Jan 27, 2011 18:33 GMT  ·  By

HostExploit, an outfit that tracks malicious hosting providers, announces that VolgaHost, the number one cybercrime hosting provider on its list, has been offline since January 17.

Russia-based VolgaHost took first place on HostExploit's "Bad Hosts" list for the fourth quarter of 2010 and had ranked third in earlier reports.

The provider offered bulletproof hosting to people running command and control (C&C) servers for various botnets, ZeuS in particular.

Other malicious activity detected on VolgaHost's IP space included infected websites, phishing pages, exploit servers and spam.

VolgaHost went offline after its upstream provider, RUNNet.ru (operated by the Russian State Institute of Information Technologies and Telecommunications), de-peered it, together with several other ISPs known for hosting ZeuS domains.

These include INFORMEX (AS20564), Naukanet (TopNET) UA (AS31445), PROMIRANET (AS31478), Yuzhno-Sakhalinsk Internet eXchange (AS31506), Contel 2000 Ltd. (AS43181) and IT-OUTSOURCE-AS (AS48280).

"This was also related to community efforts with regard to AS39150 Vline Telecom (#6 Bad Host in the 2010 Q4 report), which was de-peered from its upstream provider RUNNet.ru," said Jart Armin, a security researcher with HostExploit.

Unfortunately, Vline Telecom still has three other upstream providers, Global Network Management Ltd., ComLine Ltd and JSC Telenet, and serves at least six known rogue hosting companies downstream. Losing one transit provider only takes a network off the Internet if no other upstream keeps announcing its routes.
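The check behind that caveat is one an analyst runs against public BGP data (RouteViews or RIPE RIS route collectors): read the AS_PATH of every route that traverses the target AS, infer which neighbouring ASes carry its routes upstream and which it carries downstream, then see what is left once a given upstream stops announcing it. The Python below is an added example written for this page, not HostExploit's code or data. AS39150 is Vline Telecom's ASN as given in the report; the AS_PATH lines and every other ASN (taken from the documentation range 64496-64511) are constructed, and "upstream" here means the AS immediately before the target in a path, which is a heuristic (it may be a settlement-free peer rather than a paid transit provider).

```python
"""Infer an AS's upstream and downstream neighbours from BGP AS_PATH data
and test whether de-peering some upstreams leaves it reachable.

Added example for this article; constructed data, not real routing tables.
"""
from collections import Counter

# Constructed AS_PATH strings in collector order (collector first, origin last).
# 39150 is Vline Telecom's ASN from the HostExploit report; all other ASNs are
# from the documentation range and carry no real-world meaning. The fifth line
# shows AS path prepending, which must be collapsed before inferring neighbours.
SAMPLE_AS_PATHS = """
64500 64501 39150 64510
64500 64502 39150 64510
64500 64503 39150 64511
64500 64501 39150 64511
64500 64504 39150 39150 64511
64500 64505 64506
"""

TARGET_AS = 39150


def parse_as_paths(text):
    """Turn whitespace-separated AS_PATH lines into lists of ints, dropping
    blank lines and collapsing consecutive duplicates caused by prepending."""
    paths = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        asns = []
        for tok in tokens:
            asn = int(tok)
            if asns and asns[-1] == asn:
                continue  # prepended hop, same AS
            asns.append(asn)
        paths.append(asns)
    return paths


def neighbors(paths, target):
    """Return (upstreams, downstreams) as Counters of how many paths show each
    AS directly before / after the target. The AS before the target is the one
    propagating the target's routes (transit provider or peer); the AS after it
    is a customer whose prefixes the target is carrying."""
    upstreams, downstreams = Counter(), Counter()
    for path in paths:
        if target not in path:
            continue
        i = path.index(target)
        if i > 0:
            upstreams[path[i - 1]] += 1
        if i + 1 < len(path):
            downstreams[path[i + 1]] += 1
    return upstreams, downstreams


def paths_after_depeering(paths, target, removed_upstreams):
    """Paths through the target that survive once the given upstream ASes stop
    carrying it. An empty result means the target (and everything behind it)
    has no remaining route in this data set."""
    removed = set(removed_upstreams)
    survivors = []
    for path in paths:
        if target not in path:
            continue
        i = path.index(target)
        if i > 0 and path[i - 1] in removed:
            continue
        survivors.append(path)
    return survivors


if __name__ == "__main__":
    paths = parse_as_paths(SAMPLE_AS_PATHS)
    up, down = neighbors(paths, TARGET_AS)
    print("upstreams of AS%d:" % TARGET_AS, dict(up))
    print("downstream customers:", dict(down))
    # Cut one upstream: the target is still reachable via the others.
    print("paths left after de-peering 64501:",
          len(paths_after_depeering(paths, TARGET_AS, {64501})))
    # Cut every inferred upstream at once: nothing is left.
    print("paths left after de-peering all upstreams:",
          len(paths_after_depeering(paths, TARGET_AS, up.keys())))
```

On real collector data the same functions apply unchanged to the AS_PATH column of a RIB dump; the only extra work is that one ASN will appear in thousands of paths, which is why the counts are kept rather than a plain set.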

Nevertheless, "This is a major step in the ongoing fight against botnet hosting and CyberCrime as world's worst host VolgaHost, and other associated crime servers, have disappeared," Jart Armin added.

The security community celebrates each time a rogue hosting provider disappears from the Internet, but unfortunately the effect is only temporary, because there are many others ready to take its place.

Causing lasting damage to a cybercriminal operation requires a coordinated effort between security researchers and ISPs, so that all of its points of control are disrupted at the same time rather than one upstream at a time.

At the end of October, the High Tech Crime Team of the Dutch national police, together with the Dutch Forensic Institute, the Computer Emergency Response Team of the Dutch Government, the security vendor Fox-IT and LeaseWeb, the largest hosting company in the Netherlands, took offline 143 command and control (C&C) servers used by the Bredolab botnet.

Despite this major effort, several servers remained operational in Russia and Kazakhstan, and the cybercriminals began pushing updates to the botnet through them.