Ukrainian Web Host of Malicious Programs Shutdown

A Web hosting service provider in Ukraine that was supporting an invasive and prolific group of malicious programs for long time has been shutdown after Security Fix abused the firm's ISP.

Security vendor McAfee said that since 2005, or maybe earlier, a company named UkrTeleGroup Ltd. has been hosting several hundred servers that control a large network of PCs infected with 'DNSChanger'. DNSChanger, according to the experts, is a Trojan that modifies the settings of the host computer so that all inbound and outbound Internet traffic of the infected PC is passed through the attackers' servers.

As per a McAfee report, the company identified over 400 DNS servers on the UkrTeleGroup network that seemed to be established to divert the Web traffic to and from systems infected with the DNSChanger or its variants. These servers can also divert the existing domain names towards servers supporting malicious phishing content, or towards servers that change existing content. Besides, the 400 servers are behind 10% of the whole IP series that include only DNS servers. It is believed that although the entire network is even bigger, all the servers within the series are not necessarily responding to DNS queries, McAfee's report notes.

According to security experts, the issue is extremely serious for computers using the malicious DNS servers in Ukraine. Such computers attempt to download updates from the "localhost" server, implying that the miscreants were successful in preventing access to critical patches. Once a malicious attacker controls the DNS settings, he could perform unlimited bad activities, McAfee said.

Meanwhile, following McAfee's warning, Miami-based FPL FiberNet LCC terminated a client when the company discovered it was providing Internet bandwidth to UkrTeleGroup. Notably, UkrTeleGroup has been using the same address space that a client of FPL FiberNet LCC was using.

Tim Fitzpatrick, Vice President of Corporate Communications, FPL Group, said that the company found UkrTeleGroup's activities going against its agreed terms. Consequently, the company informed its client that it was withdrawing its service, as reported by WashingtonPost on January 30, 2009.

Related article: Ukraine-based Server found Loaded with Personal Data

» SPAMfighter News - 2/15/2009