After links to cybercrime, Latvian ISP is cut off

A Latvian ISP linked to online criminal activity has been cut off from the Internet, following complaints from Internet security researchers.

Real Host, based in Riga, Latvia was thought to control command-and-control servers for infected botnet PCs, and had been linked to phishing sites, Web sites that launched attack code at visitors and were also home to malicious "rogue" antivirus products, according to a researcher using the pseudonym Jart Armin, who works on the Hostexploit.com Web site. "This is maybe one of the top European centers of crap," he said in an e-mail interview.

"It was a cesspool of criminal activity," said Paul Ferguson a researcher with Trend Micro.

The ISP was disconnected from the Internet by its upstream provider, Junik, on Monday, after its provider, TeliaSonera told it to stop servicing Real Host or face sanctions Armin said.

Real Host was considered a "bullet proof" hosting provider, that would allow customers to remain online even after they had been linked to malicious activity. It had been linked to the Zeus botnet-making software.

This isn't the first time this type of hosting provider has been knocked offline. In the past year, at least three U.S. ISPs: Atrivo, McColo and 3FN have been unplugged after security researchers built cases against them. Atrivo and McColo were also taken offline by their upstream providers. 3FN was shut down by the U.S. Federal Trade Commission.

But according to Armin, this may be the "first time an international group has achieved this across borders and in Eastern Europe."

In the past, these takedowns have had a serious affect on spam. And while some observers reported a noticeable drop in spam over the weekend, security experts say that this was probably not attributable to the Real Host takedown.

Observers expect to see the criminal activity linked to Real Host resume soon, but they say that the takedown puts some pressure on the bad guys and the networks that provide service to them. "The precedent that's being set right now is that you need to take some responsibility for your network," said Lawrence Baldwin, owner of security research firm Mynetwatchman. "There actually are some consequences now for allowing an obviously heavy concentration of criminal activity on your networks. It's just not going to be accepted anymore."

The IDG News Service is a Network World affiliate.