Hacking It: ISP linked to Zeus botnet

Real Host Ltd., a so-called bulletproof hosting provider, was cut off by the Swedish telecommunications company TeliaSonera after an investigation confirmed its involvement in a range of Internet-based crime, including hosting command-and-control (C&C) servers for the Zeus botnet.

The Zeus botnet, linked to the infection of over three million computers in the U.S. alone, is the major threat hosted on the Real Host network. While Zeus is the core issue, research from HostExploit and Andrew Martin of Martin Security shows ties to dozens of crimes and hundreds of malicious domains. All of this came from three IP blocks announced by the autonomous system AS8206 Junik, in Riga, Latvia.

Once Real Host was exposed, Junik was told by its upstream provider TeliaSonera to cut off Real Host's connectivity. With its links severed, Real Host joined McColo, Atrivo, and Pricewert as the latest hosting provider taken offline because of its direct ties to cyber crime.

So what exactly was Real Host up to? The research from Martin Security and HostExploit offers an interesting look into the offerings of a rogue ISP, and the things its customers did with the services.

The first criminal enterprise is the control of the Zeus botnet: six Zeus C&C (command and control) servers were hosted on Real Host. Real Host also played a role in money mule scams, phishing, and a scheme that paid criminals for embedding malicious iframes in compromised Web sites. Moreover, Real Host is linked to the hosting of exploits aimed at vulnerabilities in poorly patched systems.

“Google’s Safe Browsing shows for AS8206 Junik in the last 90 days: 12 sites providing malicious software for drive-by downloads, 102 sites acting as intermediaries for the infection of 11,810 other web sites. Finally it found 161 websites hosting malware that infected 20,681 other web sites,” the investigation report outlined.

Other items of note from the investigation into Real Host include the mass sale of stolen banking and financial information. One site offered a variety of services and data for sale, including U.K. PayPal accounts with confirmed balances; the price of such an account was 10 percent of the hijacked account's balance. Other criminal businesses included botnet rental, botnet loading (pay-per-install of malware on already-infected machines), illegal pornographic content, and warez (pirated software) hosting.

The Real Host investigation also turned up evidence of links to the Russian Business Network (RBN). Many of the linked domains discovered had previously been registered through EstDomains, the registrar shut down in November 2008 because of its criminal connections, illustrating that shutting down one source of Web crime tends only to push its customers to another.

“All of these were operational elements of RBN (Russian Business Network). So this may not be a reincarnation of the RBN, but these are clearly Russian organized cyber criminals, in the same vein and at least headed by someone from the old school of RBN.”
