vendredi 29 août 2008
Par Cedric Pernet le vendredi 29 août 2008, 17:34 - Cybercrime
The article is spreading Jart Armin's whitepaper about ATRIVO, a famous hosting company ... Well when I say "famous" I should say famous to fraudsters and computer security researchers.
The case is quite similar to the RBN case at the end of last year : a bulletproof hosting company, acting for years, suddenly gets in the spotlights. Several things have been said concerning RBN. Having studied the organisation for a while, I have to say some releases about RBN have been upsetting me. According to almost the whole security community, RBN had disappeared...Only to be spotted and mentionned everywhere for any fraudulent action taking place in the malware/phishing/fraud world. RBN has spread all worldwide malware, has done every phishing case, has hosted all illegal content worldwide, and has attacked Georgia... Crap.
It just seems that most researchers have simply forgotten one thing: RBN had customers. When RBN "died", I heard shouts that they had gone to "AbdAllah" host for example. I think that's totally untrue ; people noticed fraudulent domains had moved from ex-RBN to AbdAllah, and claimed it was a RBN move, which wasn't, in my opinion.
Instead, it was only a move from customers, from one bulletproof hoster to another.
Now Atrivo is "following" the RBN case, being shown as an evil host. Emil K, its founder, is declaring just like Tim Jaret did for RBN, that he is responding to the abuse requests. But he doesn't. He's quite following the same politic of communication than Jaret.
As for Jart's paper, I don't agree totally with him, thought I respect his work. I won't say more, and let you read his paper. What will Atrivo's future be, now that all eyes are on them ? Will they vanish just like RBN did ? Time will tell...
Edit: (2008-09-01) It seems that some people are reacting fast (speaking of GLBX). Read this excellent article from Jose Nazario.
Edit: (2008-09-05) An excellent investigation from Knujon about Directi can be read here. Excellent work.
Edit: (2008-09-08) It seems that everyone is running away from Atrivo :
Edit: (2008-09-09) Another striking article from Brian about EstDomains this time. Brian is very active recently against cybercrime hosting companies and registrar, and it seems to work fine. This shows us all the power of the press... But it shouldn't go too far, since it could ruin some LE investigations. I hope it will not be the case.
Update: (2008-09-15): EstDomains declares global war against malware... Can you really believe it ? Article here.
Update (2008-09-15): Thanks to Communautech for a nice french article here.
Update (2008-09-17): Gary Warner has done a great work, showing us a huge amount of domain names pointing to Intercage. Here is the result.
Update (2008-09-22): Atrivo seems to be down for the moment. link here and here.
Update (2008-09-22): Atrivo is back tonight. Some new peering appeared, as can be seen here:
Report for AS27595
INTERCAGE - InterCage, Inc.
AS Adjancency Report
In the context of this report "Upstream" indicates that there is an adjacent AS that lines between the BGP table collection point (in this case at AS2.0) and the specified AS. Similarly, "Downstream" refers to an adjacent AS that lies beyond the specified AS. This upstream / downstream categorisation is strictly a description relative topology, and should not be confused with provider / customer / peer inter-AS relationships.
27595 INTERCAGE - InterCage, Inc.
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS23342 UNITEDLAYER - Unitedlayer, Inc.
Thanks to cidr-report.org as usual for the info :-)