Rogue Latvian ISP is Now Offline

05Aug09

Very recently, the Swedish upstream provider TeliaSonera threatened to cut off its direct connection to Junik (AS8206, JUNIK-RIGA-LV JUNIKNET) if Junik.lv did not cut off its own downstream, Real Host, because of its reputation for being rogue (hosting Zeus botnets). By Monday, August 3rd, 2009, Real Host had lost its connectivity. Jart Armin of HostExploit recently tweeted about the shutdown. At the time of this post, there was only one active SBL on Spamhaus for Junik.lv (SBL75831), a /24 blocklisting from May 2009 covering 213.182.197.0/24, which was due to phish and malware domain hosting. According to Jart Armin, this Latvian-based host was distributing the zero-day Flash/PDF exploit.

Very recent detailed research on Real Host by HostExploit can be found here. Google Safe Browsing also detected a lot of malware on AS8206. At the time of this post, the MalwareURL website listed even more known malware domains on Junik.lv.

If you check the Google cache of ZeuS Tracker, dated July 29th, 2009, you can find several domains listed:

| Host | A record | Status | Files online | SBL | Level | Date added (UTC) | Last checked (UTC) | Last updated (UTC) |
|---|---|---|---|---|---|---|---|---|
| botnet.su | 213.182.197.251 | online | 0 | SBL75831 | 4 | 2009-03-12 17:42:57 | 2009-07-29 04:32:34 | 2009-07-06 17:41:41 |
| hack-off.ru | 213.182.197.20 | online | 2 | SBL75831 | 4 | 2009-03-20 19:19:45 | 2009-07-29 02:17:05 | 2009-07-23 16:48:53 |
| welcomeone.cn | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-03-19 07:01:02 | 2009-07-29 02:18:31 | 2009-07-23 16:50:23 |
| go5reborn.cn | 213.182.197.227 | online | 1 | SBL75831 | 4 | 2009-03-25 17:27:08 | 2009-07-29 01:46:00 | 2009-07-11 10:47:00 |
| index683.com | 213.182.197.13 | online | 0 | SBL75831 | 4 | 2009-07-15 08:22:03 | 2009-07-28 15:14:01 | 2009-07-24 20:48:33 |
| chlenopopik.com | 213.182.197.228 | online | 0 | SBL75831 | 4 | 2009-06-26 20:37:09 | 2009-07-28 18:34:27 | 2009-07-24 23:41:39 |
| 213.182.197.236 | 213.182.197.236 | online | 0 | SBL75831 | 4 | 2009-06-26 21:11:35 | 2009-07-28 17:46:53 | 2009-07-24 22:51:44 |
| 213.182.197.229 | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-06-26 21:12:56 | 2009-07-28 17:39:10 | 2009-07-24 22:44:01 |
| mywebtraffic.cn | 213.182.197.35 | online | 0 | SBL75831 | 4 | 2009-06-27 20:03:37 | 2009-07-28 17:30:02 | 2009-07-24 22:35:56 |
| megapain.info | 213.182.197.37 | online | 0 | SBL75831 | 4 | 2009-06-27 20:47:01 | 2009-07-28 17:20:58 | 2009-07-24 22:29:42 |
| agrautoparts.cn | 213.182.205.36 | online | 0 | Not listed | 4 | 2009-07-03 08:11:24 | 2009-07-28 16:15:22 | 2009-07-24 21:36:37 |
| barmatuxa.net | 213.182.197.37 | online | 1 | SBL75831 | 4 | 2009-07-03 07:50:07 | 2009-07-28 16:42:32 | 2009-07-24 22:00:56 |
| google-bot004.cn | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-07-03 07:58:02 | 2009-07-28 16:34:48 | 2009-07-24 21:55:14 |
| gnk-msk2.com | | offline | 0 | Not listed | 4 | 2009-07-03 08:03:26 | 2009-07-28 16:33:33 | 2009-07-24 21:54:10 |
| ukropin.com | | offline | 0 | SBL75831 | 4 | 2009-06-29 14:10:19 | 2009-07-28 17:20:10 | 2009-07-28 17:20:16 |
| rain-man.cn | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-06-29 14:26:04 | 2009-07-28 17:15:05 | 2009-07-24 22:27:00 |
| viphack.ru | 213.182.197.11 | online | 3 | SBL75831 | 4 | 2009-07-03 07:30:26 | 2009-07-28 16:43:03 | 2009-07-27 08:33:29 |
| businesscoorptru.cn | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-07-13 14:19:31 | 2009-07-28 15:32:13 | 2009-07-24 21:02:51 |
| monozoro.net | 213.182.197.37 | online | 0 | SBL75831 | 4 | 2009-07-16 11:17:32 | 2009-07-28 15:10:56 | 2009-07-24 20:48:15 |
| winsofter.ru | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-07-20 17:43:29 | 2009-07-28 14:47:14 | 2009-07-24 20:22:39 |
| smallteam.cn | 213.182.197.229 | online | 0 | SBL75831 | 4 | 2009-07-24 18:48:20 | 2009-07-28 14:22:15 | |
| somer.ws | 213.182.197.238 | online | 0 | SBL75831 | 4 | 2009-07-24 18:51:59 | 2009-07-28 14:11:22 | 2009-07-27 06:22:45 |
| infoket.info | 213.182.197.37 | online | 0 | SBL75831 | 4 | 2009-07-24 19:13:14 | 2009-07-28 14:00:47 | |
| xepace.cn | 213.182.197.11 | online | 0 | SBL75831 | 4 | 2009-07-26 10:35:09 | 2009-07-28 13:55:02 | |

Most of that recent evidence on ZeuS Tracker mirrors the only SBL listing. It is believed that this rogue host was part of, or a variant of, the Russian Business Network. It is curious to note that the botnet.su rogue domain listed above was using the outdated Soviet Union TLD (.su). Over a year ago there was a rash of phishing domains on fast-flux DNS using the .su extension.

Earlier in the week, some spam investigators had noticed a drop in spam volumes. A few even wondered openly whether a rogue ISP had been taken down. It is now known that Real Host was disabled by its direct connection, Junik.lv. According to this insightful blog, Real Host had only 256 IPs: 213.182.197.0/24.
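The ZeuS Tracker excerpt above is a whitespace-flattened export with no fixed column count: offline hosts have no A record, "Not listed" spans two tokens, and the last-updated timestamp is sometimes absent. The following is an added example (not code from the original post, ZeuS Tracker, or Spamhaus) that parses those rows, then answers the two questions a defender would ask of them: which tracked hosts resolve inside the SBL75831 /24 named in the post, and which are not covered by any SBL listing and so need a local block rule. The embedded rows are copied from the table in the post; the function and class names are this example's own.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Rows copied from the ZeuS Tracker excerpt quoted in the post (Google cache, 2009-07-29).
ZEUS_TRACKER_TEXT = """\
botnet.su 213.182.197.251 online 0 SBL75831 4 2009-03-12 17:42:57 2009-07-29 04:32:34 2009-07-06 17:41:41
hack-off.ru 213.182.197.20 online 2 SBL75831 4 2009-03-20 19:19:45 2009-07-29 02:17:05 2009-07-23 16:48:53
welcomeone.cn 213.182.197.229 online 0 SBL75831 4 2009-03-19 07:01:02 2009-07-29 02:18:31 2009-07-23 16:50:23
go5reborn.cn 213.182.197.227 online 1 SBL75831 4 2009-03-25 17:27:08 2009-07-29 01:46:00 2009-07-11 10:47:00
index683.com 213.182.197.13 online 0 SBL75831 4 2009-07-15 08:22:03 2009-07-28 15:14:01 2009-07-24 20:48:33
chlenopopik.com 213.182.197.228 online 0 SBL75831 4 2009-06-26 20:37:09 2009-07-28 18:34:27 2009-07-24 23:41:39
213.182.197.236 213.182.197.236 online 0 SBL75831 4 2009-06-26 21:11:35 2009-07-28 17:46:53 2009-07-24 22:51:44
213.182.197.229 213.182.197.229 online 0 SBL75831 4 2009-06-26 21:12:56 2009-07-28 17:39:10 2009-07-24 22:44:01
mywebtraffic.cn 213.182.197.35 online 0 SBL75831 4 2009-06-27 20:03:37 2009-07-28 17:30:02 2009-07-24 22:35:56
megapain.info 213.182.197.37 online 0 SBL75831 4 2009-06-27 20:47:01 2009-07-28 17:20:58 2009-07-24 22:29:42
agrautoparts.cn 213.182.205.36 online 0 Not listed 4 2009-07-03 08:11:24 2009-07-28 16:15:22 2009-07-24 21:36:37
barmatuxa.net 213.182.197.37 online 1 SBL75831 4 2009-07-03 07:50:07 2009-07-28 16:42:32 2009-07-24 22:00:56
google-bot004.cn 213.182.197.229 online 0 SBL75831 4 2009-07-03 07:58:02 2009-07-28 16:34:48 2009-07-24 21:55:14
gnk-msk2.com offline 0 Not listed 4 2009-07-03 08:03:26 2009-07-28 16:33:33 2009-07-24 21:54:10
ukropin.com offline 0 SBL75831 4 2009-06-29 14:10:19 2009-07-28 17:20:10 2009-07-28 17:20:16
rain-man.cn 213.182.197.229 online 0 SBL75831 4 2009-06-29 14:26:04 2009-07-28 17:15:05 2009-07-24 22:27:00
viphack.ru 213.182.197.11 online 3 SBL75831 4 2009-07-03 07:30:26 2009-07-28 16:43:03 2009-07-27 08:33:29
businesscoorptru.cn 213.182.197.229 online 0 SBL75831 4 2009-07-13 14:19:31 2009-07-28 15:32:13 2009-07-24 21:02:51
monozoro.net 213.182.197.37 online 0 SBL75831 4 2009-07-16 11:17:32 2009-07-28 15:10:56 2009-07-24 20:48:15
winsofter.ru 213.182.197.229 online 0 SBL75831 4 2009-07-20 17:43:29 2009-07-28 14:47:14 2009-07-24 20:22:39
smallteam.cn 213.182.197.229 online 0 SBL75831 4 2009-07-24 18:48:20 2009-07-28 14:22:15
somer.ws 213.182.197.238 online 0 SBL75831 4 2009-07-24 18:51:59 2009-07-28 14:11:22 2009-07-27 06:22:45
infoket.info 213.182.197.37 online 0 SBL75831 4 2009-07-24 19:13:14 2009-07-28 14:00:47
xepace.cn 213.182.197.11 online 0 SBL75831 4 2009-07-26 10:35:09 2009-07-28 13:55:02
"""

# The /24 covered by SBL75831 according to the post.
REAL_HOST_PREFIX = ipaddress.ip_network("213.182.197.0/24")


@dataclass
class TrackerRow:  # hypothetical name, this example's own
    host: str
    a_record: Optional[str]       # None when the tracker showed the host offline
    status: str
    files_online: int
    sbl: Optional[str]            # None when the column read "Not listed"
    level: int
    date_added: str
    last_checked: str
    last_updated: Optional[str]   # absent on rows never updated since being added


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_row(line: str) -> TrackerRow:
    """Parse one flattened tracker line by walking its tokens positionally."""
    t = line.split()
    host, i, a_record = t[0], 1, None
    if _is_ip(t[i]):                      # A record present only for online hosts
        a_record, i = t[i], i + 1
    status, files_online = t[i], int(t[i + 1])
    i += 2
    if t[i] == "Not" and t[i + 1] == "listed":   # two-token "Not listed" cell
        sbl, i = None, i + 2
    else:
        sbl, i = t[i], i + 1
    level = int(t[i])
    stamps = t[i + 1:]                    # 2 or 3 timestamps, each "date time"
    if len(stamps) not in (4, 6):
        raise ValueError(f"unexpected timestamp tokens in row: {line!r}")
    dates = [" ".join(stamps[j:j + 2]) for j in range(0, len(stamps), 2)]
    return TrackerRow(host, a_record, status, files_online, sbl, level,
                      dates[0], dates[1], dates[2] if len(dates) == 3 else None)


def parse_tracker(text: str) -> list:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def hosts_in_prefix(rows, prefix=REAL_HOST_PREFIX) -> list:
    """Hosts whose A record falls inside the blocklisted /24 (a network-level block covers them)."""
    return [r.host for r in rows if r.a_record and ipaddress.ip_address(r.a_record) in prefix]


def unlisted_hosts(rows) -> list:
    """Hosts with no SBL listing: a defender relying on the SBL alone would miss these."""
    return [r.host for r in rows if r.sbl is None]


def shared_a_records(rows) -> Counter:
    """How many tracked domains share each IP; heavy reuse hints at shared C2 hosting."""
    return Counter(r.a_record for r in rows if r.a_record)


if __name__ == "__main__":
    rows = parse_tracker(ZEUS_TRACKER_TEXT)
    print(len(hosts_in_prefix(rows)), "of", len(rows), "hosts resolve into", REAL_HOST_PREFIX)
    print("not covered by any SBL:", unlisted_hosts(rows))
    print("most shared A record:", shared_a_records(rows).most_common(1))
```

Run as-is, the example shows that 21 of the 24 tracked hosts resolve into 213.182.197.0/24, that agrautoparts.cn (on a different /24 of the same AS) and the offline gnk-msk2.com carry no SBL listing, and that 213.182.197.229 alone serves seven of the tracked domains. The last point is why a defender blocking on the /24, rather than on individual domains, gets far better coverage of a host like this one.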

Further Reading (select blogs and news sources):

Reference: Cybercrime Hotspot: Real Host Ltd. by Jart Armin

Reference: Real Host, Latvia – RBN Resurgence or Clone by Andrew Martin

Reference: After Links to Cybercrime, Latvian ISP Is Cut off – PC World

Reference: Swedish telco disconnects fraud hub – Financial Times



One Response to “Rogue Latvian ISP is Now Offline”


  1. Source of badness: Group Vertical Ltd (AS49365) | abuse.ch
