A funny thing happened after I posted my last article - the UralNet IP block was removed from the global routing table. I didn't see any notifications in the press or on any network operations lists (although I am not on any RIPE-specific listservs), so my suspicion is that they are simply lying low for a bit. I assume that if they had their plug forcibly pulled then the responsible party would want to be recognized (rightfully) for taking a step against cyber-crime in the region.
Another reason why I believe they are lying low is that an AS that had been dormant (unrouted) for months came back online this week and immediately started hosting much of the malware that used to be on UralNet. They've only been back a week, have a mere /24 (256 IPs), don't have a corporate homepage, and yet, already have quite a few criminal customers.
Read the full article
http://blog.fireeye.com/research/2009/03/bad-actors-part-6-eurohost-llc.html