Maxim Goncharov, BPHS (pac_sec)
2015 Maxim Goncharov [email protected]
BPHS: bullet proof hosting services
Criminal Hideouts for Lease: Bulletproof Hosting Services
What is BPHS?
Hardware, VPS
Any type of content: C2, Spam, Adult, DMCA, SEO, Drop
Russia, Panama
Infrastructure of BPHS?
Attacker -> BPHS -> Victim (target)
BPHS Categorisation
CAT 1: Done on purpose
CAT 2: Stolen credentials
CAT 3: Violating the terms of service
CAT 1: Done on purpose
They know what they're doing
Describe what they do not do
Explain geographical specification
All types of activities
CAT 2: Stolen credentials
Bruteforce
Proxy malicious traffic
SEO activities
Drop zones
Types of Activities?
Fake
DMCA
Torrents
SEO
VPN
Bruteforce
SPAM
Malware Dropzone
Exploit
C2
Child Pornography
BPHS Toxic levels (activities as listed on the slide)
Fake
DMCA
Torrents
SEO
VPN
Bruteforce
SPAM
Malware Dropzone
Exploit
C2
Child Pornography
Some BPHS operational details
Types of ads on the forums: legitimate search engine ads, underground forums

Some BPHS operational details
Support at BPHS: ICQ, Jabber, Javascript, 24/7

Some BPHS operational details
Hide Real IP: White Hat services, Multi Level Proxy protection
Political/Regional specifications.
“We do not accept/allow on our servers child pornography and projects which can cause damage to the Russian Federation / Ukraine / Belorussia. We also will not be happy if our IP addresses appear too often in the blacklists of Spamhaus. Violation of these two rules can cause permanent interruption of the services you rent from us. All other activities not mentioned are allowed.”
Child Pornography no go, but…
Location decided by sales/support
Host anything
No attacks on RU or UA
Radware
Cacti/Zabbix
Out of the box configuration for: Zeus, Citadel, Carberp

“We hold absolutely every type of content if we are hosting in Ukraine.”
BPHS Classification: randservers
Toxic Level: T1
Category: CAT1
GEO Loc: UA
GEO Act: GLOBAL
Price: $100/$300
Popularity: High
Longevity: 7 years
AS7643 VietNam Data Communication Company (VDC)
http://vinahost.vn/
algorithm #1
“Bad” site -> ASN -> Check malware with IP range -> CAT1 / CAT2 / CAT3 -> Conclusion

algorithm #2
“Bad” domain name -> Domain Name Registrar, Name Server, Reverse DNS, ASN
OVH Statistics
Unique IPs seen: 1.080.576
All IPs researched: 185.311
Botnet IPs seen: 1.238
OVH Statistics
Name of Botnet | IPs
c2 | 688
zeus | 185
asprox | 129
grum | 74
festi | 30
sality | 30
storm | 30
zeroaccess | 22
koobface | 10
bagle | 6
flame | 6
kelihos | 5
cutwail | 4
gumblar | 4
virut | 4
akbot | 2
bredolab | 2
mariposa | 2
nitol | 2
waledac | 2
lethic | 1
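The "check malware with IP range" step of algorithm #1 and the per-botnet count shown on the OVH slide, as an added example that is not part of the original deck: given the prefixes an AS announces and a feed of botnet sightings, it counts how many distinct addresses inside the AS were seen in botnet data and breaks them down by family. The prefixes, sightings and family names are constructed sample data, and the feed format (ip, family) is an assumption.

```python
import ipaddress

# Constructed sample data (not from the slides). Prefixes announced by an AS
# under review and botnet/C2 sightings (ip, family) from an assumed intel feed.
# 203.0.113.9 lies outside the AS and must be ignored.
AS_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]
SIGHTINGS = [
    ("192.0.2.10", "c2"), ("192.0.2.10", "zeus"), ("192.0.2.77", "c2"),
    ("198.51.100.5", "asprox"), ("203.0.113.9", "c2"),
]

def botnet_stats(prefixes, sightings):
    """Count botnet-related IPs inside the AS's address space.

    Returns the number of addresses researched, the distinct IPs seen in
    botnet data, their density, and a per-family breakdown like the
    'Name of Botnet / IPs' table on the OVH slide."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    researched = sum(n.num_addresses for n in nets)
    per_family = {}          # family -> set of distinct addresses
    bad_ips = set()
    for ip, family in sightings:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):   # only count hits inside the AS
            per_family.setdefault(family, set()).add(addr)
            bad_ips.add(addr)
    return {
        "ips_researched": researched,
        "botnet_ips_seen": len(bad_ips),
        "density": len(bad_ips) / researched,
        "per_family": {f: len(ips) for f, ips in per_family.items()},
    }

def top_families(stats):
    """Families ordered by IP count, most common first (ties by name)."""
    return sorted(stats["per_family"].items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    s = botnet_stats(AS_PREFIXES, SIGHTINGS)
    print(f"researched={s['ips_researched']} botnet_ips={s['botnet_ips_seen']} "
          f"density={s['density']:.4%}")
    for family, n in top_families(s):
        print(f"{family:<12}{n}")
```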
# | Provider | Location | Payment methods | (column 5, unlabelled on slide) | (column 6, unlabelled) | (column 7, unlabelled)
1 | ccihosting.com | Panama | Credit Card, PayPal, Bank Transfer, Liberty Reserve, Western Union | 5 | N/A | N/A
2 | goip.com | Belize -> Netherlands | PayPal, Skrill CC | 3 | Elcatel | internetbs.net
3 | webcare360.com | Pakistan / Romania | PayPal, Moneybookers, Payza (AlertPay) | 4 | N/A | N/A
4 | cinipac.com | Malaysia -> USA / Malaysia / Romania / Iceland | Paysafecard, Ukash, Liberty Reserve, Webmoney, Moneybookers, Bitcoin, Paypal, Cash by Post | 3 | N/A | N/A
5 | panamaserver.com | Panama | All | 10 | N/A | N/A
6 | katzglobal.com | US / Malaysia -> India / Malaysia / China / Hong Kong / Singapore / Australia / USA | All | 10 | N/A | N/A
7 | shinjiru.com | Malaysia -> Malaysia / Singapore / Netherlands / Luxembourg / Lithuania | Credit Card, Western Union, Paypal, Liberty Reserve, Wired Transfer, Mail Payment, Moneybookers | 6 | N/A | N/A
8 | offshorehosting.com | Hong Kong / Malaysia -> Hong Kong | N/A | 10 | N/A | N/A
10 | wrzhost.com | USA -> Netherlands / Russia / Germany / Switzerland / Hong Kong | MoneyBookers, Liberty Reserve, PayPal, Payza | 9 | N/A | N/A
11 | koddos.com | Belize / Netherlands -> Netherlands | PayPal, Credit Card, Liberty Reserve, Perfectmoney, SolidTrustPay | 9 | N/A | N/A
12 | prq.se | Sweden | PayPal, Credit Cards, Wiretransfer | 10 | N/A | N/A
13 | hostingpanama.com | Panama | N/A | 8 | N/A | N/A
14 | hostimvse.ru | Romania / Russia -> Netherlands | All | 10 | Elcatel / Voxility | N/A
15 | uxar-host.ru | Lithuania -> USA / Netherlands | All | 5 | N/A | N/A
16 | bulletproof-web.ru | Europe | N/A | 10 | OVH / Hetzner | N/A
17 | blackservers.org | Russia -> Romania | Webmoney, Qiwi, Bitcoin | 25 | N/A | N/A