Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 17 February 2009

Bad Actors Part 3 - Internet Path/Cernel

Much was made of the Intercage/Atrivo shutdown last year, which was a result of significant research by the security community, and tenacity by the Washington Post's Security Fix technical blog. While a good chunk of the network was depeered, there are a few netblocks owned by "sister organizations" which remain routed.

The connection between Internet Path/Cernel, Intercage/Atrivo, Hostfresh, UkrTeleGroup, etc., is a tangled mess which others have written about extensively. In this article I'll be looking at UkrTeleGroup and Internet Path/Cernel.

This simple exercise can be done for any of the examples below, but for posterity's sake, I'll just point out one simple way to convince yourself that it is probably all the same group. Below I look deeply into the networking side of the DNSChanger trojan, much of which uses malicious DNS servers in the block. Simply whoising the IP shows the following:

inetnum: -
netname: UkrTeleGroup
mnt-routes: UKRTELE-MNT
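The whois check above scales past one IP: parse the `netname`/`mnt-routes` fields for every hostile resolver you see, and netblocks under different names but one maintainer fall into the same group. The following is an added example, not code from the hpHosts post; the whois records, TEST-NET ranges and maintainer handles in it are constructed placeholders, not the real UkrTeleGroup data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed RIPE-style whois output for three IPs seen as hostile DNS
# resolvers (the DNSChanger pattern). Ranges and handles are placeholders.
SAMPLE_WHOIS = {
    "192.0.2.10": "inetnum: 192.0.2.0 - 192.0.2.127\nnetname: HOSTING-A\nmnt-routes: EXAMPLE-MNT\n",
    "198.51.100.44": "inetnum: 198.51.100.0 - 198.51.100.255\nnetname: HOSTING-B\nmnt-routes: EXAMPLE-MNT\n",
    "203.0.113.7": "inetnum: 203.0.113.0 - 203.0.113.255\nnetname: UNRELATED-ISP\nmnt-routes: OTHER-MNT\n",
}

FIELD_RE = re.compile(r"^([a-z-]+):\s*(.*?)\s*$", re.MULTILINE)

def parse_whois(text):
    """Return the first value seen for each 'key:' line of a whois record."""
    fields = {}
    for key, value in FIELD_RE.findall(text):
        fields.setdefault(key, value)
    return fields

def inetnum_networks(inetnum):
    """Turn an 'a.b.c.d - w.x.y.z' inetnum into the CIDR networks covering it."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))

def cluster_by_maintainer(whois_by_ip):
    """Group netnames by mnt-routes: several netnames routed by one maintainer
    is the 'sister organisation' pattern the post describes."""
    clusters = defaultdict(set)
    for text in whois_by_ip.values():
        f = parse_whois(text)
        clusters[f.get("mnt-routes", "?")].add(f.get("netname", "?"))
    return {k: sorted(v) for k, v in clusters.items()}

def resolver_flagged(resolver_ip, whois_by_ip, maintainer):
    """Defender check: does a host's configured DNS resolver sit inside any
    netblock routed by the flagged maintainer?"""
    addr = ipaddress.ip_address(resolver_ip)
    for text in whois_by_ip.values():
        f = parse_whois(text)
        if f.get("mnt-routes") != maintainer:
            continue
        if any(addr in net for net in inetnum_networks(f["inetnum"])):
            return True
    return False
```

Feed `resolver_flagged` the DNS servers from a suspect machine's network settings to spot a changed resolver without needing a signature for the trojan itself.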

Read the full article

Previous episodes:

Bad Actors Part 2 - ZlKon

Bad Actors Part 1 - Starline Web Services
