YAY! Re: Atrivo/Intercage: NO Upstream depeer

Pedram M pmessri at gmail.com
Wed Sep 24 03:36:48 CDT 2008


It's actually starting to look like WHT.

On Wed, Sep 24, 2008 at 1:35 AM, Pedram M <pmessri at gmail.com> wrote:

>
> define:nanog
>
> North American Network Operators Group A membership organization that
> provides for the exchange of tecnical information among public, commercial
> ...
>
> I think this conversation should have ended way long time ago.
>
> My $0.50 cents + $1.00 or $2
>
> Regards,
> Pedram
>
>
> On Wed, Sep 24, 2008 at 1:29 AM, Russell Mitchell <russm2k8 at yahoo.com>wrote:
>
>> Hello Mark,
>>
>> What's YOUR motivation to consistantly attack my company?
>>
>> What's my motivation to continue working @ InterCage?
>> To keep a roof over my family's heads, and to keep them well-fed:
>> 1.) Myself
>> 2.) My Wife
>> 3.) My near 2 year old Son (November)
>> 4.) My near 3 week old Daughter (Born Sept. 4th)
>>
>> It's great that you finally accepted the claim of InterCage being
>> associated with the famed "RBN" as being "alledged".
>> You've taken the first step into seeing how much BS information has been
>> spread out about our company.
>>
>> Whether you support me in my anti-abuse endeavor or not, as long as you
>> get FACTUAL information, I'm happy.
>> However someday, I trust you will find and accept the truth about
>> InterCage. From what I see now from the claims your making, that day may not
>> come soon.
>>
>> Thank you for your time. Have a great day.
>>  ---
>> Russell Mitchell
>>
>> InterCage, Inc.
>>
>> ----- Original Message ----
>> From: Mark Foo <mark.foo.dog at gmail.com>
>> To: Russell Mitchell <russm2k8 at yahoo.com>
>> Cc: Bruce Williams <williams.bruce at gmail.com>; Christopher Morrow <
>> christopher.morrow at gmail.com>; nanog at nanog.org; Joe Greco <
>> jgreco at ns.sol.net>
>> Sent: Wednesday, September 24, 2008 1:14:01 AM
>> Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
>>
>> Russell:
>>
>> Oh I got the memo, you'll be getting served one soon too.
>>
>> I just wonder why you don't consider playing both sides of the fence
>> -- with your
>> knowledge of who's who in the cyber crime field, you could probably get
>> paid
>> more as an informant (either to LEO or one of the "Intel" companies than
>> whatever you're doing for Emil and (allegedly) the  RBN. You can't
>> possible
>> sleep well knowing what your up to now so I figure it's the money that
>> motivates you.
>>
>> Or, maybe you don't really know anyone, you just respond to their demands
>> and
>> they end up with all the money, pr0n chicks, etc. Doesn't that bother
>> you -- don't
>> you want more?
>>
>> Plus, no one would know you were pulling two pay checks -- you manage
>> systems
>> on one side and pass info to the other. It's actually fairly simple --
>> maybe you already
>> know this ;).
>>
>> If not, please explain this:
>>
>> http://www.spamhaus.org/news.lasso?article=636
>>
>> Without exception, all of the major security organizations on the
>> Internet agree that the 'Home' of cybercrime in the western world is a
>> firm known as Atrivo/Intercage, based in California. We ourselves have
>> not come to this conclusion lightly but from many years of dealing
>> with criminal operations hosted by Atrivo/Intercage, gangs of
>> cybercriminals - mostly Russian and East European but with several US
>> online crime gangs as well - whose activities always lead back to
>> servers run by Atrivo/Intercage. We have lost count of the times we
>> have tracked a major virus botnet's "command and control" to
>> Atrivo/Intercage servers, readers can view here some of the current
>> and historic SBL records for Atrivo for a taste of what has been
>> happening in this network. At almost every Internet security
>> conference, or law enforcement seminar on cyber-crime, a presentation
>> will detail some attack, exploit, phish or financial crime that has
>> some nexus at Atrivo/Intercage.
>>
>> The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
>> playing the "surprised janitor", unaware of every new criminal
>> enterprise found on his servers and keen to show he gets rid of some
>> criminals once their activities on his network are exposed. His
