Slashdot Mirror


After Links To Cybercrime, Latvian ISP Cut Off

alphadogg writes with this Network World story, excerpting "A Latvian ISP linked to online criminal activity has been cut off from the Internet, following complaints from Internet security researchers. Real Host, based in Riga, Latvia was thought to control command-and-control servers for infected botnet PCs, and had been linked to phishing sites, Web sites that launched attack code at visitors and were also home to malicious 'rogue' antivirus products, according to a researcher using the pseudonym Jart Armin, who works on the Hostexploit.com Web site. 'This is maybe one of the top European centers of crap,' he said in an e-mail interview. 'It was a cesspool of criminal activity,' said Paul Ferguson, a researcher with Trend Micro."

15 of 116 comments

  1. They'll move elsewhere by Canazza · · Score: 5, Interesting

    The question that should be asked is "Are they closing in on the criminals who set up these sites?"

    Surely with all the information they can get from this rogue ISP they can track down the wankers who run them.

    --
    It pays to be obvious, especially if you have a reputation for being subtle.
    1. Re:They'll move elsewhere by Zocalo · · Score: 5, Informative

      Probably not. The ISP in question, Real Host, appears to have only had a single upstream to the Internet via the Scandinavian ISP TeliaSonera and it was TeliaSonera being threatened with sanctions if they continued to provide connectivity to Real Host that resulted in the disconnection. Chances are that the operators behind Real Host (there is evidence to suggest at least some are ex-RBN staffers) are looking for other ISPs to provide them connectivity at this moment and Real Host will be coming to an Internet Sewer near you Real Soon.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:They'll move elsewhere by Anonymous Coward · · Score: 5, Interesting

      Thing is, rogue antivirus products and such aren't exactly illegal. In USA it can count as misleading advertisement but as we know USA laws don't apply everywhere. This case also is not a police investigation, but their upstream provider TeliaSonera just cut them off because it made them look bad.

      We demand net neutrality for pirates and defend laws of other countries. Now botnets and phishing are really bad, but instead of getting to the root of the problem these security researchers are purposely destroying net neutrality. TeliaSonera is also the upstream provider for The Pirate Bay so they could just suddenly cut TPB's access to the internet. Then everyone would be saying how they're legal in Sweden and they should not be allowed to do that. Well, it's the same issue here.

    3. Re:They'll move elsewhere by AigariusDebian · · Score: 5, Informative

      That is not net neutrality.

      If you connect to the Internet you are an equal peer on it - you can receive and send data. You have the right to set up services just like bbc.co.uk can. If your ISP cuts your connection without a court order (a court that has jurisdiction over you), then it is a violation of net neutrality.

      Traffic shaping based on the destination (or source) of the traffic is also a violation of net neutrality, traffic shaping to prioritize some protocols over others is not (unless a phone company reduces the priority of all VoIP traffic to zero).

    4. Re:They'll move elsewhere by mikael_j · · Score: 4, Informative

      Actually, what happened was that Real Host was getting its connection from Junik which in turn gets its upstream from TeliaSonera and TeliaSonera pressured Junik into cutting off Real Host.

      /Mikael

      --
      Greylisting is to SMTP as NAT is to IPv4
    5. Re:They'll move elsewhere by Zocalo · · Score: 3, Informative

      Yep, my mistake. TeliaSonera was threatening Junik with sanctions if they didn't cut Real Host off. That's what happens when you go from memories of a late night... There's some more background info on the Zeus trojan that Real Host was running the C&C servers for, including a rather incriminating AS map, over at HostExploit. Given the nature of the last couple of hops and likelihood of some RBN involvement, I'm actually inclined to believe that Junik is either a front or is seriously in someone's pocket...

      --
      UNIX? They're not even circumcised! Savages!
  2. Re:It's not criminal activity when we do it by noundi · · Score: 4, Insightful

    Perhaps the malice these researchers feel towards Latvia is similar in some way to the anger the RIAA feels towards filesharers?

    Latvia? You're taking things out of context. This is not about Latvia in general, this is about a Latvian ISP responsible for a shitload of spam and botnets. You're free to replace Latvia for any country you wish and it wouldn't make a difference. Also I think it's fair to say that RIAA only serve their interests, whilst spam and botnets concern anybody who uses internet.

    --
    I am the lawn!
  3. Re:Censorship by Canazza · · Score: 4, Insightful

    So you'd prefer to be subjected to DDoS attacks, have your E-mail account hacked and used to send spam, be phished for your credit card details all in the name of Net Neutrality?

    These are harmful activities. Harmful to people, REAL PEOPLE. It is the definition, at least in my eyes, of what crime is: serious irreversible harm to a person or people.

