Posts Tagged:

May 13

Conversations with a Bulletproof Hoster

Criminal commerce on the Internet would mostly grind to a halt were it not for the protection offered by so-called “bulletproof hosting” providers — the online equivalent of offshore havens where shady dealings go ignored. Last month I had an opportunity to interview a provider of bulletproof services for one of the Web’s most notorious cybercrime forums, and who appears to have been at least partly responsible for launching what’s been called the largest cyber attack the Internet has ever seen.'s intro to Darkode’s intro post to Darkode

Earlier this year, the closely-guarded English-language crime forum was compromised and came under a series of heavy distributed denial-of-service (DDoS) attacks aimed at keeping it offline. Around that same time, welcomed a new member — a bulletproof hosting broker aptly named “” — who promised to defend the site from future DDoS attacks. also said he could offer more robust and crime-friendly hosting services than darkode’s previous provider — Santrex, literally an offshore hosting facility located in the Seychelles, a 115-island country that spans an archipelago in the Indian Ocean.’s timing was perfect: Darkode desperately needed both, and seemed to know his stuff, so he was admitted to the forum and given stewardship of the site’s defense and hosting. recruits Stophaus members on darkode. recruits Stophaus members on darkode.


Of course, to successfully defend a network against DDoS attacks one must know a great deal about how to launch such assaults. Indeed, was an integral member of Stophaus, an upstart group of bulletproof hosters that banded together in March to launch a massive Internet attack against anti-spam group

Hundreds of ISPs route or deny traffic based in part on Spamhaus’s blacklists of known, cybercrime-friendly ISPs, and Stophaus formed in response to Spamhaus’s listing of bulletproof hosting provider in particular: A network known alternatively as CB3ROB, a.k.a. “Cyberbunker” because it operated from a heavily fortified NATO bunker in The Netherlands. is moderator of the Stophaus forum, and not long after joining, he was recruiting fellow darkode members for the Stophaus cause. Stophaus’s records show that another core member was “0ptik,” a competing bulletproof hosting provider. Spamhaus had listed dozens of Optik’s domains, as well as virtually all of the IP address ranges had rented at abuse-friendly Romanian hosting provider Voxility. It was payback time.

In late March, Spamhaus became the target of what experts called one of the largest computer attacks on the Internet. The method of attack — a DNS amplification attack — was similar to that first seen used in attacks more than a decade ago that targeted the heart of the Internet’s routing system, except that it was by most accounts much larger. calls Spamhaus assault "our prank." calls Spamhaus assault “our prank.”

“DNS amplification attacks can bring up to 140 Gbps to a single resource from a single controller,” wrote in a posting less than 24 hours after the attack on Spamhaus began. “The beauty of it [is] that the ‘bots’ are just open DNS resolvers in the world.” Linking to a writeup from about the attack, stated that “Some BP hosters were lately united, check out our latest prank.”

Last month, authorities in Spain arrested Sven Kamphuis, a 35-year-old Dutch man, thought to be responsible for coordinating the unprecedented attack on Spamhaus. According to Spamhaus, Kamphuis made claims about being his own independent country in the Republic of Cyberbunker. But according to, Kamphuis was just the public face of the movement. “Sven didn’t attack anyone,” wrote in an online chat with KrebsOnSecurity.

If Kamphuis was just a mouthpiece, who was responsible for the attack? What is interesting about the Stophaus movement is that very well may have prompted Spamhaus to finally place CB3ROB/Cyberbunker at the top of its World’s Worst Spam-Support ISPs list, a move that helped to precipitate this conflict.

According to Spamhaus, while Cyberbunker and Spamhaus certainly have a bit of a history together, Cyberbunker wasn’t really a focus of Spamhaus’s blocking efforts until the fall of 2012. That’s when Spamhaus began noticing a large number of malware and botnet control servers being stood up inside of Cyberbunker’s Internet address ranges.

