The Register of Known Spam Operations
Russian Business Network


Country: Russian Federation
State:
Russian Business Network



Real Host Ltd. and Zeus botnet


http://www.thetechherald.com/article.php/200932/4195/ISP-linked-to-Zeus-botnet-shutdown-after-investigation
____________________________________________________________

ISP linked to Zeus botnet shutdown after investigation

by Steve Ragan - Aug 6 2009, 16:00

Real Host Ltd., a so-called bulletproof hosting provider, was shut down by Swedish telecommunications company TeliaSonera after an investigation confirmed connections to a host of Internet-based crimes, including hosting C&Cs linked to the Zeus botnet.

The Zeus botnet, linked to the infection of over three million computers in the U.S. alone, is the major threat hosted on the Real Host network. While Zeus is the core issue, research from HostExploit.com and Andrew Martin of Martin Security shows ties to dozens of crimes and hundreds of malicious domains. And all of this comes from three IP blocks hosted on the autonomous system (Internet Server) AS8206 Junik, in Riga, Latvia.

Once Real Host was exposed, Junik was told by its upstream provider TeliaSonera to kill Real Host's connections to the Web. Once the links were severed, Real Host joined McColo, Atrivo, and Pricewert as the latest ISP to be closed as a result of its direct link to cyber crime.

So what exactly was Real Host up to? The research from Martin Security and HostExploit offers an interesting look into the offerings of a rogue ISP, and the things its customers did with the services.

The first criminal enterprise is the control of the Zeus botnet. There were six C&C (Command and Control) servers on Real Host for Zeus. Real Host also played a role in money mule scams, Phishing, and one scam that paid criminals for embedding malicious Iframes on compromised Web sites. Moreover, Real Host is linked to the hosting of exploits, aimed at vulnerabilities on poorly patched systems.

"Google's Safe Browsing shows, for AS8206 Junik in the last 90 days: 12 sites providing malicious software for drive-by downloads, 102 sites acting as intermediaries for the infection of 11,810 other web sites. Finally it found 161 websites hosting malware that infected 20,681 other web sites," the investigation report outlined.

Various other items of note from the investigation into Real Host include the mass sale of stolen banking and financial information. One site offered a variety of services and information for sale, including PayPal accounts in the U.K. with confirmed balances. The cost to obtain one of these U.K. accounts was 10 percent of the hijacked PayPal account balance. Other criminal businesses included botnet rental, botnet loading and illegal pornographic content, as well as Warez (illegal software distribution) hosting.

The Real Host investigation also turned up evidence of some interesting links to the Russian Business Network (RBN). Many of the discovered linked domains were previously hosted by EstDomains, which was shut down in November of 2008 because of criminal connections -- proving that killing off one source of Web crime only leads to another promptly taking its place.

"Older entities which many had thought were dead and gone are here: Barwells Group, Newsky, Web-Alfa, and good old Botnet.Su," the report added.

"All of these were operational elements of RBN (Russian Business Network). So this may not be a reincarnation of the RBN, but these are clearly Russian organized cyber criminals, in the same vein and at least headed by someone from the old school of RBN."

While the RBN ties are circumstantial, the fact they exist at all only proves that the criminals are smarter than they're given credit for -- at least insofar as they took the losses and moved on to other services.

There is bound to be some relief now that Real Host has been shut down, but sadly this won't last long. The question is not if, but when, the criminals using Real Host will return.




http://www.computerweekly.com/Articles/2009/08/04/237165/zeus-botnets-real-host-cut-off-from-the-internet.htm
____________________________________________________________

Zeus botnet's Real Host cut off from the internet

Author: Warwick Ashford
Posted: 09:09 04 Aug 2009

Swedish telco Telia Sonera has shut down the internet connections of Latvian company Real Host after it was linked with the world's biggest cybercrime botnet.

Real Host has been compared to McColo and Atrivo, two hosting companies shut down by authorities because of links to large-scale cybercriminal activities.

Security researchers found that Real Host had rented a large range of internet addresses from a server provider in Riga called Junik and was linking to the internet through Telia.

The researchers found that Real Host's servers had captured around 3.6 million PCs for use in a botnet called Zeus.

Zeus has been linked to Rock Phish, a Russian-led gang blamed for half of the world's phishing attacks to steal credit card and banking information.

Some Real Host sites tried to infect visitors through only recently patched security holes in Adobe Flash, while others sold stolen banking data or recruited people to transfer money into accounts controlled by cybercriminals.





Related URLs
original articles:
1. http://www.thetechherald.com/article.php/200932/4195/ISP-linked-to-Zeus-botnet-shutdown-after-investigation
2. http://www.computerweekly.com/Articles/2009/08/04/237165/zeus-botnets-real-host-cut-off-from-the-internet.htm


The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK8825
© 1998-2010 The Spamhaus Project Ltd. All rights reserved.