Entries filed under 'Alex Lanstein'

Threat Research Blog

The FireEye Labs team posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. They cover the full spectrum of exploits and vulnerabilities, including advanced malware and targeted threats.


    Bad Actors Part 6 - Eurohost LLC (aka UralNet?)

    By Alex Lanstein
    A funny thing happened the day after I posted my last article - the UralNet IP block was removed from the global routing table. I didn't see any notifications in the press or on any network operations lists (although I am not on any RIPE-specific listservs), so my suspicion is that they are simply lying low for a bit. I assume that if they had their plug forcibly pulled then the...


    Bad Actors Part 5 - UralNet

    By Alex Lanstein
    I'm not actively picking on the Eastern Bloc, but finding purely malicious IP blocks there is duck soup. In this posting I'll be looking at UralNet, which is registered to an organization in Russia, but appears to be administered out of the Ukraine.

    inetnum:        91.211.64.0 - 91.211.67.255
    netname:        Ural-NET
    descr:          Ural Industrial Limited Company
    country:        RU
    address:        Russia, 620240 Ekaterinburg, Sofia Kovalevsaja st.
    origin:         AS48511
    role:           UralNet IP Master
    address:        ...


    Bad Actors Part 4 - HostFresh

    By Alex Lanstein
    There was an excellent report published in 2008 by HostExploit that showed the connections between Atrivo and those for whom it provided downstream services. One such customer was a Chinese provider called HostFresh. I thought it might be interesting to look at two IP blocks which were previously part of the Atrivo network - 58.65.232.0/21 and 116.50.8.0/21 - but are now routed by others. Below we can see the information...


    Bad Actors Part 3 - Internet Path/Cernel

    By Alex Lanstein
    Much was made of the Intercage/Atrivo shutdown last year, which was a result of significant research by the security community, and tenacity by the Washington Post's Security Fix technical blog. While a good chunk of the network was depeered, there are a few netblocks owned by "sister organizations" which remain routed. The connection between Internet Path/Cernel, Intercage/Atrivo, Hostfresh, UkrTeleGroup, etc., is a tangled mess which others have written about extensively. In this article...


    Bad Actors Part 2 - ZlKon

    By Alex Lanstein
    In this edition of "rooting out the Bad Actors" I'm going to take a look at ZlKon, hosted by "Datoru Express Serviss, Ltd" in Latvia. As you can see, they only have a single /23 address block, but everything I found indicates that the whole range is dedicated to providing services for hosting malware, exploits, and those who profit from them.

    inetnum:        94.247.2.0 - 94.247.3.255
    netname:        ZLKON
    descr:          ZlKon
    country:        LV
    role:           ZlKon HostMaster
    address:        Lilijas iela 4-74
    address:        Riga, ...