Atrivo bulletproof host thrown under the spots

A new article from the excellent Brian Krebs has been published today on the Washington Post.

The article is spreading Jart Armin's whitepaper about ATRIVO, a famous hosting company ... Well when I say "famous" I should say famous to fraudsters and computer security researchers.

The case is quite similar to the RBN case at the end of last year : a bulletproof hosting company, acting for years, suddenly gets in the spotlights. Several things have been said concerning RBN. Having studied the organisation for a while, I have to say some releases about RBN have been upsetting me. According to almost the whole security community, RBN had disappeared...Only to be spotted and mentionned everywhere for any fraudulent action taking place in the malware/phishing/fraud world. RBN has spread all worldwide malware, has done every phishing case, has hosted all illegal content worldwide, and has attacked Georgia... Crap.

It just seems that most researchers have simply forgotten one thing: RBN had customers. When RBN "died", I heard shouts that they had gone to "AbdAllah" host for example. I think that's totally untrue ; people noticed fraudulent domains had moved from ex-RBN to AbdAllah, and claimed it was a RBN move, which wasn't, in my opinion.
Instead, it was only a move from customers, from one bulletproof hoster to another.

Now Atrivo is "following" the RBN case, being shown as an evil host. Emil K, its founder, is declaring just like Tim Jaret did for RBN, that he is responding to the abuse requests. But he doesn't. He's quite following the same politic of communication than Jaret.

As for Jart's paper, I don't agree totally with him, thought I respect his work. I won't say more, and let you read his paper. What will Atrivo's future be, now that all eyes are on them ? Will they vanish just like RBN did ? Time will tell...

Edit: (2008-09-01) It seems that some people are reacting fast (speaking of GLBX). Read this excellent article from Jose Nazario.
Edit: (2008-09-05) An excellent investigation from Knujon about Directi can be read here. Excellent work.
Edit: (2008-09-08) It seems that everyone is running away from Atrivo :
http://sunbeltblog.blogspot.com/2008/09/more-interesting-atrivointercageestdoma.html
http://voices.washingtonpost.com/securityfix/2008/09/scam-heavy_us_isp_grows_more_i.html
Edit: (2008-09-09) Another striking article from Brian about EstDomains this time. Brian is very active recently against cybercrime hosting companies and registrar, and it seems to work fine. This shows us all the power of the press... But it shouldn't go too far, since it could ruin some LE investigations. I hope it will not be the case.

Update: (2008-09-15): EstDomains declares global war against malware... Can you really believe it ? Article here.

Update (2008-09-15): Thanks to Communautech for a nice french article here.

Update (2008-09-17): Gary Warner has done a great work, showing us a huge amount of domain names pointing to Intercage. Here is the result.
Update (2008-09-22): Atrivo seems to be down for the moment. link here and here.
Update (2008-09-22): Atrivo is back tonight. Some new peering appeared, as can be seen here:

Report for AS27595
Name
INTERCAGE - InterCage, Inc.
AS Adjancency Report
In the context of this report "Upstream" indicates that there is an adjacent AS that lines between the BGP table collection point (in this case at AS2.0) and the specified AS. Similarly, "Downstream" refers to an adjacent AS that lies beyond the specified AS. This upstream / downstream categorisation is strictly a description relative topology, and should not be confused with provider / customer / peer inter-AS relationships.
27595 INTERCAGE - InterCage, Inc.
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS23342 UNITEDLAYER - Unitedlayer, Inc.

Thanks to cidr-report.org as usual for the info :-)

Commentaires

1. Le dimanche 7 septembre 2008, 09:57 par Bruno Kerouanton

Thanks for your watching and commenting at such information, I admit I don't have the time to follow those RBN and other bulletproof hosters closely, so I enjoy your feedback.
Are there any similar companies in Switzerland ?!

2. Le lundi 8 septembre 2008, 14:11 par Cédric Pernet

Thank you Bruno. I never heard of any bulletproof hosting company in Switzerland, but it doesn't mean there are none ... I never studied swiss law concerning such matters, therefore I really have no idea ...

3. Le jeudi 11 septembre 2008, 18:08 par Vincent

Hi Cédric,

Thanks for your article.

That sounds like the case about China. After the US agencies, China is now supposed to be behind any cyber attack on the US information system...

Regarding the visibility of RBN, do you believe that it is just because of media hype, or do some fraudsters have interests in pointing RBN as a scapegoat ?

4. Le vendredi 12 septembre 2008, 15:00 par Cédric Pernet

@ Vincent : Thank you. Seeing how quickly it has been done, I think RBN had prepared their disappearance, and were about to move when all the buzz around them started. I don't think fraudsters had interest in pointing RBN as you say. Some fraudulent competitor could have had such interest, but I doubt it's been the case.

Ajouter un commentaire

Le code HTML est affiché comme du texte et les adresses web sont automatiquement transformées.

Fil des commentaires de ce billet