Originally Posted by
ipaq
They're also in jail now. Enjoy.
Last case I dealt with, it took ~24h (about 5 proxies) to get back to the C&C VM at a wholesale cloud hoster, which the idiot was paying for with his own credit card.
Then it was a matter of getting the paper work to tap his Cable connection and monitor him going to the VM. And ding. 5y in jail.
In this case, mostly West European mafia types renting their South American botnets. I actually got a sample, on Monday, of an AAAA DNS exploit intended for dnsmasq, which is very popular in unpatched routers (both cable/DSL) in places like Brazil.
And the source of the C&C program was downloaded using tftp from an OVH VM, exactly like those nubs showed on CloudFlare.