NEWS FROM THE LAB - Wednesday, October 29, 2008

Case EstDomains Posted by Mikko @ 14:45 GMT

EstDomains is a domain registrar operating from Estonia. They've been on our map for years as they've been the largest registrar used by online criminals for their domain name registration needs.

Yesterday we received good news.

ICANN has (finally!) pulled the plug on EstDomains, and is removing EstDomains from the list of ICANN-accredited registrars.

See below for the official letter.

EstDomains Letter

We probably first ran into EstDomains in 2005, when investigating the infamous WMF vulnerability. Initially the main site distributing malicious WMF files, unionseek.com, was registered via this new Estonian registrar.

Since then, tens of thousands of malicious domains have been registered with EstDomains. These include drive-by-download sites, botnet command-and-control servers, spammed domains and so on.

example of a malicious domain

Many of the recent fake antivirus tools as well as rogue codecs have been running via EstDomains.

In fact, EstDomains is among the largest registrars in the world and they've registered over 280,000 domains. Not all of them are bad, of course. But a big part of them are.

The EstDomains operation is run by Mr. Vladimir Tšaštšin, from the EstDomains office in downtown Tartu.

Lai, Tartu, Tartumaa 51005, Estonia

Vladimir Tšaštšin (aka "SCR") was sentenced earlier this year to six months of jail for credit card fraud, money laundering, and related charges.

image copyright Maris Ojasuu, Äripäev

Mr. Tšaštšin is also the CEO and largest owner of Rove Digital. Rove generates revenues of several million Euros a year, as shown in this listing of TOP Estonian IT companies by the Äripäev magazine:

And EstDomains is just a small part of a larger picture, outlined here by the researchers at Hostexploit.com.

For more on Atrivo and EstDomains, see this article at Security Fix.

Thank you ICANN, for doing the right thing.