Maxim Goncharov, BPHS pac_sec

2015 Maxim Goncharov [email protected]

BPHSMaxim Goncharov

bullet proof hosting services

CriminalHideoutsforLeaseBulletproofHos4ngServices


2

What is BPHS?

Hardware VPS

Any type of content

С2 Spam Adult DMCA SEO Drop

mailto:[email protected]


Germany

3

Infrastructure of BPHS?

Attacker Victime



RussiaPanama

4

Infrastructure of BPHS?

Attacker Victime

BPHS Target



5

BPHS Categorisation

CAT 1 CAT 2 CAT 3



6

BPHS Categorisation

Done on purpose

Stolen credentials

Violating the terms of service

CAT 1

CAT 2

CAT 3



7

They know what they’re doing

Describe what they do not doing

Explain geographical specification

All types of activities

Done on purposeCAT 1



8

Bruteforce

proxy malicious traffic

SEO activities

Drop zones

Stolen credentialsCAT 2



9

CAT 2 Stolen credentials



10

CAT 3 Violating the terms of service



11

BPHS advertising

SEO



12



13

BPHS advertising

Dedicated

VPN



14



15

BPHS advertising

DMCA

Digital Millennium Copyright Act



16

BPHS advertising

Digital Millennium Copyright Act



17



18

BPHS advertising

C2

my.Galkahost.com



19



20

BPHS advertising

SPAM

spamz.ru



21



22

Types of Activities?

Fake

DMCA

Torrents

SEO

VPN

Brutforce

SPAM

Malware Dropzone

Exploit

C2

Child Pornography



23

BPHS Toxic levels

Fake

DMCA

Torrents

SEO

VPN

Brutforce

SPAM

Malware Dropzone

Exploit

C2

Child Pornography



24

Some BPHS operational details

Types of ads on the forums

Legitimate search engine ads

underground forums



25


Support at BPHS

ICQ

Jabber

Javascript

24/7



26


DDoS mitigation at BPHS



27


Hide Real IP

White Hat services

Multi Level Proxy protection



28

Political/Regional specifications.

“We do not accept/allow on our servers child pornography and projects which can cause damage to Russian Federation / Ukraine / Belorussia. We also will not be happy in case of our IP addresses will appear to often in Blacklists of Spamhaus. Violation of these two rules can cause permanent interruption in the services you rent from us. All other activities not mentioned - are allowed.”



29

Use Case



30



31



32

Child Pornography no go, but…

Location decided by sales/support

Host anything

No Attacks on RU or UA

Radware

Cacti/Zabbix

Out of the box configuration for:

Zeus

Citadel

Carberp



33



34

nickname sosweet



35

randservers.comrandservers.com



36



37

randservers

sosweet



38



39



We hold absolute every type of content if we hosting in Ukraine



43

randservers

BPHS Classification

Toxic Level T1

Category CAT1

GEO Loc UA

GEO Act GLOBAL

Price $100/$300

Popularity High

Longevity 7 years



44

Detection



45



46



47

AS7643VietNam Data Communication Company (VDC)

http://vinahost.vn/



48



49



50

“Bad” site

ASN

Check Malware with IP range

CAT1 CAT2 CAT3

Conclusion

algorithm #1



51

Domain Name Registrar

ASN

Reverse DNS

“Bad” domain name

Name Server

algorithm #2



52

OVH Statistics

Unique IPs seen All IPs researched

Botnet IPs seen

1.080.576185.311

1.238



53

OVH Statistics



54

c2 zeus asproxgrum festi salitystorm zeroaccess koobfacebagle flame kelihoscutwail gumblar virutakbot bredolab mariposanitol waledac lethic

Name of Botnet IPsc2 688

zeus 185asprox 129

grum 74festi 30

sality 30storm 30

zeroaccess 22koobface 10

bagle 6flame 6

kelihos 5cutwail 4

gumblar 4virut 4

akbot 2bredolab 2mariposa 2

nitol 2waledac 2

lethic 1

OVH Statistics



55

1 ccihosting.com Panama Credit Card, PayPal, Bank Transfer, Liberty Reserve, Western Union

5 N/A N/A

2 goip.com Beliz -> Netherlands PayPal, Skrill CC 3 Elcatel internetbs.net

3 webcare360.com Pakistan / Romaina PayPal, Moneybookers, Payza (AlertPay)

4 N/A N/A

4 cinipac.com Malaysia -> USA / Malaysia / Romania / Iceland Paysafecard, Ukash, Liberty Reserve, Webmoney, Moneybookers, Bitcoin, Paypal, Cash by Post

3 N/A N/A

5 panamaserver.com Panama All 10 N/A N/A

6 katzglobal.com US / Malaysia -> India / Malaysia / China / Hong Kong / Singapore / Australia / USA

All 10 N/A N/A

7 shinjiru.com Malaysia -> Malaysia / Singapore / Netherlands / Luxembourg / Lithuania

Credit Card, Western Union, Paypal, Liberty Reserve, Wired Transfer, Mail Payment, Moneybookers

6 N/A N/A

8 offshorehosting.com Hong Kong / Malaysia -> Hong Kong N/A 10 N/A N/A

10 wrzhost.com USA-> Netherlands / Russia / Germany / Switzerland / Hong Kong

MoneyBookers, Liberty Reserve, PayPal, Payza

9 N/A N/A

11 koddos.com Belize / Netherlands -> Netherlands PayPal, Credit Card, Liberty Reserve, Perfectmoney, SolidTrustPay

9 N/A N/A

12 prq.se Sweden PayPal, Credit Cards, Wiretransfer

10 N/A N/A

13 hostingpanama.com Panama N/A 8 N/A N/A

14 hostimvse.ru Romania / Russia -> Netherlands All 10 Elcatel / Voxility N/A

15 uxar-host.ru Litva -> USA / NEtherlands All 5 N/A N/A

16 bulletproof-web.ru Europe N/A 10 OVH / Hetzner N/A

17 blackservers.org Russia -> Romania Webmoney Qiwi Bitcoin 25 N/A N/A


http://ccihosting.com

http://goip.com

http://shinjiru.com

http://wrzhost.com

http://prq.se

http://hostingpanama.com

http://hostimvse.ru

http://uxar-host.ru


56

Questions


Maxim Goncharov, BPHS pac_sec

Internet

Transcript of Maxim Goncharov, BPHS pac_sec