Bad Actors Part 6 - Eurohost LLC (aka UralNet?)

A funny thing happened the day after I posted my last article - the
UralNet IP block was removed from the global routing table.  I didn't
see any notifications in the press or on any network operations lists
(although I am not on any RIPE-specific listservs), so my suspicion
is that they are simply lying low for a bit.  I assume that if
they had their plug forcibly pulled then the responsible party would
want to be recognized (rightfully) for taking a step against
cyber-crime in the region.

Another reason why I believe they are lying low is
that an AS that had been dormant (unrouted) for months came back
online this week and immediately started hosting much of the malware
that used to be on UralNet.  They've only been back on the Bloc for a week, have
a mere /24 (256 IPs), don't have a corporate homepage, and yet,
already have quite a few criminal customers.
