Re: [anti-abuse-wg] Fwd: Re: botnet controllers
This statement is simply not correct to put it mildly! When we contacted you regarding C2 of Netwire malware you replied and I quote:

"To make long things short: Because we have no logs, there isn't much we can do in order to solve this case."

Tonu
CERT-EE

On 10.07.2020 13:07, i...@fos-vpn.org wrote:
> To answer your last question: If we receive a valid abuse report i.e.
> from a CERT we temporarily close the regarding Port on the particular IP.
> If the customer then starts to complain we send him a copy of the
> report and point out that another violation of our ToS will result in
> a termination of the account without a prior warning and without the
> option of a refund.
Re: [anti-abuse-wg] Fwd: Re: botnet controllers
>In message <20b290b5003cafb91745b7db6d31c...@fos-vpn.org>, info@fos-vpn.org writes

[various message about abuse issues around VPNs without logging]

In message , Richard Clayton writes

>I can understand the attractions to you of that business model.

List readers may be interested in what I found when I decided to have a look at the "fos-vpn" website (I find that it is invariably interesting to see what people actually publish in T etc)

http://www.fos-vpn.org redirects to torservers.net (where there is lots to read, so anyone interested can have a look).

However https://www.fos-vpn.org does not redirect to the same website! (easy mistake to make) instead it serves up the website codevest.sh (which appears also to be known as codevest.to).

There's not a whole lot on the codevest website to explain what it is about, however some Googling will reveal that it is a licensing system widely advertised on HackForums (a well-known gathering place for all sorts of hackers, both good and bad ... you may have heard of it as the place where the Mirai source code was first published).

I leave it to the reader to explore HackForums, but to save you a bit of time the PaloAltoNetworks Unit42 people had this to say about codevest in October 2019, in their review (if that's the right word) of "Blackremote" an expensive RAT (remote access trojan) being sold by a Swedish actor:

Blackremote utilizes the third-party "CodeVEST" licensing system, also peddled on underground forums. The licensing system validates by connecting to codevest[.]sh. "CodeVEST" seems to take the place of "Netseal" as a registration service used by commodity malware. The author of "Netseal", Taylor Huddleston, was charged in 2017 for that operation together with the sale of his own commodity malware, "Nanocore RAT." The same person who offers the "Codevest" licensing service, also profits from a crypting service "Cyber Seal".

This highlights the role in the commodity malware ecosystem of not only the malware sellers, but also service providers such as the licensing services they use, and the crypting services they purchase to avoid detection of the malware that they build.

I found that fascinating, but cannot vouch for its accuracy except to say that I have a high regard for Unit42.

--
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
Re: [anti-abuse-wg] Fwd: Re: botnet controllers
So you're ignoring abuse reports from other network operators?

Or do you mean that you view reports from a CERT as being the only type of report you'll take seriously?

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com
https://blacknight.blog / http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
---
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

On 10/07/2020, 11:04, "anti-abuse-wg on behalf of i...@fos-vpn.org" wrote:

> To answer your last question: If we receive a valid abuse report i.e.
> from a CERT we temporarily close the regarding Port on the particular IP.
> If the customer then starts to complain we send him a copy of the
> report and point out that another violation of our ToS will result in
> a termination of the account without a prior warning and without the
> option of a refund.
Re: [anti-abuse-wg] Fwd: Re: botnet controllers
In message <20b290b5003cafb91745b7db6d31c...@fos-vpn.org>, info@fos-vpn.org writes

>To answer your last question: If we receive a valid abuse report i.e.
>from a CERT we temporarily close the regarding Port on the particular
>IP.

For clarity (and I appreciate that English is probably not your first language...) do you mean "i.e." (the only abuse reports you consider to be valid are from CERTs) or did you actually mean "e.g." (an example of the sort of entity that sends valid abuse reports).

Also .. by "close the regarding Port" do I take it that you mean that you block outgoing traffic (of a particular type) to a particular IP or do you mean you block all outgoing traffic (for example, all tcp/25) ?

>If the customer then starts to complain we send him a copy of the report
>and point out that another violation of our ToS will result in a
>termination of the account without a prior warning and without the
>option of a refund.

Since, as I understand it, you keep no record of what customers do, you are effectively describing a system for preventing complaints from customers (viz: a customer who reports to you on two occasions that their activity has been the subject of a valid abuse complaint will be terminated).

I can understand the attractions to you of that business model.

--
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
[anti-abuse-wg] New on RIPE Labs: Help to Understand Secure Email Around the Globe
Dear colleagues,

Olamide Omolola and Tobias Fiebig are studying the degree to which email systems are configured securely. And they need your help: they want to receive emails from as many different mail providers around the world as possible.

You can find more details in this RIPE Labs article:
https://labs.ripe.net/Members/mirjam/help-to-understand-secure-email-around-the-globe

Kind regards,
Mirjam Kühne
RIPE Labs Editor
Re: [anti-abuse-wg] Fwd: Re: botnet controllers
To answer your last question: If we receive a valid abuse report i.e. from a CERT we temporarily close the regarding Port on the particular IP. If the customer then starts to complain we send him a copy of the report and point out that another violation of our ToS will result in a termination of the account without a prior warning and without the option of a refund.
Re: [anti-abuse-wg] Fwd: Re: botnet controllers
Yes we have:

Prohibited Activities

We prohibit the use of any of our services in any of the following ways:

* Spamming (e-mail, Usenet, message boards, etc.)
* Copyright, trademark, and patent infringement.
* Defamatory or abusive language
* IP Spoofing
* Illegal or unauthorized access to other computers or networks
* Distribution of Internet viruses, worms or other destructive activities
* Export control violations
* All other illegal activities