Criminal Hideouts for Lease: Bulletproof Hosting Services

BPHS: Bulletproof Hosting Services
Maxim Goncharov, [email protected], 2015

What is BPHS?

Hardware or VPS
Any type of content: C2, spam, adult, DMCA, SEO, drop zones

Infrastructure of BPHS

[Diagram] Attacker -> server in Germany -> Victim
[Diagram] Attacker -> BPHS (Panama, Russia) -> Target / Victim

BPHS Categorisation

CAT 1: done on purpose
CAT 2: stolen credentials
CAT 3: violating the terms of service

CAT 1: Done on purpose

They know what they are doing
They describe what they do not allow
They state geographical restrictions
All other types of activities are accepted

CAT 2: Stolen credentials

Bruteforce
Proxying malicious traffic
SEO activities
Drop zones

CAT 3: Violating the terms of service

BPHS advertising

SEO
VPN, dedicated servers
DMCA (Digital Millennium Copyright Act)
C2: my.Galkahost.com
SPAM: spamz.ru

Types of Activities

Child Pornography
C2
Exploit
Malware Dropzone
SPAM
Bruteforce
VPN
SEO
Torrents
DMCA
Fake

BPHS Toxic levels

Toxic level per activity type (chart): Child Pornography, C2, Exploit, Malware Dropzone, SPAM, Bruteforce, VPN, SEO, Torrents, DMCA, Fake

Some BPHS operational details

Types of ads: legitimate search engine ads, underground forums
Support at BPHS: ICQ, Jabber, JavaScript web chat, 24/7
DDoS mitigation at BPHS
Hide real IP: multi-level proxy protection, "white hat" services

Political/Regional specifications

"We do not accept/allow on our servers child pornography or projects which can cause damage to the Russian Federation / Ukraine / Belarus. We also will not be happy if our IP addresses appear too often in Spamhaus blacklists. Violation of these two rules can cause permanent interruption of the services you rent from us. All other activities not mentioned are allowed."

Use Case

Host anything
Child pornography: no go, but…
Location decided by sales/support
No attacks on RU or UA
Out of the box configuration for: Radware, Cacti/Zabbix, Citadel, Carberp

Seller nickname: sosweet
randservers.com

"We hold absolutely every type of content if we host in Ukraine"

randservers: BPHS Classification

Toxic Level: T1
Category: CAT1
GEO Loc: UA
GEO Act: GLOBAL
Price: $100/$300
Popularity: High
Longevity: 7 years

Detection

Example: AS7643, http://vinahost.vn/, VietNam Data Communication Company (VDC)

Algorithm #1
"Bad" site -> ASN -> check malware sightings across the ASN's IP ranges -> CAT1 / CAT2 / CAT3 -> conclusion

Algorithm #2
"Bad" domain name -> domain name registrar -> ASN -> reverse DNS -> name server
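The two pivots above, written out as an added example (my code, not the speaker's tooling). Algorithm #1 starts from one bad IP, finds its ASN by longest-prefix match, counts malware-feed hits across everything that ASN announces, and maps the hit density to CAT1/CAT2/CAT3; algorithm #2 starts from one bad domain and finds other domains that share registrar, ASN, reverse-DNS suffix or name servers. The ASN table, the malware feed, the domain records and the density thresholds are all constructed for the example; the slide gives no thresholds, so the CAT mapping is an assumption.

```python
"""Infrastructure pivoting in the style of the two slide algorithms.
Added example; every prefix, ASN, domain and feed entry below is constructed."""
import ipaddress

# Constructed ASN table: announced prefix -> (ASN, org). Documentation ranges only.
ASN_TABLE = {
    "203.0.113.0/24": (64500, "EXAMPLE-BPHS"),
    "198.51.100.0/24": (64500, "EXAMPLE-BPHS"),
    "192.0.2.0/24": (64501, "EXAMPLE-SHARED-HOSTING"),
    "100.64.0.0/16": (64502, "EXAMPLE-BIG-ISP"),
}

# Constructed malware feed: IPs seen serving malware or acting as C2.
MALWARE_FEED = [
    "203.0.113.5", "203.0.113.17", "203.0.113.18", "203.0.113.200",
    "198.51.100.2", "198.51.100.9",
    "192.0.2.44",
    "100.64.3.7", "100.64.200.1",
]

# Constructed WHOIS/passive-DNS style records for algorithm #2.
DOMAIN_RECORDS = {
    "bad-c2.example": {"ip": "203.0.113.17", "registrar": "REG-A",
                       "ns": ("ns1.bp-dns.example", "ns2.bp-dns.example"),
                       "rdns": "srv17.bphs.example"},
    "other-c2.example": {"ip": "198.51.100.9", "registrar": "REG-A",
                         "ns": ("ns1.bp-dns.example", "ns2.bp-dns.example"),
                         "rdns": "srv9.bphs.example"},
    "shop.example": {"ip": "192.0.2.44", "registrar": "REG-B",
                     "ns": ("ns1.shared.example", "ns2.shared.example"),
                     "rdns": "vps44.shared.example"},
    "blog.example": {"ip": "100.64.3.7", "registrar": "REG-A",
                     "ns": ("ns1.isp.example", "ns2.isp.example"),
                     "rdns": "dsl-3-7.isp.example"},
}


def lookup_asn(ip):
    """Algorithm #1, step 'ASN': longest-prefix match of ip against ASN_TABLE.
    Returns (network, asn, org) or None if no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, (asn, org) in ASN_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, org)
    return best


def asn_prefixes(asn):
    """All prefixes the table attributes to one ASN."""
    return [ipaddress.ip_network(p) for p, (a, _) in ASN_TABLE.items() if a == asn]


def malware_density(asn, feed=MALWARE_FEED):
    """Algorithm #1, step 'check malware with IP range': feed hits inside the
    ASN's space, normalised per /24 so a /16 ISP is not compared raw with a
    two-/24 hoster. Returns (hits, number_of_/24s, hits_per_/24). IPv4 only."""
    nets = asn_prefixes(asn)
    hits = sum(1 for ip in feed if any(ipaddress.ip_address(ip) in n for n in nets))
    slash24s = sum(n.num_addresses // 256 for n in nets)
    return hits, slash24s, (hits / slash24s if slash24s else 0.0)


def categorise(asn, feed=MALWARE_FEED, dense=2.0, sparse=0.1):
    """Map density to the slide's categories. The thresholds are this
    example's assumption: many hits packed into a small allocation -> CAT1
    (purpose-built), isolated hits in a large network -> CAT3 (ToS abuse),
    anything in between -> CAT2 (stolen credentials / compromised accounts)."""
    _, _, density = malware_density(asn, feed)
    if density >= dense:
        return "CAT1"
    if density <= sparse:
        return "CAT3"
    return "CAT2"


def features(domain):
    """Algorithm #2 attributes for one domain: registrar, ASN of its A record,
    reverse-DNS suffix (hostname minus its first label) and name-server set."""
    r = DOMAIN_RECORDS[domain]
    asn = lookup_asn(r["ip"])
    return {
        "registrar": r["registrar"],
        "asn": asn[1] if asn else None,
        "rdns_suffix": ".".join(r["rdns"].split(".")[1:]),
        "ns": frozenset(r["ns"]),
    }


def pivot(seed, min_shared=2):
    """Algorithm #2: from one bad domain, return {domain: [shared attributes]}
    for every other domain sharing at least min_shared of the four features."""
    seed_f = features(seed)
    related = {}
    for d in DOMAIN_RECORDS:
        if d == seed:
            continue
        f = features(d)
        shared = [k for k in seed_f if f[k] == seed_f[k]]
        if len(shared) >= min_shared:
            related[d] = shared
    return related


if __name__ == "__main__":
    net, asn, org = lookup_asn("203.0.113.17")
    print(f"203.0.113.17 -> {net} AS{asn} {org}: {categorise(asn)}")
    print("pivot from bad-c2.example:", pivot("bad-c2.example"))
```

Both pivots are only as good as the feeds behind them: a single hit in a large ISP says nothing about the ISP, which is why the density is normalised per /24 rather than counted raw, and a shared registrar on its own is too weak a link, which is why `pivot` requires at least two matching attributes.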

OVH Statistics

All IPs researched: 1,080,576
Unique IPs seen: 185,311
IPs seen in the botnet table below: 1,238

Botnet        IPs
c2            688
zeus          185
asprox        129
grum           74
festi          30
sality         30
storm          30
zeroaccess     22
koobface       10
bagle           6
flame           6
kelihos         5
cutwail         4
gumblar         4
virut           4
akbot           2
bredolab        2
mariposa        2
nitol           2
waledac         2
lethic          1

BPHS providers observed (column headers reconstructed; N is a numeric column whose header did not survive extraction; row 9 is missing from the source)

#  | Domain              | Location                                                                            | Payment methods                                                                                 | N  | Upstream hosting   | Registrar
1  | ccihosting.com      | Panama                                                                              | Credit Card, PayPal, Bank Transfer, Liberty Reserve, Western Union                              | 5  | N/A                | N/A
2  | goip.com            | Belize -> Netherlands                                                               | PayPal, Skrill, CC                                                                              | 3  | Elcatel            | internetbs.net
3  | webcare360.com      | Pakistan / Romania                                                                  | PayPal, Moneybookers, Payza (AlertPay)                                                          | 4  | N/A                | N/A
4  | cinipac.com         | Malaysia -> USA / Malaysia / Romania / Iceland                                      | Paysafecard, Ukash, Liberty Reserve, Webmoney, Moneybookers, Bitcoin, PayPal, Cash by Post     | 3  | N/A                | N/A
5  | panamaserver.com    | Panama                                                                              | All                                                                                             | 10 | N/A                | N/A
6  | katzglobal.com      | US / Malaysia -> India / Malaysia / China / Hong Kong / Singapore / Australia / USA | All                                                                                             | 10 | N/A                | N/A
7  | shinjiru.com        | Malaysia -> Malaysia / Singapore / Netherlands / Luxembourg / Lithuania             | Credit Card, Western Union, PayPal, Liberty Reserve, Wire Transfer, Mail Payment, Moneybookers | 6  | N/A                | N/A
8  | offshorehosting.com | Hong Kong / Malaysia -> Hong Kong                                                   | N/A                                                                                             | 10 | N/A                | N/A
10 | wrzhost.com         | USA -> Netherlands / Russia / Germany / Switzerland / Hong Kong                     | MoneyBookers, Liberty Reserve, PayPal, Payza                                                    | 9  | N/A                | N/A
11 | koddos.com          | Belize / Netherlands -> Netherlands                                                 | PayPal, Credit Card, Liberty Reserve, Perfectmoney, SolidTrustPay                               | 9  | N/A                | N/A
12 | prq.se              | Sweden                                                                              | PayPal, Credit Cards, Wire Transfer                                                             | 10 | N/A                | N/A
13 | hostingpanama.com   | Panama                                                                              | N/A                                                                                             | 8  | N/A                | N/A
14 | hostimvse.ru        | Romania / Russia -> Netherlands                                                     | All                                                                                             | 10 | Elcatel / Voxility | N/A
15 | uxar-host.ru        | Lithuania -> USA / Netherlands                                                      | All                                                                                             | 5  | N/A                | N/A
16 | bulletproof-web.ru  | Europe                                                                              | N/A                                                                                             | 10 | OVH / Hetzner      | N/A
17 | blackservers.org    | Russia -> Romania                                                                   | Webmoney, Qiwi, Bitcoin                                                                         | 25 | N/A                | N/A

Questions