Recently I mentioned ISPs hosting spyware and said "Everyone in the anti-spyware community knows who these ISPs are." Now we have a perfect example. It starts with a SANS post today recommending to unblock an IP range they previously recommended blocking.
Based on feedback from Intercage customers, we no longer recommend to block them. Please let us know if you see any problems from 184.108.40.206/19 and we will try to facilitate contact and a resolution.
SANS had previously posted:
I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:
InterCage Inc.: 220.127.116.11/19 (18.104.22.168 - 22.214.171.124)
Inhoster: 126.96.36.199/20 (188.8.131.52 - 184.108.40.206)
The list may be updated later. We do not expect to make this a "regular feature". But at this time we find that it is necessary to point out these particular two netblocks.
They have been associated with a number of high profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non-responsive to current and past requests to remove malicious content.
When I read the SANS update this morning, I shook my head. This afternoon, I saw that I wasn't alone in my thinking. SunbeltBLOG has posted screenshots of malware being downloaded from InterCage and Inhoster IP addresses. The screenshot of the domain at Inhoster shows a wmf file along with the system tray pop-up for a rogue anti-spyware program, like what we've seen with SpyAxe. There are some interesting comments on the blog post, notably one from Johannes Ullrich of SANS saying "This range appears to be more on 'auto pilot' than 'malicious on purpose'." My reply to that was it doesn't matter if the range is on auto pilot or malicious on purpose, the end result is the same for anyone with an unprotected computer. Boom!! Infected with spyware and malware. Apparently legitimate customers of the ISPs were complaining about being blocked. I see that like good people living in a bad neighborhood. If there are gang shootouts or drive-by shootings, the good guys will likely get hurt too eventually. If it were me, I'd get the hell out - out of the bad neighborhood or the rogue ISP/hosting company.
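The trade-off in that paragraph, blocking a whole netblock while carving out a vetted legitimate customer, is what a defender actually has to implement. The following is an added example, not code from the original post or from SANS: it takes the two netblocks quoted above exactly as printed (they are not on a network boundary, so `strict=False` normalises them), a hypothetical single-host exception, and constructed web-server log lines, and reports which source addresses would be blocked.

```python
import ipaddress

# Netblocks quoted from the SANS post above. As printed they are host
# addresses, not network addresses, so strict=False rounds them down
# to the enclosing /19 and /20.
BLOCKED = [
    ipaddress.ip_network("220.127.116.11/19", strict=False),  # InterCage Inc.
    ipaddress.ip_network("126.96.36.199/20", strict=False),   # Inhoster
]
# Hypothetical exception (assumption, not from the page): one vetted
# customer host inside the InterCage range, allowed after manual review.
ALLOWED = [ipaddress.ip_network("220.127.100.1/32")]


def verdict(ip_str):
    """Return 'allow', 'block' or 'pass' for one source address.

    Longest matching prefix wins, so a /32 in ALLOWED overrides the
    wider /19 in BLOCKED; addresses in neither list simply pass.
    """
    ip = ipaddress.ip_address(ip_str)
    candidates = [(n, "block") for n in BLOCKED] + [(n, "allow") for n in ALLOWED]
    best = None  # (prefixlen, action)
    for net, action in candidates:
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, action)
    return best[1] if best else "pass"


def scan_log(lines):
    """Return [(ip, verdict)] for every common-log-format line whose
    client address falls inside a listed netblock."""
    hits = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        try:
            v = verdict(ip)
        except ValueError:
            continue  # malformed or non-IP first field, skip the line
        if v != "pass":
            hits.append((ip, v))
    return hits


# Constructed sample log lines (not taken from the page).
SAMPLE_LOG = [
    '220.127.100.1 - - [01/Jan/2006:10:00:00 +0000] "GET / HTTP/1.0" 200 512',
    '220.127.101.7 - - [01/Jan/2006:10:00:01 +0000] "GET / HTTP/1.0" 200 512',
    '126.96.40.9 - - [01/Jan/2006:10:00:02 +0000] "GET / HTTP/1.0" 200 100',
    '192.0.2.10 - - [01/Jan/2006:10:00:03 +0000] "GET / HTTP/1.0" 200 100',
]
```

Run over `SAMPLE_LOG`, the exception host is reported as allowed while the other two addresses inside the quoted ranges are blocked, and the outside address is not listed at all.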
Andrew Clover of Doxdesk.com, well known for his parasite list, left a comment. Andrew has been tracking spyware, malware and the pushers for years now, before a lot of us heard about spyware. He wrote:
Atrivo/Intercage do have *some* legitimate customers, and they can be very vocal. But the sheer quantity of abuse in their netblock, from exploits to fraud to KP to spam of all forms, outweighs the legit material by a mile IMO.
And it's no accident: they are unresponsive to complaints, and have admitted they won't can Esthost - their biggest customer, CWS epicentre and #1 blackhat host in the world - despite being aware of the immense abuse they are responsible for.
The other block listed by SANS, 'Inhoster', appears to be the same company as Esthost - as are Critical Internet, Estdomains and Web-Namez. This netblock also used to be Atrivo's; it's not clear to me whether that block is operated by Esthost themselves or by Atrivo for Esthost.
Blocking single domain names is barely feasible any more: there are thousands to block and more new ones all the time. I consider blocking entire netblocks operated by Esthost and Atrivo a very reasonable and measured move.
Andrew mentions other companies like Pilosoft and Netcathost but they will be the subject of another blog. So what about InterCage, formerly Atrivo or Atrivo Technologies? A quick Google search turns up hits like this one.
And, in fact, that up to half of Atrivo's income is dependent on criminal activities, and that Atrivo knowingly (if passively) permits that criminal activity to continue.
That's not an admission calculated to inspire trust. You have another job lined up someplace, Russ? I'd say the final nail is now in Atrivo's coffin.
The fine folks at esthost/atrivo are hosting a web site which distributes a variation of the W32/Apher.AE69-tr trojan at hxxp://24-7-search.com/12.hta then same URL cmdexe.exe.
Anyway, the author thoughtfully included a web bug in the hta file so that he, and consequently we, can watch the hits come in on his lovely little baby.
There are complaints about spam, blog comment spam and even wiki spam from InterCage/Atrivo. Webhelper lists some 200 to 300, maybe more, known CoolWebSearch domains hosted on InterCage IPs, domain names that are so disgusting I wouldn't post them here. Interestingly enough, forum members at Webhostingtalk.com speak highly of InterCage and its owner, Emil Kacperski.
Atrivo is the best place to get a server. Excellent Support, no downtimes ..
We work with Emil extensively and he is a super cool guy.
I don't know about that. I've personally checked a number of domains on InterCage IPs and got hit with spyware through exploits. InterCage.com has no visible information on their website, just a blank white page, and InterCage.net is parked at GoDaddy, as is InterCage.biz. The whois info shows the same registrant and lists the contact as Emil Kacperski for all three domains.