VolgaHost, a hosting provider notorious in the security community for hosting botnet command-and-control servers and other services related to online crime, has been taken offline, and a number of servers involved in the Zeus crimeware operation are offline as a result.
The hosting provider, which is based in Russia, has been offline for more than a week now after it was de-peered by its upstream provider, RUNNET.ru, a Russian university Internet provider. The result of VolgaHost being taken offline is that a large number of crimeware servers that were being used for operations related to the Zeus botnet and other malware campaigns are now unavailable, according to an analysis by researchers at HostExploit.
HostExploit, which tracks crimeware activity and the location and function of servers used in online criminal operations, said in its most recent quarterly report that VolgaHost was the worst crimeware provider online. Its disappearance from the scene is a significant development in the campaign by researchers against crimeware operations.
“VolgaHost is well known to HostExploit. It topped our ranking of ‘Bad Hosts’ for the 4th quarter of 2010, having been ranked #3 in the two previous quarters,” HostExploit’s Jart Armin said in the analysis. “This was also related to community efforts with regard to AS39150 Vline Telecom (#6 Bad Host in the 2010 Q4 report), which was de-peered from its upstream provider AS3267 RUNNet.ru – the Russian State Institute of Information Technologies and Telecommunications.”
A query on the current status of VolgaHost shows that the provider’s IP range is offline and that its servers are known to host malicious URLs, botnet C&C servers and other crimeware resources. The company’s main site was still online as of Wednesday morning, however.
In its report on the worst crimeware providers in the fourth quarter of 2010, which was published earlier this month, HostExploit said that VolgaHost had been a focus of security researchers for most of the year, but had recently moved into the top spot.
“VolgaHost AS29106 is no stranger to the Top 50 reports, having been in the top 10 for the entire 6 months prior to this quarter. And yet the effective badness levels have continued to rise to now take the #1 rank. Particularly prevalent on VolgaHost are Zeus servers and infected web sites,” the report said.
Data compiled by Stop Badware shows that the number of malicious URLs hosted by VolgaHost ramped up quickly in 2010 but leveled off close to 500 URLs in July 2010 and has stayed at that level since then.