Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
Hello Mark,
It really seems YOU _DID_ miss the memo. I think that since no one else is responding to your nonsense, there is no reason for me to either.
If you have something accurate to say, I'll be happy to listen. Until then, there's not much I can say. There's no sense in repeating myself. --- Russell Mitchell
InterCage, Inc.
----- Original Message ---- From: Mark Foo <mark.foo.dog@gmail.com> To: Russell Mitchell <russm2k8@yahoo.com> Cc: Bruce Williams <williams.bruce@gmail.com>; Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net> Sent: Wednesday, September 24, 2008 12:27:50 AM Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
Russell:
Ferg was just being coy -- what you don't understand is there are about 3 other security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law Enforcement might not take action against you (but appear to be interested now), but the community can. GET OFF THE NET WITH YOUR MALWARE!
You mistake me for someone who believes your pack of lies! Don't you understand each time you post to this list gives those of us who know the opportunity to post MORE EVIDENCE of your MALWARE?
You disconnected Hostfresh and think that's the extent of your crimes? Gimme a break. Only those who are easily socially engineered would believe your pathetic claims of innocence. You've BEEN HOSTING MALWARE since 2003 -- SEE Nanog post:
Re: The in-your-face hijacking example http://www.irbs.net/internet/nanog/0305/0038.html
Let me know if there's anything else you'd like me to state to the public.
Answer Ferg's question -- Why are you moving to CERNAL? Do you think this is going to work? That's just another of Emil's networks.
We're on a rocky road right now. But it IS starting to smooth out.
That's just the calm before the storm.
Go ahead and post a response to each of these allegations:
Cybercrime's US Hosts http://www.spamhaus.org/news.lasso?article=636
Report Slams U.S. Host as Major Source of Badware http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as...
A Superlative Scam and Spam Site Registrar http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss...
ICANN cast as online scam enabler http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/
'Malware-friendly' Intercage back with the living http://www.theregister.co.uk/2008/09/24/intercage_back_online/
On Tue, Sep 23, 2008 at 11:50 PM, Russell Mitchell <russm2k8@yahoo.com> wrote:
Hello John Doe,
I welcome any further comments you have. We have to get past people such as yourself, and your blasphemous and false statements.
This is the same issue with the recent media and self-proclaimed "Security Researchers". Fly-by-night mind you.
To help you out in your claims: Yes, we did house a client who had quite a run with their clients from various locations, such as Russia. That client is no longer hosted on our network. I myself spent all of Monday afternoon, night, and Tuesday morning shutting off EVERY machine they had leased in our Billing System. I'm currently working to scan further and see if there's anything I may have missed.
Yes, Russia is very well known for virus and malware writers.
Yes, we have had issues with malware distribution from our network. This was directly and near singularly related to the former client of ours. We did have another client, Hostfresh, who had their share of malware issues.
Both have been completely and effectively removed. The servers leased to both of them have been canceled, and their machines have been shut off.
Let me know if there's anything else you'd like me to state to the public. We're on a rocky road right now. But it IS starting to smooth out.
Thank you for your time. Have a great day. --- Russell Mitchell
InterCage, Inc.
----- Original Message ---- From: Mark Foo <mark.foo.dog@gmail.com> To: Bruce Williams <williams.bruce@gmail.com> Cc: Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net> Sent: Tuesday, September 23, 2008 11:08:21 PM Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
NANOG:
Look, the people posting here who are trashing Intercage are pure security analysts -- they know and understand the evil that is Intercage. STOP TRYING TO ASSIST INTERCAGE -- you are effectively aiding and abetting the enemy.
Intercage/Atrivo hosts the malware c&c botnets that DDoS your systems and networks.
Intercage/Atrivo hosts the spyware that compromises your users' passwords.
Intercage/Atrivo hosts the adware that slows your customers' machines.
Don't take my word for it, DO YOUR OWN RESEARCH: http://www.google.com/search?hl=en&q=intercage+malware
You don't get called the ***American RBN*** for hosting a couple bad machines. They have and will continue to host much of the malware pumped out of America. THEY ARE NOT YOUR COMRADES.
These people represent the most HIGHLY ORGANIZED CRIME you will ever come across. Most people were afraid to speak out against them until this recent ground swell.
This is the MALWARE CARTEL. GET THE PICTURE?
Many links have been posted here that prove this already -- instead of asking what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT-- because there are NONE.
I would suggest a different Step 1. Instead of killing power, simply isolate the affected machine. This might be as simple as putting up a firewall rule or two, if it is simply sending outgoing SMTP spam, or it's probably easiest (depending on the network gear of course) to just put the lan port into an isolated VLAN. It's not the 100% solution (some badness rm's itself once it loses connectivity to the internets) but it'd make things simpler for the client/LEA when they need to figure out what happened.
-chris
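The isolate-don't-power-off step chris describes, as an added example that is not code from the thread: a small POSIX shell function that prints an iptables ruleset quarantining a compromised host at a Linux gateway. It assumes the host's traffic passes through the gateway's FORWARD chain; the addresses, the chain name and the function name are this example's own, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: print an iptables ruleset that
# isolates a compromised host at a Linux gateway instead of powering it off,
# so processes, memory and open sockets survive for the client/LEA to examine.
# Assumptions (not from the thread): the gateway forwards the host's traffic
# through its FORWARD chain; every address below is hypothetical.
#
# Usage: quarantine_rules HOST_IP COLLECTOR_IP [smtp|full]
#   smtp  block only outbound TCP/25 (the "just sending spam" case)
#   full  block everything except traffic to and from a forensics collector
# Rules are printed, not applied: review them, then pipe the output to sh.
quarantine_rules() {
    host=$1
    collector=$2
    mode=${3:-full}
    # One chain per host keeps the rules ordered and easy to remove later
    # (-D FORWARD ... -j "$chain"; -F "$chain"; -X "$chain"). Chain names
    # must be under 29 characters; "QUAR_" plus a dotted quad always fits.
    chain="QUAR_$(printf '%s' "$host" | tr '.' '_')"

    case $mode in
        smtp|full) ;;
        *) echo "quarantine_rules: unknown mode '$mode'" >&2; return 1 ;;
    esac

    printf 'iptables -N %s\n' "$chain"
    if [ "$mode" = full ]; then
        # The collector may reach the host (e.g. SSH) and images may flow back out.
        printf 'iptables -A %s -s %s -d %s -j ACCEPT\n' "$chain" "$host" "$collector"
        printf 'iptables -A %s -s %s -d %s -j ACCEPT\n' "$chain" "$collector" "$host"
    fi
    # Log what the host keeps trying to reach; that log is evidence in itself.
    printf 'iptables -A %s -j LOG --log-prefix "QUARANTINE %s "\n' "$chain" "$host"
    # DROP rather than REJECT: a silently hanging connection looks like a flaky
    # network to the malware, which is less likely to trigger a self-delete than
    # an immediate "connection refused".
    printf 'iptables -A %s -j DROP\n' "$chain"

    # Jump into the chain from position 1 of FORWARD so no earlier ACCEPT wins.
    if [ "$mode" = smtp ]; then
        printf 'iptables -I FORWARD 1 -s %s -p tcp --dport 25 -j %s\n' "$host" "$chain"
    else
        printf 'iptables -I FORWARD 1 -s %s -j %s\n' "$host" "$chain"
        printf 'iptables -I FORWARD 1 -d %s -j %s\n' "$host" "$chain"
    fi
}

# Example run: spam-only isolation of a hypothetical host.
quarantine_rules 10.0.0.5 10.0.0.250 smtp
```

The smtp mode is the minimal cut chris mentions; full mode is what you want once you suspect a C&C or anything beyond a spam cannon, and it still leaves a path for a collector to pull memory and disk before anything is rebooted. The self-removal caveat in the message is why the chain uses DROP and not REJECT.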
Russell: Oh I got the memo, you'll be getting served one soon too. I just wonder why you don't consider playing both sides of the fence -- with your knowledge of who's who in the cyber crime field, you could probably get paid more as an informant (either to LEO or one of the "Intel" companies) than whatever you're doing for Emil and (allegedly) the RBN. You can't possibly sleep well knowing what you're up to now so I figure it's the money that motivates you. Or, maybe you don't really know anyone, you just respond to their demands and they end up with all the money, pr0n chicks, etc. Doesn't that bother you -- don't you want more? Plus, no one would know you were pulling two pay checks -- you manage systems on one side and pass info to the other. It's actually fairly simple -- maybe you already know this ;). If not, please explain this:
http://www.spamhaus.org/news.lasso?article=636
Without exception, all of the major security organizations on the Internet agree that the 'Home' of cybercrime in the western world is a firm known as Atrivo/Intercage, based in California. We ourselves have not come to this conclusion lightly but from many years of dealing with criminal operations hosted by Atrivo/Intercage, gangs of cybercriminals - mostly Russian and East European but with several US online crime gangs as well - whose activities always lead back to servers run by Atrivo/Intercage. We have lost count of the times we have tracked a major virus botnet's "command and control" to Atrivo/Intercage servers, readers can view here some of the current and historic SBL records for Atrivo for a taste of what has been happening in this network. At almost every Internet security conference, or law enforcement seminar on cyber-crime, a presentation will detail some attack, exploit, phish or financial crime that has some nexus at Atrivo/Intercage.
The person who runs Atrivo/Intercage, Emil Kacperski is an expert at playing the "surprised janitor", unaware of every new criminal enterprise found on his servers and keen to show he gets rid of some criminals once their activities on his network are exposed. His Internet hosting career first came to the attention of most anti-abuse organizations when he pinched (or 'purchased stolen goods' as he put it) and routed an unused block of 65,536 IP addresses belonging to the County of Los Angeles. Spamhaus has dealt with over 350 incidents of cyber-crime hosting on Atrivo/Intercage and its related networks in the last 3 years alone, all of which involved criminal operations such as malware, virus spreaders and botnet command and control servers. Malware found by Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few months included the Storm Worm installer and controller and a MySpace spambot amongst others. Spamhaus currently sees a large amount of activity related to malicious software and exploits being hosted on Atrivo/Intercage which include DNS hijack malware, IFRAME browser attacks, dialers, pirated software websites and blatantly criminal services. We assume that every law enforcement agency with a cyber-crimes division has a dossier bursting at the seams on Atrivo/Intercage and its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only question on everyone's mind is which agency will beat the others to shutting the whole place down and indicting the people behind it. Because if shut down, one thing is certain: the amount of malware-driven crime on the Internet would drop overnight as cyber-criminals rush to find a new crime-friendly host - difficult to find in the US, as Atrivo/Intercage is one of the very few remaining dedicated crime hosting firms whose customer base is composed almost, or perhaps entirely, of criminal gangs. 
More importantly, millions of Internet users currently being targeted by the malware gangs operating from Atrivo/Intercage will be, for a while, safer.
Perhaps one may be wondering about the costs of hosting at Atrivo/Intercage or how to sign up? Well, don't expect to find this information at the company's websites as they were empty for years and for the last year have just shown "Website Coming Soon."
http://www.atrivo.com => "InterCage, Inc. INTENSE SERVERS. Website Coming Soon:" Last Updated: Thursday, September 06, 2007 4:32:59 PM
http://www.intercage.com => "InterCage, Inc. INTENSE SERVERS. Website Coming Soon:" Tuesday, September 04, 2007 6:45:52 PM
At one time after being asked, "how on earth does your company get business?" an Atrivo/Intercage representative coyly said, "by word of mouth." That seems to be quite obvious.
On Wed, Sep 24, 2008 at 12:45 AM, Russell Mitchell <russm2k8@yahoo.com> wrote:
Russell,
Thanks to the efforts of the people on this list, you've known Estdomains/Esthost was bad news for several weeks or more. Why are you only now shutting them down?
Thank you for proving that our research was not for naught, and that Atrivo/Intercage is a black hat operation which needs to be permanently disconnected from the Internet at all costs.
Drive Slow,
Paul Wall
Hi!
Thanks to the efforts of the people on this list, you've known Estdomains/Esthost was bad news for several weeks or more.
[root@control ~]# dig estdomains.com

; <<>> DiG 9.5.0-P2 <<>> estdomains.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2970
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;estdomains.com.                IN      A

;; ANSWER SECTION:
estdomains.com.         86400   IN      A       94.102.49.3

inetnum:        94.102.48.0 - 94.102.63.255
netname:        NL-ECATEL-20080829
descr:          Ecatel LTD
country:        NL
org:            ORG-EL38-RIPE
admin-c:        RvE16-RIPE
tech-c:         RvE16-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      ECATEL-MNT
mnt-routes:     ECATEL-MNT
source:         RIPE # Filtered

person:         Reinier van Eeden
address:        Archangelkade 1-3
address:        1013 BE Amsterdam
mnt-by:         IQARUS-MNT
e-mail:         r.eeden@nl.iqarus.com
phone:          +31 64 607 11 12
nic-hdl:        RvE16-RIPE
source:         RIPE # Filtered

The same guys were hosting several ROKSO spammers in 2006 already. This smells badly!
Earlier this year they had also this one (also ROKSO) http://www.spamhaus.org/sbl/sbl.lasso?query=SBL65783
The company that Reinier was with was called Icarus earlier, does that ring a bell? 3 of the top 10 ROKSO spammers were hosted there. This is more than just a normal shining.
bye,
Raymond.
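The dig-then-whois step in Raymond's message, scripted as an added example that is not code from the thread: a POSIX shell function that takes the address a domain resolved to plus a saved RIPE whois response and reports the inetnum allocation and netname containing it, so the same check can be run over a list of domains. The sample whois text is the record quoted above, embedded so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: given an address a domain resolved to
# and a saved RIPE whois response, report the inetnum allocation and netname that
# contains it, so the dig -> whois -> "whose network is this?" step can be run
# over a list of domains instead of read by eye. The sample below is the record
# quoted in the thread; live data would come from  whois -h whois.ripe.net -- "$ip"
# (no network access is needed to run this). Function names are this example's own.

# Dotted quad -> 32-bit integer, so address ranges compare numerically.
# The body is a subshell so the IFS change does not leak to the caller.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# allocation_for IP   (whois text on stdin)
# Prints "START - END NETNAME" for the inetnum object containing IP; returns 1
# if none does. RIPE objects are "key: value" lines ending with a "source:" line.
allocation_for() {
    want=$(ip2int "$1")
    start=; end=; netname=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in *:*) ;; *) continue ;; esac     # skip blanks and comments
        key=${line%%:*}
        val=${line#*:}
        while [ "${val# }" != "$val" ]; do val=${val# }; done   # trim leading spaces
        case $key in
            inetnum) start=${val%% - *}; end=${val##* - }; netname= ;;
            netname) netname=$val ;;
            source)
                # Last attribute of an object: test the range collected so far.
                if [ -n "$start" ] \
                   && [ "$want" -ge "$(ip2int "$start")" ] \
                   && [ "$want" -le "$(ip2int "$end")" ]; then
                    printf '%s - %s %s\n' "$start" "$end" "$netname"
                    return 0
                fi
                start=; end=; netname=
                ;;
        esac
    done
    return 1
}

# Constructed sample: the RIPE record quoted in the thread (contact details trimmed).
SAMPLE_WHOIS='inetnum:        94.102.48.0 - 94.102.63.255
netname:        NL-ECATEL-20080829
descr:          Ecatel LTD
country:        NL
org:            ORG-EL38-RIPE
admin-c:        RvE16-RIPE
tech-c:         RvE16-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      ECATEL-MNT
mnt-routes:     ECATEL-MNT
source:         RIPE # Filtered

person:         Reinier van Eeden
nic-hdl:        RvE16-RIPE
source:         RIPE # Filtered'

# The address the dig in the thread returned for estdomains.com:
printf '%s\n' "$SAMPLE_WHOIS" | allocation_for 94.102.49.3
```

The netname is the handle to carry on to the next step (SBL/ROKSO lookups, or a local list of hosters you have already had trouble with); matching on the allocation rather than the single address catches the neighbour machines the same customer will move to.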
On Wed, Sep 24, 2008 at 04:19:16AM -0400, Paul Wall wrote:
Thanks to the efforts of the people on this list, you've known Estdomains/Esthost was bad news for several weeks or more.
Why are you only now shutting them down?
"several weeks"? Try "several years". And do note the rationale (below) for the refusal to shut them down.
From Russ@Atrivo.com Sun Sep 4 13:58:23 EDT 2005
Newsgroups: news.admin.net-abuse.blocklisting
From: Russ@Atrivo.com
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators <moderators@blocklisting.com>
Injection-Info: f14g2000cwb.googlegroups.com; posting-host=69.107.73.156; posting-account=2w8xwQ0AAADzda9cIvAir5JUpndTEjLg
Nntp-Posting-Date: Fri, 2 Sep 2005 17:48:03 +0000 (UTC)
Nntp-Posting-Host: 69.107.73.156
X-Http-Useragent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322),gzip(gfe),gzip(gfe)
Organization: http://groups.google.com
Message-ID: <1125683278.320264.138150@f14g2000cwb.googlegroups.com>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com> <11hgs71j941hs0a@corp.supernews.com>
X-Trace: posting.google.com 1125683283 16154 127.0.0.1 (2 Sep 2005 17:48:03 GMT)
Date: Fri, 2 Sep 2005 19:51:13 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Hello fhh,
There is no "network of esthost". The network in which Esthost resides is our network. Esthost is one of our larger clients, They are very successful in the industry of web hosting and domain registration. They just recently became an ICANN Accredited Registrar. I won't comment on "why" they're so successful... But for some, that may be obvious.
I believe an investigation by law enforcement is a very corrective step... That would definitely clean Esthost up.
I can honestly say, there are 2 of our major clients who are very successful... and with both of those comes occasional abuse. On one, it's the occasional spam via exploit. The other... Esthost... Well... A lot worse abuse than just spam.
One of the things I find quite ridiculous is people have taken all of our business emails from whois etc, and placed them in spam runs. How stupid can you get?... Honestly! You have never received a spam email that came from our business servers... Our clients (like EVERY other company's clients) do get the abuse of spam from their servers. For all of our clients (esthost aside)... This is not very often. We can't please everyone. We try... But when you have to go through and work with a client like esthost who doesn't quite take abuse too seriously... and the only other thing you can do is null their client's server.... it's hard to get a "correct" action taken. The correct action on any intentional spammer is to be immediately removed. As well as intentional virii distributors. This is seen with iframecash.biz... We took reports from P Thompson and demanded their removal... That appeared to be resolved... and then they pop up again.
If I had the ability... I would cut Esthost as a client... But, in doing so, it causes nearly a quarter if not half of the company's monthly revenue to be cut. That is not too good of a move nor reasonably possible ;)
People consider Atrivo/InterCage to be some abuse supporting company... If only any of you knew what the position would be in a company our size.
It's not as easy as you believe it to be ;)
Thank you for your time. Have a great day.
-- Russell Mitchell - Russ[at]Atrivo.com Atrivo Technologies
participants (5)
- Mark Foo
- Paul Wall
- Raymond Dijkxhoorn
- Rich Kulawiec
- Russell Mitchell