“We didn’t really notice these guys at CB3ROB much until last fall, when they started hosting botnet controllers, malware droppers and a lot of pharma spam stuff,” said a Spamhaus member who would only give his name as “Barry.” “Before that, it was mainly routing for some Chinese guys — Vincent Chan — fake Chinese products.” sells BP hosting out of Cyberbunker selling BP hosting out of Cyberbunker

Oddly enough, this coincides with’s entrance on the bulletproof hosting scene (at least as advertised on crime forums). In his introduction post to Darkode,  referenced his bulletproof hosting sales threads at two Russian-language forums — and In these threads, which began in Sept. 2012, advertised the ability to host ZeuS and SpyEye botnet command and control networks for between $99 and $199 per month, and bulletproof domain registration from $30 per month. More importantly, proudly announced that he was offering a premiere BP hosting service for $400 a month that was housed in an old NATO bunker in Holland and that used IP addresses assigned to CB3ROB (see screenshot to left).

Continue reading →

Apr 13

Phoenix Exploit Kit Author Arrested In Russia?

The creator of a popular crimeware package known as the Phoenix Exploit Kit was arrested in his native Russia for distributing malicious software and for illegally possessing multiple firearms, according to underground forum posts from the malware author himself.

The last version of the Phoenix Exploit Kit. Source:

The last version of the Phoenix Exploit Kit. Source:

The Phoenix Exploit Kit is a commercial crimeware tool that until fairly recently was sold by its maker in the underground for a base price of $2,200. It is designed to booby-trap hacked and malicious Web sites so that they foist drive-by downloads on visitors.

Like other exploit packs, Phoenix probes the visitor’s browser for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader. If the visitor is unlucky enough to have fallen behind in applying updates, the exploit kit will silently install malware of the attacker’s choosing on the victim’s PC (Phoenix targets only Microsoft Windows computers).

The author of Phoenix — a hacker who uses the nickname AlexUdakov on several forums — does not appear to have been overly concerned about covering his tracks or hiding his identity. And as we’ll see in a moment, his online persona has been all-too-willing to discuss his current legal situation with former clients and fellow underground denizens. forum member AlexUdakov selling his Phoenix Exploit Kit. forum member AlexUdakov selling his Phoenix Exploit Kit.

For example, AlexUdakov was a member of, a fairly exclusive English-language cybercrime forum that I profiled last week. That post revealed that the administrator accounts for Darkode had been compromised in a recent break-in, and that the intruders were able to gain access to private communications of the administrators. That access included authority to view full profiles of Darkode members, as well as the private email addresses of Darkode members.

AlexUdakov registered at Darkode using the address “”. That email is tied to a profile at (a Russian version of Facebook) for one Andrey Alexandrov, a 23-year-old male (born May 20, 1989) from Yoshkar-Ola, a historic city of about a quarter-million residents situated on the banks of the Malaya Kokshaga river in Russia, about 450 miles east of Moscow.

ASK-74u rifles. Source: Wikimedia Commons.

AKS-74u rifles. Source: Wikimedia Commons.

That address also is connected to accounts at several Russian-language forums and Web sites dedicated to discussing guns, including and This is interesting because, as I was searching AlexUdakov’s Phoenix Exploit kit sales postings on various cybercrime forums, I came across him discussing guns on one of his sales threads at, a semi-exclusive underground forum. There, a user with the nickname AlexUdakov had been selling Phoenix Exploit Kit for many months, until around July 2012, when customers on began complaining that he was no longer responding to sales and support requests. Meanwhile, AlexUdakov account remained silent for many months.

Then, in February 2013, AlexUdakov began posting again, explaining his absence by detailing his arrest by the Federal Security Service (FSB), the Russian equivalent of the FBI. The Phoenix Exploit Kit author explained that he was arrested by FSB officers for distributing malware and the illegal possession of firearms, including two AKS-74U assault rifles, a Glock, a TT (Russian-made pistol), and a PM (also known as a Makarov).

Continue reading →