I was happy to read over at Malware Domain List this morning, that Zlkon.lv had apparently been disconnected. Obviously I had to see where the domains listed in hpHosts, that pointed to zlkon, had now gone to. The results were interesting, but we'll get to that in a second.
I checked the AS report, as referenced in the MDL thread, and indeed it did seem as though Zlkon had gone;
Checking via BGPlay for the dates 28-04-2009 - 29-04-2009 shows;
This shows their upstream as;
If we expand the dates a little, we see that indeed, alot of the previous routes seem to have now gone as of 06:42 yesterday;
As mentioned, I ran the domains listed in hpHosts, that previously resolved to Zlkon.lv IP space, to see where they now resolved to, and the results showed;
220.127.116.11 - NET-VENTREX (UK)
18.104.22.168 - SE-PRQ-20051124 (Sweden)
22.214.171.124 - EUROHOST-NET (Ukraine)
126.96.36.199 - RENOME-SERVICE (Ukraine)
188.8.131.52 - RapidSwitch (UK)
184.108.40.206 - RapidSwitch (Cayman Islands)
220.127.116.11 - SpaceWeb (Russia)
18.104.22.168 - Zlathosting.ru (US)
22.214.171.124 - SERVERBOOST (Netherlands)
126.96.36.199 - UNICOM (China)
188.8.131.52 - HKNET-H (Hong Kong)
184.108.40.206 - ECOWEB (Latvia)
220.127.116.11 - EUNET-YU (Serbia)
Interestingly however, quite a few of them are still resolving to the Zlkon IP space, and are seemingly still active. Meaning either Zlkon is still in the process of being taken down, or has found a new upstream provider already.
See the full results, as of two hours ago;
I'm surprised somewhat, that the mainstream tech media hasn't already picked this up, but alas it seems this is certainly the case (or at least, if they have, I've not seen any stories concerning it on any of the RSS feeds I monitor).
Either way, this is great news for us, and is hopefully an end to what is without doubt, one of the worst offenders in the world of malware.
If you've got something to add, or just fancy joining in the discussion, feel free to join us over at the MDL forums;