Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 17 February 2009

Bad Actors Part 3 - Internet Path/Cernel

Much was made of the Intercage/Atrivo shutdown last year, which was a result of significant research by the security community, and tenacity by the Washington Post's Security Fix technical blog. While a good chunk of the network was depeered, there are a few netblocks owned by "sister organizations" which remain routed.

The connection between Internet Path/Cernel, Intercage/Atrivo, Hostfresh, UkrTeleGroup, etc., is a tangled mess which others have written about extensively. In this article I'll be looking at UkrTeleGroup and Internet Path/Cernel.

This simple exercise can be done for any of the examples below, but for posterity's sake, I'll just point out one simple way to convince yourself that it is probably all the same group. Below I look deeply into the networking side of the DNSChanger trojan, much of which uses malicious DNS servers in the 85.255.112.0/20 block. A whois lookup of an IP in that block shows the following:

inetnum: 85.255.112.0 - 85.255.127.255
netname: UkrTeleGroup
mnt-routes: UKRTELE-MNT

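As an added example (not part of the FireEye article or the hpHosts post), the check below parses the quoted whois inetnum range into a CIDR block and flags any configured DNS resolvers that fall inside it, which is the defender-side version of the "convince yourself" exercise above. The resolver addresses in SAMPLE_RESOLVERS are constructed for illustration.

```python
import ipaddress

# Whois excerpt as quoted in the article (RIPE-style inetnum record).
WHOIS_EXCERPT = """\
inetnum: 85.255.112.0 - 85.255.127.255
netname: UkrTeleGroup
mnt-routes: UKRTELE-MNT
"""


def inetnum_to_networks(whois_text):
    """Parse the 'inetnum: start - end' line into a list of CIDR networks."""
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "inetnum":
            start, end = (part.strip() for part in value.split("-"))
            return list(ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end)))
    raise ValueError("no inetnum line in whois record")


def flag_resolvers(resolvers, networks):
    """Return the resolver addresses that fall inside any of the given networks."""
    flagged = []
    for ip_text in resolvers:
        ip = ipaddress.ip_address(ip_text)
        if any(ip in net for net in networks):
            flagged.append(ip_text)
    return flagged


# Constructed sample: DNS servers a host might be configured to use.
# Two lie inside 85.255.112.0/20; the others are ordinary resolvers.
SAMPLE_RESOLVERS = ["85.255.112.44", "8.8.8.8", "85.255.127.200", "192.168.1.1"]

if __name__ == "__main__":
    nets = inetnum_to_networks(WHOIS_EXCERPT)
    print("inetnum covers:", [str(n) for n in nets])  # ['85.255.112.0/20']
    print("resolvers inside block:", flag_resolvers(SAMPLE_RESOLVERS, nets))
```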

Read the full article
http://blog.fireeye.com/research/2009/02/bad-actors-part-3-internet-pathcernel.html

Previous episodes:

Bad Actors Part 2 - ZlKon
http://blog.fireeye.com/research/2009/02/bad-actors-part-2-zlkon.html

Bad Actors Part 1 - Starline Web Services
http://blog.fireeye.com/research/2009/02/bad-actors-part-1-compic.html
