A hosting provider known for serving malicious content was taken down recently, disrupting some botnet operations, including those tied to the notorious Zeus Trojan.
The upstream provider for the crimeware host, RUNNET.ru, has de-peered Russia-based Volgahost. The action disallows any new uploads from botnet command-and-control servers to zombie machines, wrote Jart Armin, an analyst for HostExploit, a research firm that focuses on Internet hosts and registrars. Volgahost went offline as of January 17, Armin wrote.
Data compiled by stopbadware.org shows the number of reported URLs hosted by Volgahost rose sharply and steadily between Jan. 24, 2010 and July 21, 2010. Afterward, the number leveled off at somewhere just under 500.
Security professionals are uniquely aware of Volgahost. It garnered attention for providing crimeware-hosting servers and has been a target of researchers for some time. In Q4 of 2010, it jumped into the top spot on HostExploit's "Bad Hosts" list. The two quarters prior to attaining the number one spot, Volgahost ranked third on the list, and prior to that, it was no stranger to the top 50.
"VolgaHost is well known to HostExploit," Armin wrote. "It topped our ranking of 'Bad Hosts' for the 4th quarter of 2010, having been ranked third in the two previous quarters."
Armin said it seems to be part of a larger effort to de-peer many of the known, previously "bulletproof," crimeware hosts. As reported by SearchSecurity.com, the Pushdo/Cutwall (Pushdo) botnet was the target of researchers from LastLine Inc. the previous summer.
In August, researchers attempted to bring down the Pushdo botnet by taking out its command-and-control servers. They sought to cripple the malware and phishing distribution system by eliminating its ability to receive instructions. Unfortunately, the researchers were only partially effective. They were able to take down approximately 20 of the 30 command-and-control servers.
"This is a major step in the ongoing fight against botnet hosting and cybercrime as the world's worst host, VolgaHost, and other associated crime servers, have disappeared," Armin wrote.