Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Sometimes, not cleaning up your own backyard and responding to abusive requests can be costly when an ISP ends up on the Spamhaus Block List (SBL), as one particular Latvian hoster, Microlines.LV, recently discovered.

    Chris Williams explains the situation today in The Register.

    The Spamhaus SBL generally lists blocks of IP addresses that exhibit long-term instances of hosting malware, exploit kits, distributed denial-of-service (DDoS) command-and-control (C&C) servers, spam, and others where the responsible ISP ignores and dismisses complaints about the abusive nature of the malicious content.

    In essence, getting listed by Spamhaus can have a serious impact on any legitimate customer that a targeted ISP may have since Spamhaus block lists are extensively used by other organizations around the world to deny traffic to or from the listed IP addresses.

    After reading about how this saga unfolded today, I decided to look a bit further into our own domain reputation system (DRS) to see if I could validate whether we had also identified malicious content associated with any IP addresses that were allocated to Microlines.LV.

    What we saw is a smaller concentrated block of IP addresses with Microlines.LV, an entire allocation that has exhibited long-term hosting of rogue antivirus, various exploit kits, ZeuS and Gozi Trojans, and an array of other badness.

    Not only that, it appears that the bad guys operating out of Eastern Europe are also now also using portions of LATNET’s (the upstream ISP of Microlines.LV) IP address space to host additional malware.

    Our research confirms what Spamhaus has made public in its SBL listings. We have seen long-term, large-scale criminal activity associated with Microlines.LV as well as a hodgepodge of hosts in LATNET itself.

    Apparently, cybercriminals in Eastern Europe are using other Eastern European ISPs and data centers to host their criminal enterprises. This is not a new phenomenon, as this has been happening in various places (including hosting providers in the United States, the United Kingdom, the Netherlands, Germany, and elsewhere) around the world.

    But sometimes, the bad guys can’t simply “blend into the noise” and hide in the shadow of another ISP, they have to have the light shine brightly to expose the darkness.

    Trend Micro’s customers are protected from these threats by the Trend Micro™ Smart Protection Network™ since the network security and domain intelligence that we use in our research directly goes toward protecting our customers.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • Jake

      Microlines continues to host these spam sites and I get tons of spam daily advertising many domains that resolve to

      Micrlines has no apparent abuse department. doesn't even exist, and if you try to mail their other email addresses, support and info the message is always bounced (for me) and rejected as spam, even if you don't include the spam message in the complaint- apparently just referring to their network is so suspicious even they can't believe its legitimate.

      Do these people even have an abuse department? How do you contact them? Why do they love spam so much at Microlines, or are they just incompotent?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice