Atrivo/Intercage's disconnection briefly disrupts spam levels




After years of operation, California-based ISP Atrivo/Intercage, a well-known Russian Business Network darling, faced the music and was disconnected from the Internet by its upstream provider at the end of September. According to MessageLabs's latest intelligence report, the result was a brief decline in spam, because malware-infected hosts could no longer reach the ISP's netblock. Logically, within the next couple of days Intercage's customers switched the hosting locations of their botnets' command-and-control servers, and cybercrime activity quickly got back to normal:

"Charged with providing a safe-haven for online scammers, cyber crooks and malware distributors, California-based ISP Intercage (aka Atrivo) was disconnected from the internet on September 20. Pacific Internet Exchange, Intercage’s upstream provider, terminated the service and after a few days, UnitedLayer, another service provider, agreed to host Intercage. But on September 25, after deciding Intercage still had too many on-going problems, UnitedLayer also terminated service.

It can be seen from the chart above that the botnet controllers are quick to respond to any degradation of their service, and can re-point their bots at a new command and control channel in a matter of days. Therefore MessageLabs expects this decline in spam to be short-lived, especially in anticipation of Halloween in October and Thanksgiving in the US in November, both of which are traditionally seasonal favorites for spammers."

What's particularly disturbing in Intercage's case is not just that it is a U.S.-based ISP, which undermines the "lack of international cybercrime cooperation" excuse for not shutting it down earlier, but also that ATRIVO/Intercage's uptime is a great example of how marginal thinking, combined with the relatively long average time it takes to shut such providers down, still keeps their business in the game. How come? Over the past year, ATRIVO/Intercage has had 10 different Internet service providers, so, contrary to the common wisdom that being on the run is supposed to make your job harder, it doesn't really matter: the average time ATRIVO remains online seems to exceed its customers' own averages:

"The following graph shows that Atrivo has had 10 different Internet providers over the past year. The number of Renesys peers selecting each provider is shown over time. Most providers didn't stick around for long, but a few like WV Fiber (AS 19151) did hang in there for much of the year. For a couple of days recently, Atrivo had zero providers and were hence effectively out of business, but then United Layer (AS 23342) became their latest — and currently only — provider. We'll see how long this lasts and if others step up to provide Atrivo with some redundancy. Of course, those who are convinced Atrivo is up to no good can simply block access to their IP addresses (prefixes) as they have a relatively modest allocation."
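The Renesys note ends with the one measure that does not depend on which upstream Atrivo picks next: blocking its prefixes, which stay the same no matter who announces them. The snippet below is an added defender-side example, not code from Danchev's post or from Renesys. The prefixes are RFC 5737 documentation ranges standing in for a provider's "relatively modest allocation" (the article does not list the real ones), and the connection log lines are constructed; `build_blocklist` aggregates adjacent prefixes before matching, and `find_blocked_connections` is the hypothetical check you would run over firewall or NetFlow exports.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed blocklist: RFC 5737 documentation ranges, not a real provider's
# allocation. Two adjacent /25s are included to show aggregation.
BLOCKED_PREFIXES = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the one above; collapses into a /24
    "203.0.113.0/24",
]

def build_blocklist(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse prefixes and merge adjacent/overlapping ones into the fewest networks."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def is_blocked(ip: str, blocklist: List[ipaddress.IPv4Network]) -> bool:
    """True when the address falls inside any blocked prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)

# Constructed log lines: timestamp, source, destination, destination port.
# An infected internal host beaconing to a blocked netblock shows up as an
# outbound connection whose destination matches the blocklist.
SAMPLE_LOG = """\
2008-09-21T10:00:01 10.1.1.5 192.0.2.44 80
2008-09-21T10:00:03 10.1.1.7 93.184.216.34 443
2008-09-21T10:00:05 10.1.1.5 198.51.100.200 8080
2008-09-21T10:00:09 10.1.1.9 203.0.113.9 25
2008-09-21T10:00:11 10.1.1.7 203.0.114.1 80
"""

def find_blocked_connections(log_text: str,
                             blocklist: List[ipaddress.IPv4Network]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for every connection to a blocked prefix."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port = line.split()
        if is_blocked(dst, blocklist):
            hits.append((ts, src, dst))
    return hits

if __name__ == "__main__":
    bl = build_blocklist(BLOCKED_PREFIXES)
    for net in bl:
        print("blocking", net)
    for ts, src, dst in find_blocked_connections(SAMPLE_LOG, bl):
        print(f"{ts} {src} -> {dst} (blocked netblock)")
```

Note that 203.0.114.1 is one address past the last blocked /24 and is correctly left alone; prefix matching, unlike AS-based filtering, keeps working when the provider re-homes the same space under a new upstream AS, which is exactly the behaviour Renesys describes.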

Do bullet-proof, cybercrime-friendly providers have a future? Naturally, since simple market forces are going to keep both fronts busy for years to come. With ATRIVO/Intercage now shut down, what's next? The lesson for the bad guys is that it's about time they started taking advantage of basic OPSEC (operational security) processes, such as decentralizing their networks and extending the lifecycle of their customers' cybercrime activities through fast-fluxing. The bottom line: even though Intercage remains offline, the concepts of cybercrime content hosting, and the Russian Business Network as a franchise, are always going to be there.
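Fast-flux hosting, the decentralization step the paragraph above expects the bad guys to adopt, leaves a signature on the defender's side: one name resolving to many unrelated addresses with short TTLs. The following is an added example, not code from the original post; it profiles constructed passive-DNS style records and flags names that match that pattern. The records, the addresses (RFC 1918 and documentation ranges) and the thresholds `min_ips`, `min_nets` and `max_ttl` are all assumptions made for the example. It goes slightly beyond the text by including a CDN-like look-alike (many IPs inside one /24) to show why counting distinct networks, not just distinct addresses, matters.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver records: (seconds offset, queried name, answered IP, TTL).
# flux.example  : many addresses in unrelated /24s, short TTL (the flux pattern)
# static.example: one host, long TTL (ordinary site)
# cdn.example   : rotates quickly but inside a single /24 (benign look-alike)
SAMPLE_RESOLUTIONS: List[Tuple[int, str, str, int]] = [
    (0,    "flux.example",   "10.0.1.10",    300),
    (300,  "flux.example",   "10.0.2.11",    300),
    (600,  "flux.example",   "172.16.5.3",   300),
    (900,  "flux.example",   "192.168.7.8",  300),
    (1200, "flux.example",   "10.9.9.9",     300),
    (1500, "flux.example",   "172.16.8.1",   300),
    (0,    "static.example", "192.0.2.10",   3600),
    (1800, "static.example", "192.0.2.10",   3600),
    (0,    "cdn.example",    "203.0.113.10", 60),
    (60,   "cdn.example",    "203.0.113.11", 60),
    (120,  "cdn.example",    "203.0.113.12", 60),
    (180,  "cdn.example",    "203.0.113.13", 60),
    (240,  "cdn.example",    "203.0.113.14", 60),
    (300,  "cdn.example",    "203.0.113.15", 60),
]

def profile_domains(records) -> Dict[str, Dict[str, int]]:
    """Per name: distinct answered IPs, distinct /24s they fall in, lowest TTL seen."""
    ips = defaultdict(set)
    nets = defaultdict(set)
    min_ttl: Dict[str, int] = {}
    for _ts, qname, ip, ttl in records:
        ips[qname].add(ip)
        # /24 is a coarse stand-in for "different network"; an ASN lookup would be better
        nets[qname].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        min_ttl[qname] = min(ttl, min_ttl.get(qname, ttl))
    return {
        q: {"distinct_ips": len(ips[q]),
            "distinct_nets": len(nets[q]),
            "min_ttl": min_ttl[q]}
        for q in ips
    }

def flag_fast_flux(profiles: Dict[str, Dict[str, int]],
                   min_ips: int = 5, min_nets: int = 3, max_ttl: int = 600) -> List[str]:
    """Flag names spread across many addresses in many networks with TTLs short
    enough to swap them within minutes. Thresholds are assumed, not from the article."""
    return sorted(
        q for q, p in profiles.items()
        if p["distinct_ips"] >= min_ips
        and p["distinct_nets"] >= min_nets
        and p["min_ttl"] <= max_ttl
    )

if __name__ == "__main__":
    profiles = profile_domains(SAMPLE_RESOLUTIONS)
    for name, p in profiles.items():
        print(name, p)
    print("fast-flux candidates:", flag_fast_flux(profiles))
```

The address-count rule alone would flag `cdn.example` as well as `flux.example`; requiring the answers to spread across several networks is what separates the two, and in production the /24 proxy should be replaced with an ASN or prefix-origin lookup so that a provider with a single modest allocation, like the one in this story, is not mistaken for a distributed network.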


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

9 comments
  • Whose side are you on? (nt)

    nt = no text
    CobraA1
    • Whose side are you on? (nt)

      On the objective one.
      ddanchev
      • Objective?

        I dunno, it sounds to me like you're:

        a) Giving them advice on what to do next

        and

        b) Telling the rest of us how useless it is to fight them

        "objective"?
        CobraA1
        • Re: Objective?

          a) they are not that desperate to take "tips" from the community. Fast-fluxing is the natural evolution of this type of hosting service, and managed fast-flux hosting providers are already starting to emerge. As for decentralization, it's been happening ever since the RBN's centralized network went dark

          b) how exactly were "you" fighting them in the first place? Fighting them is not useless in general; certain approaches are, however, useless in the long term but easy to appreciate in the short term. They are not going away, and neither is the community/industry. Try using "real life" crime as an analogy
          ddanchev
          • Well . . .

            "Fighting them is not useless in general, certain approaches are however, useless in the long-term, but easy to appreciate in the short-term."

            Well, I recently nailed a long-term solution against comment spam in one of my blogs. The latest versions of WordPress are more flexible and give more options. Basically, everybody needs to register now and I'm using reCaptcha, which so far has shown itself to be more effective than other types of captcha. In addition, registrations have to confirm their email and I personally have to approve them. So far, zero spammers have made it through.

            I think we can eventually do a nearly perfect job protecting against the automated attacks that are common today. Sure, a few may still get through, but I'm confident we can make them rare enough that it's not profitable.

            We don't need to stop every spam ever sent (this part is impossible) - we just need to make it rare enough that it's not profitable (I think this part is entirely possible).
            CobraA1
          • Are you an idiot, or do you just play one on the internet

            a)

            So because 1 or 2 spammers have figured it out, they ALL have?

            Sorry, I agree with the other commenter -- you're giving the less clued-in spammers advice on how to minimize their downtime.
            akulkis
  • RE: Atrivo/Intercage's disconnection briefly disrupts spam levels

    The technology is already available to disregard spam. If it is used at a large scale, soon enough spammers will give up. Here is the link. Try it out:
    http://exclusive-email.sedfasoft.com
    Exclusive-Email