Sometimes, failing to clean up your own backyard and respond to abuse complaints can be costly: an ISP can end up on the Spamhaus Block List (SBL), as one particular Latvian hoster, Microlines.LV, recently discovered.
Chris Williams explains the situation today in The Register.
The Spamhaus SBL generally lists blocks of IP addresses that show long-term hosting of malware, exploit kits, distributed denial-of-service (DDoS) command-and-control (C&C) servers, spam, and similar abuse, and where the responsible ISP ignores and dismisses complaints about the malicious content.
In essence, getting listed by Spamhaus can have a serious impact on any legitimate customer that a targeted ISP may have since Spamhaus block lists are extensively used by other organizations around the world to deny traffic to or from the listed IP addresses.
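The "deny traffic to or from the listed IP addresses" part works through DNS: a mail server or firewall reverses the octets of the address it is evaluating, appends the block-list zone, and resolves the resulting name. An answer in 127.0.0.0/8 means the address is listed, and the last octet tells which list hit. The following is an added example of such a lookup, not code from the original post, from Trend Micro, or from Spamhaus. The function names are hypothetical, the return-code meanings are those Spamhaus documents for its sbl/zen zones (check the current documentation before relying on them), and the offline resolver is constructed here so the example runs without network access.

```python
"""Check an IP address against a DNS-based block list such as the Spamhaus SBL.

Added example (hypothetical helper names). Assumes the standard DNSBL
convention: reverse the address, append the zone, resolve the A record, and
treat a 127.0.0.x answer as a listing code and NXDOMAIN as "not listed".
"""
import ipaddress
import socket
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]  # hostname -> A record, or None if NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed, IPv6 nibbles reversed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        nibbles = addr.exploded.replace(":", "")  # 32 hex digits, zero-padded
        reversed_part = ".".join(reversed(nibbles))
    return f"{reversed_part}.{zone}"


def classify_answer(answer: str) -> str:
    """Interpret the A record returned by a Spamhaus zone.

    Codes as documented by Spamhaus for sbl/zen: 127.0.0.2/3/9 are SBL data
    (SBL, CSS, DROP/EDROP), 127.0.0.4-7 are XBL (compromised hosts), and
    127.0.0.10/11 are PBL (end-user space). 127.255.255.x answers signal an
    error with the query itself (e.g. sent through an open resolver), not a
    listing, so they must never be treated as a block verdict.
    """
    octets = answer.split(".")
    if octets[:3] == ["127", "255", "255"]:
        return f"error:{answer}"
    if octets[:3] == ["127", "0", "0"]:
        code = int(octets[3])
        if code in (2, 3, 9):
            return "listed:SBL"
        if 4 <= code <= 7:
            return "listed:XBL"
        if code in (10, 11):
            return "listed:PBL"
        return f"listed:unknown({answer})"
    return f"unexpected:{answer}"  # not a DNSBL answer; do not block on it


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the host's configured DNS; NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zone: str = "sbl.spamhaus.org",
             resolve: Resolver = system_resolver) -> dict:
    """Return the query name, raw answer and verdict for one address."""
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    verdict = "not listed" if answer is None else classify_answer(answer)
    return {"ip": ip, "zone": zone, "query": name, "answer": answer, "verdict": verdict}


def offline_resolver(name: str) -> Optional[str]:
    """Constructed answers so the example runs with no network access.

    127.0.0.2 is the conventional DNSBL test address that Spamhaus documents
    as always listed; 203.0.113.5 is a documentation address used here as a
    constructed 'clean' sample.
    """
    table = {"2.0.0.127.sbl.spamhaus.org": "127.0.0.2"}
    return table.get(name)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["127.0.0.2", "203.0.113.5"]:
        print(check_ip(target, resolve=offline_resolver))
```

Run it with no arguments to see the constructed verdicts; pass `resolve=system_resolver` (the default) to query the real zone. Two design points matter for a defender: the error codes in 127.255.255.0/24 are deliberately separated from listings so that a misconfigured resolver does not silently turn into a block-everything policy, and NXDOMAIN is the only answer that counts as "not listed".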
After reading about how this saga unfolded today, I decided to look a bit further into our own domain reputation system (DRS) to see if I could validate whether we had also identified malicious content associated with any IP addresses that were allocated to Microlines.LV.
What we saw is a smaller concentrated block of IP addresses with Microlines.LV, an entire allocation that has exhibited long-term hosting of rogue antivirus, various exploit kits, ZeuS and Gozi Trojans, and an array of other badness.
Not only that, it appears that the bad guys operating out of Eastern Europe are now also using portions of the IP address space of LATNET (the upstream ISP of Microlines.LV) to host additional malware.
Our research confirms what Spamhaus has made public in its SBL listings. We have seen long-term, large-scale criminal activity associated with Microlines.LV as well as a hodgepodge of hosts in LATNET itself.
Apparently, cybercriminals in Eastern Europe are using other Eastern European ISPs and data centers to host their criminal enterprises. This is not a new phenomenon, as this has been happening in various places (including hosting providers in the United States, the United Kingdom, the Netherlands, Germany, and elsewhere) around the world.
But sometimes the bad guys can’t simply “blend into the noise” and hide in the shadow of another ISP; sometimes the light has to shine brightly to expose the darkness.
Trend Micro’s customers are protected from these threats by the Trend Micro™ Smart Protection Network™, since the network security and domain intelligence that we use in our research feeds directly into protecting our customers.