Winter is raging throughout Europe, but Russian fraudsters find it rather "cool".

Indeed, the "coolwinter.ru" domain name was recently registered to serve as a command and control server for a ZeuS trojan horse variant. The pirate, nicknamed "Foxtrot", advertises his services (bulletproof hosting and domain registration, XRumer reselling, etc.) on various well-known Russian underground forums and through websites such as www.foxtrot1.biz. Rather small prey for law enforcement. The ZeuS malware itself is not very interesting either: the standard banks are targeted, AV detection is medium, and there are a few hundred infected machines at the most.

But this domain's name servers (ns1 and ns2.bestofthehost.com) host almost 100% illicit content (rogue AV software, fake pharmacies, HYIP, malware propagation and C&C, etc.) using Baltconn's IP addresses. Baltconn is a recent Internet provider, based in Latvia, that gets its connectivity through a few upstream network providers such as GBLX (Global Crossing). This name sounded familiar to my ears: GBLX indeed provided connectivity to Atrivo/Intercage and McColo in the past. Last year they pulled the plug on these bulletproof hosting providers when reports of their fraudulent behavior became public.

The facts are still insufficient to determine whether Baltconn is a lax provider or simply a heavily abused one. But abuse reports sent by email to baltconn.lv obviously won't go very far, as that domain name expired last October.

We might be able to ask CERT NIC Latvia their opinion on this company when we meet them during the next joint FIRST and TERENA TF-CSIRT meeting they host in Riga in a few days.