Thursday, 21 October 2010

Evil network: DG Holding SIA / ALTNET-LV AS41390 (195.3.144.0/22)

DG Holding SIA / ALTNET-LV is another evil network, and it's no surprise to see that it is in Latvia. The 195.3.144.0/22 block hosts sites involved in hacking, malware distribution, MLM scams, fake goods and porn, plus a number of ZeuS C&C servers.

There are a small number of legitimate customers in this block, but they mostly cater for Latvian users only. If you are outside of Latvia, then very little will be lost by blocking this entire /22 (195.3.144.0 - 195.3.147.255).

There's a listing of domains, IPs and MyWOT ratings here [csv] if you want to probe more deeply and avoid blocking the handful of legitimate sites. Otherwise, I would recommend blocking the lot.
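As an added example (not part of the original post), the following Python shows one way to act on the recommendation above: expand the /22 to its first and last address, keep an exception list for the handful of legitimate hosts, and emit firewall rules in which the exceptions are added before the drop so they take precedence. The address in ALLOWED_HOSTS and the firewall log lines are constructed placeholders; the post's CSV of legitimate sites is not reproduced here.

```python
import ipaddress
from typing import Iterable

# The block the post recommends dropping (195.3.144.0 - 195.3.147.255).
BLOCKED_NETS = [ipaddress.ip_network("195.3.144.0/22")]

# Constructed placeholder exception list. The real legitimate hosts would come
# from the post's CSV; this address is illustrative only.
ALLOWED_HOSTS = {ipaddress.ip_address("195.3.145.10")}


def cidr_bounds(net: ipaddress.IPv4Network) -> tuple[str, str]:
    """Return the first and last address covered by a CIDR block."""
    return str(net.network_address), str(net.broadcast_address)


def verdict(ip_str: str) -> str:
    """Classify a source address: 'allow' (listed exception), 'block'
    (inside a blocked range) or 'pass' (not covered by the policy)."""
    ip = ipaddress.ip_address(ip_str)
    if ip in ALLOWED_HOSTS:
        return "allow"
    if any(ip in net for net in BLOCKED_NETS):
        return "block"
    return "pass"


def iptables_rules() -> list[str]:
    """Build iptables commands. ACCEPT rules for exceptions are appended
    first so they match before the broad DROP on the whole /22."""
    rules = [f"iptables -A INPUT -s {host} -j ACCEPT" for host in sorted(ALLOWED_HOSTS)]
    rules += [f"iptables -A INPUT -s {net} -j DROP" for net in BLOCKED_NETS]
    return rules


def triage(log_lines: Iterable[str]) -> dict[str, str]:
    """Map each SRC= address found in netfilter-style log lines to its verdict,
    which is a quick way to see what a block on the /22 would have caught."""
    results: dict[str, str] = {}
    for line in log_lines:
        for token in line.split():
            if token.startswith("SRC="):
                src = token[len("SRC="):]
                results[src] = verdict(src)
    return results


# Constructed sample log lines in the kernel netfilter LOG format.
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT= SRC=195.3.146.200 DST=10.0.0.5 PROTO=TCP DPT=80",
    "kernel: IN=eth0 OUT= SRC=195.3.145.10 DST=10.0.0.5 PROTO=TCP DPT=443",
    "kernel: IN=eth0 OUT= SRC=195.3.148.1 DST=10.0.0.5 PROTO=TCP DPT=22",
]

if __name__ == "__main__":
    print("range:", cidr_bounds(BLOCKED_NETS[0]))
    for rule in iptables_rules():
        print(rule)
    for src, decision in triage(SAMPLE_LOG).items():
        print(f"{src:16} {decision}")
```

Rule order is the part people get wrong: with `-A` the exception rules must be appended before the DROP, otherwise the /22 drop matches first and the legitimate hosts are cut off anyway.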

6 comments:

Thomas said...

Hello!
I happen to be CTO at altnet.lv, so it seems that it's me in charge there. So, let me say a couple of words. We, basically, are a co-location provider, not a hosting provider, so we (until recent days) did not check what happens inside hosted/co-located boxes. What we did care about was connectivity and flawless work of hardware - the job that most datacenters do. We reacted on abuse reports, warned our clients, they had content cleaned up, and so far it seemed that everything was OK. However, it seems now that such actions have "paid off" in some of our users actually reselling service to spammers/abusers and migrating abusive content from one site to another.
We really value what the internet was intended to be, and are against any cybercrime, so be generous, and drop a line to our abuse(at)altnet(dot)lv. From now on we try to look closer on various report sites; however, we do not want to miss something out, so please report if you spot something bad. We will get that cleaned up and get rid of the (ab)user.
you've got my word.

Raitis Nugumanovs, Altnet.lv CTO.

p.s. just in case something urgent happens - I can be contacted by email - raitis at altnet dot lv (no mail harvesting here!) and by voice - + 371 two double 7 eight double 9 double 6 (go away, number-hungry robots!). Take care, and thanks for reading.

Agnieszka said...

Conrad, appreciate your findings; they are very useful. However, I wonder about a cause. Do you guys (Conrad, Thomas) have any ideas about such a concentration of malicious stuff within Latvian netspace? Could it be due to a permissive ISP attitude?

Conrad Longmore said...

@Agnieszka

There is a concentration of bad stuff in Latvian IP ranges, although those ranges are fragmented and it is quite difficult to get an overall picture.

The people behind it are almost definitely Russian. There seems to be a pattern of using facilities that are physically close to Russia but not actually in the country, because as soon as anything goes cross-jurisdictional it gets more difficult for law enforcement.

The guys at altnet.lv deserve a second chance; I will rescan the IP range when I can.

Agnieszka said...

It's interesting. Could you please post some data showing such a pattern? Do you have any idea in which way physical nearness of infrastructure could be beneficial for cybercrime actors, especially taking into account Latvia's quite small territory?

nobody said...

Good day!

Please remove the name of our company from the topic header, as we are not connected to this AS anymore. The current end user of the resource is the company "RN Data SIA", which has operated these resources since January. As information about our company is causing trouble with our client relationships, we will be glad to assist with any requested information to remove this information (about the company name).

With regards, Alexander from DG.

Conrad Longmore said...

But you were running it at the time, weren't you Alexander? Those malware sites were there on your watch.