Rogue Latvian ISP is Now Offline
Very recently, the Swedish upstream provider TeliaSonera threatened to cut off its direct connection to Junik (AS8206, JUNIK-RIGA-LV JUNIKNET) if Junik.lv did not disconnect its own downstream, Real Host, because of Real Host's reputation as a rogue host (hosting ZeuS botnets). By Monday, August 3rd, 2009, Real Host had lost its connectivity. Jart Armin of HostExploit recently tweeted about the shutdown. At the time of this post, there was only one active SBL on Spamhaus (SBL75831), a /24 blocklisting for Junik.lv from May 2009 covering 213.182.197.0/24, which was due to phish and malware domain hosting. According to Jart Armin, this Latvian-based host was distributing the zero-day Flash/PDF exploit.
Very recent detailed research on Real Host by HostExploit can be found here. Google Safebrowsing also detected lots of malware on AS8206. At the time of this post, MalwareURL website also listed even more known malware domains on Junik.lv.
If you check the Google cache of ZeuS Tracker, dated July 29th, 2009, you can find several domains listed:
| Host | A record | Status | Files online | SBL | Level | Date added (UTC) | Last checked (UTC) | Last updated (UTC) |
|---|---|---|---|---|---|---|---|---|
| botnet.su | 213.182.197.251 | online | 0 | SBL75831 | 4 | 2009-03-12 17:42:57 | 2009-07-29 04:32:34 | 2009-07-06 17:41:41 |
| hack-off.ru | 213.182.197.20 | online | 2 | SBL75831 | 4 | 2009-03-20 19:19:45 | 2009-07-29 02:17:05 | 2009-07-23 16:48:53 |
| welcomeone.cn | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-03-19 07:01:02 | 2009-07-29 02:18:31 | 2009-07-23 16:50:23 |
| go5reborn.cn | 213.182.197.227 | online | 1 | SBL75831 | 4 | 2009-03-25 17:27:08 | 2009-07-29 01:46:00 | 2009-07-11 10:47:00 |
| index683.com | 213.182.197.13 | online | 0 | SBL75831 | 4 | 2009-07-15 08:22:03 | 2009-07-28 15:14:01 | 2009-07-24 20:48:33 |
| chlenopopik.com | 213.182.197.228 | online | 0 | SBL75831 | 4 | 2009-06-26 20:37:09 | 2009-07-28 18:34:27 | 2009-07-24 23:41:39 |
| 213.182.197.236 | 213.182.197.236 | online | 0 | SBL75831 | 4 | 2009-06-26 21:11:35 | 2009-07-28 17:46:53 | 2009-07-24 22:51:44 |
| 213.182.197.229 | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-06-26 21:12:56 | 2009-07-28 17:39:10 | 2009-07-24 22:44:01 |
| mywebtraffic.cn | 213.182.197.35 | online | 0 | SBL75831 | 4 | 2009-06-27 20:03:37 | 2009-07-28 17:30:02 | 2009-07-24 22:35:56 |
| megapain.info | 213.182.197.37 | online | 0 | SBL75831 | 4 | 2009-06-27 20:47:01 | 2009-07-28 17:20:58 | 2009-07-24 22:29:42 |
| agrautoparts.cn | 213.182.205.36 | online | 0 | Not listed | 4 | 2009-07-03 08:11:24 | 2009-07-28 16:15:22 | 2009-07-24 21:36:37 |
| barmatuxa.net | 213.182.197.37 | online | 1 | SBL75831 | 4 | 2009-07-03 07:50:07 | 2009-07-28 16:42:32 | 2009-07-24 22:00:56 |
| google-bot004.cn | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-07-03 07:58:02 | 2009-07-28 16:34:48 | 2009-07-24 21:55:14 |
| gnk-msk2.com | | offline | 0 | Not listed | 4 | 2009-07-03 08:03:26 | 2009-07-28 16:33:33 | 2009-07-24 21:54:10 |
| ukropin.com | | offline | 0 | SBL75831 | 4 | 2009-06-29 14:10:19 | 2009-07-28 17:20:10 | 2009-07-28 17:20:16 |
| rain-man.cn | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-06-29 14:26:04 | 2009-07-28 17:15:05 | 2009-07-24 22:27:00 |
| viphack.ru | 213.182.197.11 | online | 3 | SBL75831 | 4 | 2009-07-03 07:30:26 | 2009-07-28 16:43:03 | 2009-07-27 08:33:29 |
| businesscoorptru.cn | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-07-13 14:19:31 | 2009-07-28 15:32:13 | 2009-07-24 21:02:51 |
| monozoro.net | 213.182.197.37 | online | 0 | SBL75831 | 4 | 2009-07-16 11:17:32 | 2009-07-28 15:10:56 | 2009-07-24 20:48:15 |
| winsofter.ru | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-07-20 17:43:29 | 2009-07-28 14:47:14 | 2009-07-24 20:22:39 |
| smallteam.cn | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-07-24 18:48:20 | 2009-07-28 14:22:15 | |
| somer.ws | 213.182.197.238 | online | 0 | SBL75831 | 4 | 2009-07-24 18:51:59 | 2009-07-28 14:11:22 | 2009-07-27 06:22:45 |
| infoket.info | 213.182.197.37 | online | 0 | SBL75831 | 4 | 2009-07-24 19:13:14 | 2009-07-28 14:00:47 | |
| xepace.cn | 213.182.197.11 | online | 0 | SBL75831 | 4 | 2009-07-26 10:35:09 | 2009-07-28 13:55:02 | |
Most of that recent evidence on ZeuS Tracker mirrors the only SBL listing. It is believed that this rogue host was part of, or a variant of, the Russian Business Network. It is curious to note that the rogue domain botnet.su listed above was using the outdated Soviet Union TLD (.su). Over a year ago there was a rash of phishing domains on fast-flux DNS using the .su extension.
Earlier in the week, some spam investigators had noticed a drop in spam volumes. A few even wondered openly whether a rogue ISP had been taken down. It is now known that Real Host was disabled by its direct connection, junik.lv. According to this insightful blog, Real Host had only 256 IPs: 213.182.197.0/24.
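The post's claim that the ZeuS Tracker evidence "mirrors" the single SBL listing, and that Real Host consisted of just the 256 addresses in 213.182.197.0/24, can be checked mechanically. The following Python script is an added example, not code from the original post or from ZeuS Tracker or Spamhaus: it takes the host, A record and SBL columns of the table above, tests each A record against the blocklisted /24 with the standard library's `ipaddress` module, counts how many tracker hosts share one address, and flags any row whose SBL column disagrees with the netblock lookup. The `is_in_sbl_block` helper is the same check in a form that can be applied to resolved addresses from a DNS or proxy log. The function names and the pipe-separated input format are this example's own choices.

```python
import ipaddress
from collections import Counter

# Spamhaus listing quoted in the post: SBL75831 covers this /24, which the
# post says was Real Host's entire address space (256 IPs).
SBL_NETBLOCK = ipaddress.ip_network("213.182.197.0/24")

# Host, A record and SBL columns copied from the ZeuS Tracker table in the post.
# The two hosts that were already offline had no A record in the cached table.
ZEUS_TRACKER_ROWS = """
botnet.su|213.182.197.251|SBL75831
hack-off.ru|213.182.197.20|SBL75831
welcomeone.cn|213.182.197.229|SBL75831
go5reborn.cn|213.182.197.227|SBL75831
index683.com|213.182.197.13|SBL75831
chlenopopik.com|213.182.197.228|SBL75831
213.182.197.236|213.182.197.236|SBL75831
213.182.197.229|213.182.197.229|SBL75831
mywebtraffic.cn|213.182.197.35|SBL75831
megapain.info|213.182.197.37|SBL75831
agrautoparts.cn|213.182.205.36|Not listed
barmatuxa.net|213.182.197.37|SBL75831
google-bot004.cn|213.182.197.229|SBL75831
gnk-msk2.com||Not listed
ukropin.com||SBL75831
rain-man.cn|213.182.197.229|SBL75831
viphack.ru|213.182.197.11|SBL75831
businesscoorptru.cn|213.182.197.229|SBL75831
monozoro.net|213.182.197.37|SBL75831
winsofter.ru|213.182.197.229|SBL75831
smallteam.cn|213.182.197.229|SBL75831
somer.ws|213.182.197.238|SBL75831
infoket.info|213.182.197.37|SBL75831
xepace.cn|213.182.197.11|SBL75831
"""


def parse_rows(text):
    """Turn the pipe-separated rows into dicts; a missing A record becomes ip=None."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, a_record, sbl = (field.strip() for field in line.split("|"))
        try:
            ip = ipaddress.ip_address(a_record)
        except ValueError:
            ip = None  # offline host with no A record in the feed
        entries.append({"host": host, "ip": ip, "sbl": sbl})
    return entries


def correlate(entries, netblock=SBL_NETBLOCK):
    """Split feed entries by whether their A record falls inside the blocklisted /24."""
    resolved = [e for e in entries if e["ip"] is not None]
    in_block = [e["host"] for e in resolved if e["ip"] in netblock]
    outside = [e["host"] for e in resolved if e["ip"] not in netblock]
    no_ip = [e["host"] for e in entries if e["ip"] is None]
    # How many tracker hosts share one address inside the netblock: a crude
    # measure of how densely the C&C domains were packed onto single IPs.
    per_ip = Counter(str(e["ip"]) for e in resolved if e["ip"] in netblock)
    # Rows whose SBL column disagrees with the netblock lookup (none expected
    # if the tracker data really mirrors the listing).
    mismatched = [e["host"] for e in resolved
                  if (e["ip"] in netblock) != (e["sbl"] == "SBL75831")]
    return {"in_block": in_block, "outside": outside, "no_ip": no_ip,
            "per_ip": per_ip, "sbl_mismatch": mismatched}


def is_in_sbl_block(address, netblock=SBL_NETBLOCK):
    """True if a resolved address belongs to the blocklisted /24; usable as a log filter."""
    return ipaddress.ip_address(address) in netblock


if __name__ == "__main__":
    report = correlate(parse_rows(ZEUS_TRACKER_ROWS))
    print(f"{len(report['in_block'])} tracker hosts inside {SBL_NETBLOCK}")
    print("outside the block:", report["outside"])
    print("no A record:", report["no_ip"])
    print("SBL column disagrees with netblock:", report["sbl_mismatch"])
    for ip, n in report["per_ip"].most_common(3):
        print(f"{ip}: {n} tracker hosts")
```

Run as-is, the script shows that 21 of the 24 tracker rows resolve inside the SBL /24, the only resolved host outside it (agrautoparts.cn, on 213.182.205.36) is exactly the one the tracker shows as "Not listed", and 213.182.197.229 alone carried seven of the tracked domains. The same `is_in_sbl_block` check, fed with addresses from outbound connection logs, is how a defender would have found internal machines still talking to Real Host before the upstream disconnection took effect.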
Further Reading (select blogs and news sources):
Reference: Cybercrime Hotspot: Real Host Ltd. by Jart Armin
Reference: Real Host, Latvia – RBN Resurgence or Clone by Andrew Martin
Reference: After Links to Cybercrime, Latvian ISP Is Cut off – PC World
Reference: Swedish telco disconnects fraud hub – Financial Times