Kneecapped malware host tries to rise again
InterCage (a.k.a., Atrivo), the network provider notoriously fingered as a major purveyor of malware, found its way back online after a days-long shutdown cheered by anti-malware and anti-spam activists.
Could pulling just one firm offline make a noticeable dent in the malware trafficking problem? That may depend on whether Sunday's move by former upstream provider Pacific Internet Exchange (PIE) to cut InterCage's connection makes an impression on owner Emil Kacperski.
Reports on Monday had the ISP's president and CEO bewailing his fate, saying, "I'm basically got to start all over." On Tuesday -- mission apparently accomplished -- a front page for the InterCage site turned up as a client of UnitedLayer Inc...but by late Wednesday, that page had vanished again. As of Wednesday evening, the site's status was uncertain, and representatives of UnitedLayer were unavailable for comment.
Why InterCage? As documented in a report undertaken by multiple anti-malware concerns and put together by HostExploit.com (PDF available here), the California firm sits at a bottleneck in the matrix of registrars, ISPs, and host services that do business with firms trading in botnets and similar unsavory wares.
The 40-page report, issued on August 28, summarizes InterCage's (Atrivo's) reputation bluntly: "A main conduit for financial scams, identity theft, spam and malware." Spamhaus, the anti-spam watchdog, is even more blunt in its own listing for InterCage's IP address: "Too much spam and crime -- routing must cease."
The numbers the report compiled were both hard and harsh. Looking at a sample 10% of Atrivo's 26,000 registered domains, the study mechanisms happened to scoop up 31 binaries -- all of which were known malware. The sample included 910 infected Web sites; 1,130 botnet command-and-control servers, and 7,340 links to malicious or simply fake "security" products, not including porn sites.
In addition, spam-incident reports at CastleCops say that Kacperski has been resistant to accepting and responding to spam complaints. HostExploit's writers snarked, "We have seen an earlier statement from Emil Kacperski on behalf of Atrivo stating, 'We will shut down and take offline any servers that have malicious software or causing harm to anyone. But of course we need proof that this is the case.' -- Well Emil we have the proof."
Kacperski had (unsurprisingly) strongly disputed the findings. But as a succession of upstream providers -- Bandcon, Global Networks, WVFiber -- dropped him in the wake of the report, he turned to PIE for transit services. PIE had only been providing those for a few days when Spamhaus added a block of that company's IP addresses to its famous blocklist; soon after, PIE lost its taste for InterCage's business.
Which suits the writers of the HostExploit report just fine. "It should be stressed such activities could not occur if commercial third parties or other organizations did not collaborate...Within a conventional criminal comparison, the supplier of the unregistered handgun used in a crime is also responsible for that crime."
So did malware propagation levels drop between Sunday morning -- specifically when PIE pulled the plug -- and Tuesday, when UnitedLayer stepped in? Preliminary reports are unclear. But any beneficial change may linger, if a chastened Kacperski holds to his promise to drop business relations with Esthost, the Eastern European Web host to which much of InterCage's problematic traffic has been linked.
A call to the number listed on the transitory InterCage/Atrivo page led to voice mail for, allegedly, Emil Kacperski, but at press time BetaNews had received no response or comment on the status of the service.