The Ukrainian ISP was harboring many illegal operations

Jan 31, 2009 10:44 GMT

UkrTeleGroup, a notorious ISP based in Ukraine, has been depeered by its uplink provider. In addition to the vast malicious activity originating from its address space, the ISP was also hosting the rogue DNS servers used by the Zlob (DNSChanger) family of trojans.

Brian Krebs, a journalist at The Washington Post who also maintains the Security Fix blog, reports that UkrTeleGroup Ltd. has been known to be involved in online criminal activity since as far back as 2005. As a result, security experts from the likes of McAfee and the Internet Storm Center have recommended blocking all traffic from the IP block owned by the Ukrainian company.

The Miami-based FPL FiberNet, which is part of the FPL Group, decided to terminate its contract with one of its customers, who was providing uplink to UkrTeleGroup, after receiving a complaint from its own service provider as well as an inquiry from Mr. Krebs.

"We determined that one of our customers was providing Internet access to UkrTelegroup and have further determined that UkrTelegroup's activities violate our terms of use agreement. As a result, we have notified our customer that we are terminating its service," Tim Fitzpatrick, FPL Group's vice president of corporate communications, told Security Fix.

The DNSChanger computer trojan comes in many variants, but all of them share the same core concept: forcing infected computers to use rogue DNS servers. This type of server is used by computers to resolve domain names to IP addresses, and the gang behind the trojan has proved particularly innovative in finding new ways to hijack that resolution.

While the original DNSChanger version did nothing more than modify the Windows HOSTS file in order to override legitimate DNS responses, its latest mutations are capable of breaking into LAN routers and modifying their settings, or of hijacking DNS requests from wireless clients and poisoning the replies.

By forcing the victim computers to use a DNS server under their control, the attackers are able to change where a legitimate URL points. The destination can range from a fake financial website to a malicious page serving more malware, or to one displaying revenue-generating advertisements.
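The two hijack techniques described above (a HOSTS file override and a rogue resolver) leave traces a defender can audit for. The following Python script is an added illustration, not code from the article or from any of the parties it names: it compares a host's configured resolvers against an approved baseline and flags HOSTS entries that pin protected hostnames to non-loopback addresses. The baseline, protected names and sample data are all constructed for this example.

```python
"""Audit a host's DNS configuration for DNSChanger-style tampering.
Added example; resolver baseline, protected names and samples are constructed."""
import ipaddress

# Hypothetical baseline: resolvers this network is supposed to use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Hypothetical list of names that must never be pinned locally in HOSTS.
PROTECTED_NAMES = {"bank.example", "www.bank.example", "update.example"}


def parse_hosts(text):
    """Return {hostname: ip} for every valid, non-comment HOSTS entry."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line, skip it
        for name in parts[1:]:
            mapping[name.lower()] = str(ip)
    return mapping


def check_hosts(text, protected=PROTECTED_NAMES):
    """Flag protected names mapped to anything other than loopback."""
    return [f"hosts override: {name} -> {ip}"
            for name, ip in parse_hosts(text).items()
            if name in protected and not ipaddress.ip_address(ip).is_loopback]


def check_resolvers(resolvers, approved=APPROVED_RESOLVERS):
    """Flag any configured resolver that is not in the approved set."""
    return [f"unapproved resolver: {r}" for r in resolvers if r not in approved]


def audit(resolvers, hosts_text):
    """Combine both checks; an empty list means no deviation found."""
    return check_resolvers(resolvers) + check_hosts(hosts_text)


# Constructed snapshot: one rogue resolver and one pinned banking hostname.
SAMPLE_RESOLVERS = ["10.0.0.53", "198.51.100.7"]
SAMPLE_HOSTS = "# constructed HOSTS file\n127.0.0.1 localhost\n" \
               "198.51.100.9 www.bank.example # pinned by malware\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLVERS, SAMPLE_HOSTS):
        print(finding)
```

On a real host the two inputs would come from the system resolver configuration and the HOSTS file rather than the constructed strings.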

Some researchers point out that the DNSChanger gang started migrating its servers away from UkrTeleGroup to other, harder-to-reach ISPs in Eastern European countries such as Latvia a month ago. Even so, the takedown of UkrTeleGroup is bound to hinder the operations of other cybercriminal groups that used its services to host phishing websites or malware distribution servers.

This latest win for the security community comes after other similar efforts led to the 2008 shutdown of Atrivo/Intercage, a hosting provider affiliated with the notorious Russian Business Network, and to the depeering of the infamous McColo ISP, which served as home for the command and control servers of many of the world's largest spam-sending botnets. ICANN's termination of the accreditation of EstDomains, the favorite domain registrar of cybercriminals, represented an important victory as well.