    Botnets sending out DDoS attacks make the Server Admin's job harder. Whatever site it is running becomes locked, likely losing the business revenue they can never get back.
    Hacked Email accounts cause headaches for the person whose account was compromised, it causes headaches for those who receive it, especially if it came from a white-listed friend, as it means wading through them and deleting them manually rather than have them caught by the filter. And again, most importantly, it makes the server admin's job harder, as they have to devise workarounds and filters for Spam.
    And the most serious of all? Phishing for card details. Serious monetary loss from an individual - they may be able to get it back, but not without a serious fight (My card got skimmed at a shop once, they managed to spend £700 before the bank stopped the card. It was a week before a new card was sent out, and 2 months before I got the money back)

    A whole industry has arisen around fighting these criminals. We're in a Broken Window situation and the only way to stop it is not to fix the window, but to remove the person throwing the stones.

    --
    It pays to be obvious, especially if you have a reputation for being subtle.
  4. Centers of Crap by xtracto · · Score: 3, Funny

    'This is maybe one of the top European centers of crap,'

    The server 216.178.38.116 is an American server known to have loads of crap too! I hope they also could get it!

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
  5. Re:Censorship by cbhacking · · Score: 3, Insightful

    It's almost certainly against the contract terms that Real Host signed with their upstream provider. Net neutrality has nothing to do with this issue; this isn't packet injection or traffic shaping or anything like that. This is simply disconnecting a client who is in breach of contract and criminal law. In effect, blocking them (as you personally advocated).

    Do you honestly think it should be the responsibility of the rest of the world to deal with these attacks, just because they are sent over the Internet?

    --
    There's no place I could be, since I've found Serenity...
  6. Re:Censorship by X0563511 · · Score: 4, Insightful

    The "powers that be" didn't shut them down. Their upstream provider did.

    Take this analogy:

    --start-bad-analogy--
    I let you watch TV at my house. But, most of the time you are there, you leave trash and shit everywhere, and fail to clean up after yourself.

    So, after enough complaints from my other guests, I decide to kick your ass out.
    --end-bad-analogy--

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  7. If there's one kind of cesspool I hate... by Jafafa+Hots · · Score: 4, Funny

    ...it's a cesspool of crap.

    the other kinds are ok.

    --
    This space available.
  8. Re:It's not criminal activity when we do it by Linker3000 · · Score: 4, Funny

    I thought xenophobia was a fear of virtualised environments?

    --
    AT&ROFLMAO
  9. Throw the baby out with the bathwater by cdrguru · · Score: 3, Insightful

    A real problem here is that if upstream providers do this sort of thing, there is no limit to their power. We're not talking about any court action, any due process or any other legal nicety. We are talking about vigilante action and mob rule.

    The idea of "net neutrality" pretty much can be agreed upon that upstream providers do not cut off users for actions that violate the laws of some jurisdiction on their own. Now this may not be a good idea, but if your ISP is prevented from cutting you off for downloading pirated music and movies then a rogue ISP better not be cut off for hosting botnet control centers and phishing web sites. Sorry, you can't have it both ways.

    Of course the real problem is that there is no force of law that can successfully prosecute folks like this. They might even be violating laws in their home country - but how do law enforcement agencies conduct a highly technical investigation when they have no facilities. Not only that, but the whole idea of the Internet makes it extremely difficult to conduct investigations without effectively wiretapping and requires the cooperation of a high level provider. It is difficult to see how such an investigation can be conducted by anyone without lots of resources and financial backing. And cooperation of providers, often at their own expense.

    No, prosecution of such crimes as are alleged on the Internet is very difficult without either inside information (usually bragging) or evidence collected for other court actions. For example, the ISP is sued for lack of tax payments and the servers are seized as part of discovery, which then uncovers further evidence.

    No, I think this vigilante action is short lived and not in the best interests of people vitally concerned with the freedom of action on the Internet. Of course, freedom of action implies freedom to commit crimes on the Internet, like copyright violation and phishing.

  10. Real Host is not an ISP by ACS+Solver · · Score: 3, Informative

    The summary is quite wrong, though I do not blame the submitter. All English and Russian language sources that I can find state that supposedly Real Host, an ISP, got cut off. That is not actually so.

    Real Host is some company that is running fraudulent operations and other crap, making use of the Zeus botnet. Real Host rented servers from Junik, which is an ISP. They're a small ISP connected upstream via the Latvian branch of Telia. And the story now is that Junik cut off Real Host's access and revoked the servers they rented. Real Storm itself doesn't appear to be linked to Latvia in any real way. They use an address in Kazakhstan as the legal address from where the IP blocks are leased, the botnet itself is being linked to a Russian group of hackers. And they chose Latvian servers to rent, which doesn't make them a Latvia-based group.