer look at the current ZeuS campaigns. A few of them keep popping up again and again, so I’ve tried to get some more information about those botnets, their targets as well as the infrastructure that the cybercriminals are using.

In this first blog post I will talk about a ZeuS botnet which I call the “Bozvanovna Botnet”, which is being spread using drive-by exploits (hopefully I will find the time to blog about the other botnets that I’ve found too…).

First of all, let’s take a look at the botnet Command&Control infrastructure: The cybercriminals have registered a pretty large number of domains to serve ZeuS configs and binaries as well as to provide a dropzone for the infected clients (bots) to upload the stolen information. The reason for this is pretty simple: In most cases the domains that get listed on ZeuS Tracker will get nuked quickly. The cybercriminals then have to register new domains every time the old domains get suspended.

Below is a list of the domains that were associated with the Bozvanovna Botnet and that ZeuS Tracker came across:

Firstseen | Domain | Registrar | Registrant | A record | Status
2010-10-18 | 0luxdan.com | DIRECTI | Anton Petushkov | | Suspended
2010-10-30 | jankult.com | REGTIME | Andrey Aleksandrovich Polev | | Suspended
2010-10-29 | 3color3.com | REGTIME | Andrey Aleksandrovich Polev | | Suspended
2010-11-05 | file-system5.com | REGTIME | Anton Petushkov | | Suspended
2010-11-07 | razaasmss.com | REGTIME | SP3 LTD | | Suspended
2010-11-22 | olmsqq0.com | DIRECTI | Annamos Susdanil | | Suspended
2010-11-22 | xinetdstart.com | DIRECTI | Petr Klimov | | Suspended
2010-11-25 | vatnaya0.com | DIRECTI | SP3 LTD | | Suspended
2010-11-28 | losma00s.com | DIRECTI | SP3 LTD | | Suspended
2010-11-28 | goodysw.com | DIRECTI | Saoma LTD | | Suspended
2010-11-28 | shanhaiswerat.com | DIRECTI | Saoma LTD | | Suspended
2010-11-16 | oslolstal.com | REGTIME | Maksim A Roslyakov | | Inactive
2010-11-22 | thechno000.com | REGTIME | Maksim A Roslyakov | | Suspended
2010-11-22 | shawn00.com | REGTIME | Maksim A Roslyakov | | Suspended
2010-11-27 | tundraburb.com | DIRECTI | Saoma ltd | | Suspended
2010-11-28 | comeasuwewd.com | DIRECTI | SP3 LTD | | Suspended
2010-12-05 | lloqqqcss.com | REGTIME | Maksim A Roslyakov | | Suspended
2010-12-06 | eat0good.com | REGTIME | Max Pet | | Inactive
2010-12-08 | yakonohadersh.com | REGTIME | Evgeniy Jaakson | | Active
2010-12-08 | unagimakimoto.com | REGTIME | Evgeniy Jaakson | | Active
2010-12-10 | poweroffbutson.com | DIRECTI | PrivacyProtect.org | | Suspended
2010-12-10 | pilotsmradios.com | DIRECTI | PrivacyProtect.org | | Suspended
2010-12-13 | arteowerpot.com | DIRECTI | Alexander Fulop | | Suspended
2010-12-13 | sdartinagrest.com | DIRECTI | Alexander Fulop | | Suspended
2010-12-13 | destopinterfo.com | DIRECTI | Alexander Fulop | | Suspended
2010-12-13 | portityuwdef.com | DIRECTI | Alexander Fulop | | Suspended
2010-12-13 | plotetihnask.com | DIRECTI | Alexander Fulop | | Suspended
2010-12-13 | itroluikdired.com | DIRECTI | Alexander Fulop | | Suspended
2010-12-13 | cernelpanished.com | REGTIME | Aaltonen Alexander | | Active
2010-12-13 | openwdscript.com | REGTIME | Aaltonen Alexander | | Active
2010-12-13 | tilimilitram.com | DIRECTI | PrivacyProtect.org | | Suspended
2010-12-14 | polirtikolost.com | DIRECTI | Alexander Fulop | | Suspended
2010-12-16 | werlijokityp.com | DIRECTI | Alexander Fulop | | Suspended
2010-12-16 | jakudzahamato.com | REGTIME | Evgeniy Jaakson | | Active
2010-12-17 | enkwertiout.com | REGTIME | Aaltonen Alexander | | Active
2010-12-17 | lib32listends.com | REGTIME | Aaltonen Alexander | | Active
2010-12-17 | fjfhbhwerkbfger.com | REGTIME | Evgeniy Jaakson | | Active
2010-12-19 | werodtlejfcok.com | DIRECTI | PrivacyProtect.org | | Suspended

The first domain popped up on 2010-10-18, but it looks like the Bozvanovna gang has been operating at least since July 2010. Fortunately, it’s pretty easy to detect those domains that are associated with that specific botnet, because in most of the cases they are using the same URL scheme:

  • ZeuS Config file: 000XYYY.so
  • ZeuS Binary file: 000XYYY.exe
  • ZeuS Dropzone: i.php

Where X is an alphabetic letter (eg n or x) and Y a numeric character (eg 2 or 123).
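
One way to hunt for this URL scheme in web proxy logs, as an added example that is not code from the original post. It assumes "000" is literal, X is a single letter and YYY is one to three digits; the log layout, the example.test hosts and the client IPs are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed reading of the scheme: "000" literal, X = one letter, YYY = 1-3 digits.
ARTEFACTS = {
    "config": re.compile(r"000[a-z][0-9]{1,3}\.so", re.IGNORECASE),
    "binary": re.compile(r"000[a-z][0-9]{1,3}\.exe", re.IGNORECASE),
    "dropzone": re.compile(r"i\.php", re.IGNORECASE),
}

# Constructed proxy log, one request per line: <timestamp> <client> <method> <url>
SAMPLE_LOG = """\
2010-12-20T09:14:02 10.0.5.23 GET http://cnc.example.test/000x123.so
2010-12-20T09:14:05 10.0.5.23 POST http://cnc.example.test/i.php
2010-12-20T09:15:40 10.0.5.41 GET http://files.example.test/dl/000n2.exe
2010-12-20T09:16:11 10.0.5.77 POST http://forum.example.test/i.php
2010-12-20T09:17:30 10.0.5.77 GET http://cdn.example.test/lib/0001234.so
2010-12-20T09:18:02 10.0.5.90 GET http://mirror.example.test/000ab12.exe
malformed line
"""


def classify(url):
    """Return 'config', 'binary', 'dropzone' or None for the URL's file name."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    for kind, pattern in ARTEFACTS.items():
        if pattern.fullmatch(name):
            return kind
    return None


def find_suspects(log_text):
    """Map (client, host) to the sorted artefact kinds that client requested.

    Only pairs with a config or binary hit are returned: a file called i.php
    is far too common to alert on unless it appears next to the other names.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _timestamp, client, _method, url = fields
        kind = classify(url)
        host = urlsplit(url).hostname
        if kind and host:
            seen[(client, host)].add(kind)
    return {
        pair: sorted(kinds)
        for pair, kinds in seen.items()
        if kinds & {"config", "binary"}
    }


if __name__ == "__main__":
    for (client, host), kinds in find_suspects(SAMPLE_LOG).items():
        print(client, host, "+".join(kinds))
```

A client that fetched a config or binary and also contacted i.php on the same host is the strongest signal, since it matches the full download-then-upload pattern described above.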

Another point which pops up when we take a look at the list above is that most of the domains are hosted at a well known bulletproof hosting provider named VolgaHost, which is located in Russia:

AS number: AS29106
AS name: VolgaHost
ZeuS C&Cs: zeustracker.abuse.ch/monitor.php?as=29106
Spamhaus SBL: www.spamhaus.org/sbl/sbl.lasso?query=SBL83028
CIDR Report: www.cidr-report.org/cgi-bin/as-report?as=AS29106

According to CIDR Report, VolgaHost is being routed through AS39307 – DCOMM-UA-AS Digital Communications Ltd. Both ASs can be considered 100% malicious and should therefore not be routed. But let’s get back to the Bozvanovna botnet…

When I took a look at the ZeuS config files of the Bozvanovna botnet (they are using ZeuS version, I was really surprised when I saw how many financial institutions they are targeting. Below is a list of the targets of this ZeuS campaign which I’ve seen so far:

  • NatWest
  • HSBC
  • Nationwide
  • Lloyds TSB
  • Co-operative bank
  • Bank of Scotland
  • Yorkshire Bank
  • Halifax
  • Postbank
  • Sparkasse
  • Barclays
  • Commerzbank

Like most ZeuS campaigns, the Bozvanovna botnet is also using so-called Webinjects to phish credentials and steal money from the victim’s online bank account. The Bozvanovna botnet is using different Webinjects: some of them are implemented in the ZeuS config file and some of them are hosted on a server on the internet (to generate webinjects dynamically). In total I’ve seen two domains which are being used to implement the webinjects:

Domain | Registrar | Registrant | A record | AS number | AS name
bozvanovna.com | REGTIME | Lubov Bozvanovna | | AS23352 | Server Central Network
freetalkgamez.com | REGTIME | Aaltonen Alexander | | AS55720 | GIGABIT-MY

Both domain names are currently active and what is even more interesting: Both domain names are using HTTPS with a valid certificate. This is actually not that uncommon: A lot of the recent ZeuS campaigns I’ve seen are using valid SSL certificates to avoid browser warnings on the client side during the ebanking session.

Bozvanovna SSL certificate


The webinjects as well as the server side scripts are (as in most of the cases) pretty complex. What I’ve seen in the Bozvanovna ZeuS campaign is that they can switch the targets of their interest pretty easily by using some kind of switcher to turn the campaign targeting a specific bank on or off. Therefore they have defined a lot of webinjects in the ZeuS config file for a lot of different financial institutions. As soon as they want to activate a campaign, they just have to change the switcher on the webinject server to on (by using this switcher they don’t have to change the config file every time they want to change the targets of their campaign). Let’s take a look at a target in the ZeuS config file of Bozvanovna:

Webinject Bozvanovna

The Target URL defines the target of this Webinject. The cybercriminal can then define at which point of the online banking site they want to replace or insert code (data_before / data_after). In this example ZeuS will add a lot of HTML and JavaScript code (data_inject) after the head-tag. What is interesting in this example is that the victim’s browser will load additional code from bozvanovna.com using JavaScript. As already mentioned before, you see that they are using HTTPS to load that code from bozvanovna.com.

If we take a look at this URL referenced in the ZeuS config file, we will see the following content:

var current_state = "offline";

It looks like the cybercriminals have disabled the phishing campaign against this target, but they can change that pretty easily:

Bozvanovna Webinject Status

If we now take another look at the same URL again, we will see that there is now a lot of HTML code being served from bozvanovna.com and injected into the online banking session of the victim:

Activated Webinject

What we see in the code snippet above is that the phishing campaign against this target is now active. ZeuS will now phish the credentials for the online bank account and display the error message “We have problem with online service. Try again later, sorry for any inconvenience” to the victim.

We have seen that the webinjects are pretty complex. So we have to ask ourselves: Is this really going to work? I can tell you: yes it is! Below is a screenshot of a log which is generated by the webinject backend:

Bozvanovna Victims


The log file is huge and contains information about:

  • Timestamp
  • Victim’s IP address
  • Victim’s bank
  • User Agent (Browser)
  • Customer Number (Account number)
  • Memorable Data
  • Passnumber
  • Available amount of cash

You can also see that some of the victims are using Firefox. So you can even be targeted by such phishing attacks when you are using Firefox for your online banking sessions. Another interesting point in the logfiles is the timestamps: They attacked the Nationet Internet Banking from October 14th to October 21st. Afterwards it seems that they stopped the phishing campaign against this bank for some time by turning off the switcher (about which I have talked before). Since December 17th they have been targeting the bank again.

But there is one fact that scares me much more than anything else: I saw a couple of victims who had logged in to online banking accounts which are tagged as Business or Corporate online. When I did a whois on the victims’ IPs I saw that these IPs belong to corporate customers within Europe. In fact this means that the cybercriminals are also targeting business customers and therefore they have access to a lot of money (you can imagine that there is more money in a business bank account than in the bank account of a private customer).

If we look at the admin panel of the server which is hosting the webinjects, we see that the cybercriminals have already grabbed a lot of information about the bank accounts of their victims. Below is just a very small screenshot of the admin panel (called personal room) on bozvanovna.com:

Bozvanovna Admin Panel

The bank account which I’ve outlined in the screenshot above currently has a balance of 371’535.26 pounds. And now imagine: The entry table has 600 bank accounts listed! So there is a lot of money on those accounts….

Finally, let’s take a short look at the Bozvanovna botnet. Fortunately I had the chance to sinkhole a handful of domains which are associated with the Bozvanovna botnet and which are being used to control the botnet. Therefore I’m able to provide some information about the Bozvanovna botnet geo location:

Bozvanovna Botnet Geolocation

As shown in the pie chart above, most infected clients are located in Great Britain (GB) and Germany (DE). That’s not really surprising, because the financial institutions targeted by the Bozvanovna ZeuS campaign are mainly located in those countries.

*** Conclusion ***
While ZeuS and Spyeye obviously merged some months ago, we can see that ZeuS is still around (at least for now). The Bozvanovna ZeuS campaign is a good example of how sophisticated and complex the attacks on financial institutions are today.

If you want to mitigate the ZeuS threat in your network, I recommend you use one of the ZeuS Tracker blocklists:

