Atrivo/Intercage’s disconnection briefly disrupts spam levels

Atrivo Intercage BotnetsAfter years of operation, California based ISP Atrivo/Intercage, a well known Russian Business Network darling, faced the music and was disconnected from the Internet by its upstream provider at the end of September. What happened according to MessageLabs’s latest intelligence report, was a brief decline of spam due to the fact that the malware infected hosts couldn’t reach the ISP’s netblock. Logically, within the next couple of days Intercage’s customers quickly switched hosting locations of their botnet’s command and control servers, and cybercrime activity quickly got back to normal :

“Charged with providing a safe-haven for online scammers, cyber crooks and malware distributors, California-based ISP Intercage (aka Atrivo) was disconnected from the internet on September 20. Pacific Internet Exchange, Intercage’s upstream provider, terminated the service and after a few days, UnitedLayer, another service provider, agreed to host Intercage. But on September 25, after deciding Intercage still had too many on-going problems, UnitedLayer also terminated service.

It can be seen from the chart above that the botnet controllers are quick to respond to any degradation of their service, and can re-point their bots at a new command and control channel in a matter of days. Therefore MessageLabs expects this decline in spam to be short-lived, especially in anticipation of Halloween in October and Thanksgiving in the US in November, both of which are traditionally seasonal favorites for spammers.”

What’s particularly disturbing in Intercage’s case is not just the fact that it’s a U.S based ISP undermining the “lack of international cybercrime cooperation” excuse for not shutting it down earlier, but also, the fact that ATRIVO/Intercage’s uptime is a great example of how marginal thinking and relatively high average time it takes to shut them down, is nonetheless still keeping their business in the game. How come? For the past year, ATRIVO/Intercage has had 10 different Internet Service Providers, so controversially to the common wisdom that being on the run is supposed to make your job harder, it doesn’t really matters as the average time for ATRIVO to remain online seems to be above their customers’ averages :

“The following graph shows that Atrivo has had 10 different Internet providers over the past year. The number of Renesys peers selecting each provider is shown over time. Most providers didn’t stick around for long, but a few like WV Fiber (AS 19151) did hang in there for much of the year. For a couple of days recently, Atrivo had zero providers and were hence effectively out of business, but then United Layer (AS 23342) became their latest — and currently only — provider. We’ll see how long this lasts and if others step up to provide Atrivo with some redundancy. Of course, those who are convinced Atrivo is up to no good can simply block access to their IP addresses (prefixes) as they have a relatively modest allocation.”

Do bullet-proof cybercrime friendly providers have a future? Naturally, since it’s the simple market forces that are going to keep both fronts busy for years to come. With ATRIVO/Intercage now shut down, what’s next? Lessons learnt for the bad guys realizing that it’s about time they start taking advantage of basic OPSEC (operational security) processes like decentralizing their networks, and increasing the lifecycle of their customer’s cybercrime activities by taking advantage of fast-fluxing. The bottom line, despite that Intercage remains offline, but the concepts of cybercrime content hosting, and the Russian Business Network as a franchise, are always going to be there.

[Source: zdnet]