Normally I blog about new threats and issues that are popping up in cyberspace, but today I have some good news for you.
On the evening of the 11th of January 2011, a Russian-based ISP called VLine Telecom (AS39150) was de-peered from its upstream provider RUNNet.ru. As a result of the disconnect, nine of the worst bulletproof hosters in the world went offline and the number of active ZeuS botnet Command&Control (C&C) servers dropped from 61 to 41 on the 12th of January.
Additionally, in January 2011 I was informed about another takedown, this time of a Ukrainian-based ISP called ONLINENET SPD Andreychuk Andrey Alekseevich (AS50722), which resulted in another five bulletproof hosters disappearing from the global routing table.
We can say that January 2011 was a very bad start to the year for cybercriminals, as a total of 14 bulletproof hosters were disconnected from the internet this month.
*** What happened? ***
It all started in March 2010 when I came across the first few ZeuS C&Cs in the network of VLine Telecom:
2010-03-26 07:46:49 | fooofle.ru | 184.108.40.206 | VLTELECOM-AS VLineTelecom LLC
2010-03-26 11:55:20 | aervrfhu.ru | 220.127.116.11 | VLTELECOM-AS VLineTelecom LLC
2010-03-27 11:10:31 | fooofle.ru | 18.104.22.168 | VLTELECOM-AS VLineTelecom LLC
2010-03-27 14:32:45 | aervrfhu.ru | 22.214.171.124 | VLTELECOM-AS VLineTelecom LLC
2010-03-31 06:54:58 | globaldeliveryinc.com | 126.96.36.199 | VLTELECOM-AS VLineTelecom LLC
2010-04-12 08:20:42 | molniy347.com | 188.8.131.52 | VLTELECOM-AS VLineTelecom LLC
2010-04-13 06:31:17 | winrar392.net | 184.108.40.206 | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:39:39 | napiwis54353.com | 220.127.116.11 | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:39:55 | translatespanish.ru | 18.104.22.168 | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:40:18 | wera2.co.tv | 22.214.171.124 | VLTELECOM-AS VLineTelecom LLC
2010-04-16 11:40:43 | wera1.co.tv | 126.96.36.199 | VLTELECOM-AS VLineTelecom LLC
However, this was just the tip of the iceberg: in June 2010 VLine Telecom started to route a few networks which we later came to consider the worst criminal networks in the world. At the end of 2010 ZeuS Tracker saw a lot of new C&C servers popping up in the networks that VLine Telecom provided IP transit for:
AS name: VLAF-AS Vlaf Processing Ltd
Spamhaus SBL: SBL90627
As you can see in the list above, VLine Telecom not only hosted a lot of ZeuS C&C servers itself, it also provided internet access (IP transit) to a number of different networks which were obviously controlled by cybercriminals.
However, by this time it was also clear that some movement in the situation was needed, so Spamhaus issued two SBL listings on VLine Telecom's upstream provider, GlobalNet Russia (see SBL98570 / SBL96680). As it turned out, this listing was one of the best things Spamhaus did in the last couple of weeks, because GlobalNet Russia started to face the problem that nearly every mail server in the world stopped accepting email from GlobalNet and its customers.
Additionally, on the 15th of December I reached out to GlobalNet with an immediate de-peering request for VLine Telecom. GlobalNet declined to disconnect VLine Telecom, referring to Russian law and the contract that GlobalNet had with VLine Telecom. Fortunately, GlobalNet was very cooperative and my contact there agreed to null-route the IP addresses for which I had evidence that they were actually bad.
After my chat with GlobalNet the situation improved towards the end of 2010. Unfortunately, VLine Telecom still didn't care about any abuse that came from their networks or their IP transit customers, which resulted in new ZeuS C&C servers popping up there pretty quickly. On December 27, 2010 I had to reach out to GlobalNet again with another request to de-peer VLine Telecom immediately.
GlobalNet (as the upstream provider) reached out to VLine Telecom with a request to solve these problems immediately. As a result of the pressure from GlobalNet, VLine Telecom disconnected the first bulletproof hoster from the internet:
AS name: ASN-YS-IX Yuzhno-Sakhalinsk Internet eXchange
Status: NOT Announced
Spamhaus SBL: SBL98806
On January 5th, I was pretty surprised when VLine Telecom suddenly changed their routes and started to route all their traffic over RUNNet.ru, which is the Russian Federal University Network. I guess that VLine Telecom had just had enough of GlobalNet null-routing every IP address I reported to them, so they obviously decided to switch to a different upstream provider. At the same time I received an email from VLine Telecom asking me to send any information concerning abuse in their network directly to them instead of to their upstream provider. Since VLine had contacted me, I decided to give them a chance, so I replied with a long email that contained a list of abuse issues from their networks (you can imagine that the list of current issues was huge). A few minutes later, I received a response from VLine Telecom in which they told me that they had blocked the mentioned IP addresses. I was pretty surprised that they had taken action. But unfortunately I made one big mistake: I believed what VLine Telecom told me…
A few hours after the reply from VLine Telecom that they had banned the mentioned IP addresses, I noticed that the hosts were still reachable, just NOT from my IP address. I did some research and found out that all of the associated networks were blocking traffic coming from ZeuS Tracker.
You can imagine that I got pretty angry about this, so I decided to reach out to RUNNet.ru with an immediate de-peering request for VLine Telecom. One hour later I got the following message from RUNNet.ru:
IP-transit VLineTelecom ( ^39150_ ) via RUNNet is stopped now.
A short traceroute from different locations confirmed what RUNNet had told me in their email: VLine Telecom was no longer being routed through RUNNet! After the disconnect, it took VLine Telecom just four minutes to tell RUNNet and me that they had disconnected all their IP transit customers.
After some downtime for VLine Telecom (and of course all their customers), GlobalNet decided to start routing VLine Telecom again through GlobalNet's network. As soon as they were up and running again, we checked that the aforementioned networks were no longer being routed by VLine Telecom.
*** Current status ***
As of January 22nd, VLine Telecom is routed through GlobalNet Russia and the nine networks mentioned above are not being announced in the global routing table. It didn't go so far as VLine Telecom being permanently disconnected, but I think I made a pretty good arrangement with GlobalNet to monitor the situation of their downstreams for a while.
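The statements above ("NOT Announced", "routed through GlobalNet", "no longer being routed by VLine Telecom") are all claims about the global routing table that can be checked rather than trusted. The following script is an added example written for this page; it is not code from abuse.ch or ZeuS Tracker. It assumes a RIB export in the text form "prefix|AS path" (collector side first, origin last, as in bgpdump -M output trimmed to those two columns, or a RIPE RIS / RouteViews looking-glass export), and for each ASN of interest reports whether it still originates any prefix, which ASes sit directly above it (its transit), and which sit directly below it (the networks it transits). AS-path prepending is collapsed and AS_SET tokens are ignored. The two sample tables are constructed: AS39150, AS21379, AS50722, AS29106 and AS51554 are the numbers named in this post, while 64496 to 64501 are documentation ASNs (RFC 5398) standing in for the upstreams and for hypothetical bulletproof downstreams, and the prefixes are RFC 5737 documentation space. Nothing in the sample reflects what the real routing table looked like.

```python
"""Check announcement status and transit relationships from a text RIB export.

Added example, not abuse.ch / ZeuS Tracker code.  Assumed input format:
one route per line, "prefix|AS path", AS path written collector-side first
and origin last.  Lines starting with '#' are comments.
"""

# Constructed sample data (NOT real routing tables).
# 64496 = route collector's peer, 64497 = upstream VLine used before the
# de-peering, 64498 = upstream it fell back to afterwards, 64500/64501 =
# hypothetical bulletproof downstreams.  All of these are RFC 5398
# documentation ASNs; the other ASNs are the ones named in the post.
RIB_BEFORE = """\
# VLine's own prefix, plus two downstream customers (one with prepending)
198.51.100.0/24|64496 64497 39150
192.0.2.0/25|64496 64497 39150 64500
192.0.2.128/25|64496 64497 39150 39150 39150 64501
# the ISV4 -> ONLINENET -> bulletproof-hoster chain
203.0.113.0/25|64496 21379 50722 29106
203.0.113.128/25|64496 21379 50722 50722 51554
"""

RIB_AFTER = """\
# VLine is back behind a different upstream, its downstreams are gone,
# and the ONLINENET chain has vanished entirely
198.51.100.0/24|64496 64498 39150
"""


def parse_rib(text):
    """Parse "prefix|AS path" lines into (prefix, [asn, ...]) tuples.

    Consecutive repeats (AS-path prepending) are collapsed so that
    adjacency checks see each hop once; AS_SET tokens like {1,2} are
    skipped because they carry no adjacency information.
    """
    rib = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, path = line.split("|", 1)
        asns = []
        for tok in path.split():
            if tok.startswith("{"):
                continue
            asn = int(tok)
            if asns and asns[-1] == asn:
                continue
            asns.append(asn)
        rib.append((prefix.strip(), asns))
    return rib


def announced_prefixes(rib, asn):
    """Prefixes originated (last AS in path) by the given ASN."""
    return {prefix for prefix, path in rib if path and path[-1] == asn}


def is_announced(rib, asn):
    """True if the ASN originates at least one prefix in this table."""
    return bool(announced_prefixes(rib, asn))


def upstreams(rib, asn):
    """ASes seen immediately before the ASN on any path: its transit providers."""
    return {path[i - 1] for _, path in rib
            for i in range(1, len(path)) if path[i] == asn}


def transit_customers(rib, asn):
    """ASes seen immediately after the ASN on any path: the networks it transits."""
    return {path[i + 1] for _, path in rib
            for i in range(len(path) - 1) if path[i] == asn}


def depeering_report(before, after, targets):
    """Per target ASN: announced before/after, and via which upstream(s)."""
    return {
        asn: {
            "announced_before": is_announced(before, asn),
            "announced_after": is_announced(after, asn),
            "upstreams_before": upstreams(before, asn),
            "upstreams_after": upstreams(after, asn),
        }
        for asn in targets
    }


def main():
    before, after = parse_rib(RIB_BEFORE), parse_rib(RIB_AFTER)
    print("AS39150 upstreams  before/after:",
          sorted(upstreams(before, 39150)), sorted(upstreams(after, 39150)))
    print("AS39150 customers  before/after:",
          sorted(transit_customers(before, 39150)), sorted(transit_customers(after, 39150)))
    for asn, r in depeering_report(before, after, [64500, 64501, 29106, 51554]).items():
        was = "announced" if r["announced_before"] else "absent"
        now = "Announced" if r["announced_after"] else "NOT Announced"
        print(f"AS{asn}: was {was} via {sorted(r['upstreams_before'])}, now {now}")


if __name__ == "__main__":
    main()
```

In practice the "before" table would be a RIB snapshot taken while the hoster was up and the "after" table one taken after the upstream claims to have de-peered it; comparing the two from a public collector rather than from your own vantage point also sidesteps the trick described earlier in this post, where the hosts were merely filtering traffic from ZeuS Tracker's address.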
*** Further takedowns ***
On January 17th, I was informed about another takedown; this time it was an ISP called ONLINENET SPD Andreychuk Andrey Alekseevich (AS50722) which had been disconnected by its upstream provider ISV4 (AS21379, intersv.com). Because ONLINENET provided IP transit to another five bulletproof hosters, these were also forced offline in January 2011:
AS name: VAKUSHAN-AS Anton Vakushin
Spamhaus SBL: SBL96354
AS number: AS29106
AS name: VOLGAHOST-AS PE Bondarenko Dmitriy Vladimirovich
Spamhaus SBL: SBL83028
AS number: AS51554
AS name: LYAHOV-AS Lyahovich Maksim
Spamhaus SBL: SBL97861
AS number: AS51354
AS name: VPNME-AS Igor Vladimirovich Kanaev
Spamhaus SBL: SBL97864
AS number: AS51303
AS name: GORBY-AS Alexandr Gorbunov
Spamhaus SBL: SBL97616
*** What we have learned from the VLine-case ***
While investigating the VLine case I gained a lot of new experience. The first and most relevant lesson is: not every Russian-speaking guy is a cybercriminal.
When I started my investigation with GlobalNet and RUNNet I was completely unsure whether I could trust them or not. Today I know that I can trust them and that they have done (and of course are still doing) a very good job of solving the issues within their responsibility.
With the knowledge that I gained in the VLine case I'm now able to draw the following network map:
The second thing I learned is that there are often language problems. As you can see in the chart above, I (still) consider VLine as bad. However, I have to say that sometimes I had the feeling that they just didn't know what they were doing (from a technical perspective) and that they didn't understand what I wanted to tell them (a language problem).
Anyway, I am still of the opinion that VLine Telecom should be permanently disconnected, but I also know that they are now aware of the situation and that the whole world is now (at least after this blog post) watching their behaviour and actions closely.
Follow me on Twitter: twitter.com/abuse_ch