RBN - Farewell to EstDomains

In the wake of the demise of Atrivo we now see the demise of EstDomains by an emboldened ICANN.



Many have shown Estdomains et. al., as a source of domain registration badness and used by cyber criminals for many years. As recently described within the HostExploit.com report “Atrivo - Cyber Crime USA” Sunbelt Software , Spamhaus, to name a few, and followed up by The Washington Post by Brian Krebs “A Superlative Scam and Spam Site Registrar”



Ironically EstDomains has been trying to fight back with press releases such as “EstDomains, Inc Takes Next Step in Combating Spam and Malware” with them stating; “Once again EstDomains, Inc would like to address the interactive community and ask for co-operation to make the Internet clear and safe.”


However, even more relevant to the demise of EstDomains was the later Brian Krebs post “A Sordid History and a Storied CEO” relating to the EstDomains CEO Vladimir Tsastsin

As of today ICANN has issued a formal and we assume irrevocable, notice of termination – see fig 2 below:




The formal letter of termination is available for download from ICANN <here> is based on court records from Estonia.




Of course what will be interesting is what happens to the approximately 281,000 domain names under EstDomains’ management. All registrations sponsored by EstDomains will be transferred to an ICANN-Accredited Registrar in accordance with ICANN’s “De-accredited Registrar Transition Procedure”. ICANN goes on to say “It is ICANN's goal to protect registrants’ from unnecessary harm and we look forward to amicably resolving any domain name transition issues that may arise from this termination.”



Hopefully this does demonstrate an emboldened ICANN which has recently become besieged on security issues, is listening to the community. Perhaps we could persuade ICANN to allow the Internet security community to provide solid advice which of these domains is abusive before any transfer is made?


RBN - Russian Cyberwar on Georgia: Report

"In August 2008, cyberwar associated with the Russian Federation struck once more, this time against Georgia. The DDoS attacks began in the weeks running up to the outbreak of the Russian invasion and continued after the Kremlin announced that it had ceased hostilities on August 12th."


This excerpt is from the 29 page report available for download from HostExploit.com or georgiaupdate.gov.ge this is probably the most thorough analysis available on the cyberwarfare related to Georgia.



Concerning RBN (Russian Business Network)



"The individual, with direct responsibility for carrying out the cyber "first strike" on Georgia, is a RBN operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrey Smirnov. These
men are leaders of RBN sections and are not "script-kiddies" or "hacktivists," as some have maintained of the cyber attacks on Georgia – but senior operatives in positions of responsibility with vast background knowledge.



Intelligence can suggest further information about these individual cyber-terrorists. According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22, clearly showing professional planning and not merely ‘hacktivism.’ Due to the degree of professionalism and the required massive costs to run such operations, a state-sponsor is suspected. Further information gathered also links the RBN to known disruptive websites.



• The IP addresses of the range, 79.135.160.0/19 are assigned to Sistemnet Telecom to provide services to companies who are classified as engaging in illicit activities such as credit card fraud, malware and so on.



• 79.135.160.0/19 Sistemnet Telecom and AS9121 TTNet (Turkey) are associated with AbdAllah_Internet which is linked with cybercrime hosting such as thecanadianmeds.com. These are known Russian Business Network routes. "



The puzzle of StopGeorgia.ru = follow the rabbit?


To add to the report, and shed light on the ongoing puzzle of the attack site StopGeorgia.ru (click on diagrams to enlarge):







Figure 1 - The IP route diagram route for StopGeorgia.ru (note: steadyhoster.com)



Figure 2. - The IP route diagram for SteadyHoster.com (note: for both fig1 /2 74.86.81.232.infomart.reverse.dnska.com)


Protect Details, Inc - (privatecontact@protectdetails.com)
29 Kompozitorov st. Saint Petersburg, 194358 RU







Figure 3. - Welcome to London GB, the IP route diagram for InnovativeITsolutions.com - actual home of 'StopGeorgia.ru' - AKA; dnska.com reseller for AS36351 SOFTLAYER Technologies


Innovation IT Solutions Corp.

Andrey Nesterenko(admin@mirhosting.com)

95 Wilton Road,

London,SW1V 1BZ,GB