>> Internet hosting career first came to the attention of most anti-abuse
>> organizations when he pinched (or 'purchased stolen goods' as he put
>> it) and routed an unused block of 65,536 IP addresses belonging to the
>> County of Los Angeles.
>>
>> Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
>> Atrivo/Intercage and its related networks in the last 3 years alone,
>> all of which involved criminal operations such as malware, virus
>> spreaders and botnet command and control servers. Malware found by
>> Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
>> months included the Storm Worm installer and controller and a MySpace
>> spambot amongst others. Spamhaus currently sees a large amount of
>> activity related to malicious software and exploits being hosted on
>> Atrivo/Intercage which include DNS hijack malware, IFRAME browser
>> attacks, dialers, pirated software websites and blatantly criminal
>> services.
>>
>> We assume that every law enforcement agency with a cyber-crimes
>> division has a dossier bursting at the seams on Atrivo/Intercage and
>> its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only
>> question on everyone's mind is which agency will beat the others to
>> shutting the whole place down and indicting the people behind it.
>> Because if shut down, one thing is certain: the amount of
>> malware-driven crime on the Internet would drop overnight as
>> cyber-criminals rush to find a new crime-friendly host - difficult to
>> find in the US, as Atrivo/Intercage is one of the very few remaining
>> dedicated crime hosting firms whose customer base is composed almost,
>> or perhaps entirely, of criminal gangs. More importantly, millions of
>> Internet users currently being targeted by the malware gangs operating
>> from Atrivo/Intercage will be, for a while, safer.
>>
>> Perhaps one may be wondering about the costs of hosting at
>> Atrivo/Intercage or how to sign up? Well, don't expect to find this
>> information at the company's websites as they were empty for years and
>> for the last year have just shown "Website Coming Soon."
>>
>>     http://www.atrivo.com => "InterCage, Inc.. INTENSE SERVERS. Website
>> Coming Soon:"
>>     Last Updated: Thursday, September 06, 2007 4:32:59 PM
>>
>>     http://www.intercage.com => "InterCage, Inc. INTENSE SERVERS.
>> Website Coming Soon:"
>>     Tuesday, September 04, 2007 6:45:52 PM
>>
>> At one time after being asked, "how on earth does your company get
>> business?" an Atrivo/Intercage representative coyly said, "by word of
>> mouth." That seems to be quite obvious.
>>
>>
>>
>>
>> On Wed, Sep 24, 2008 at 12:45 AM, Russell Mitchell <russm2k8 at yahoo..com>
>> wrote:
>> > Hello Mark,
>> >
>> > It really seems YOU _DID_ miss the memo.
>> > I think that since no one else is responding to your non-sense, there is
>> no reason for me to either.
>> >
>> > If you have something accurate to say, I'll be happy to listen.
>> > Until then, there's not much I can say. There's no sense in repeating
>> myself.
>> >  ---
>> > Russell Mitchell
>> >
>> > InterCage, Inc.
>> >
>> >
>> >
>> > ----- Original Message ----
>> > From: Mark Foo <mark.foo.dog at gmail.com>
>> > To: Russell Mitchell <russm2k8 at yahoo.com>
>> > Cc: Bruce Williams <williams.bruce at gmail.com>; Christopher Morrow <
>> christopher.morrow at gmail.com>; nanog at nanog.org; Joe Greco <
>> jgreco at ns.sol.net>
>> > Sent: Wednesday, September 24, 2008 12:27:50 AM
>> > Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
>> >
>> > Russell:
>> >
>> > Ferg was just being coy -- what you don't understand is there are about
>> 3 other
>> > security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law
>> > Enforcement might not take action against you (but appear to be
>> interested now),
>> > but the community can. GET OFF THE NET WITH YOUR MALWARE!
>> >
>> > You mistake me for someone who believes you pack of lies! Don't you
>> > understand each
>> > time you post to this list gives those of us who know the opportunity
>> > to post MORE EVIDENCE
>> > of your MALWARE?
>> >
>> > You disconnected Hostfresh and think that's the extent of your cimes?
>> > Gimme a break.
>> > Only those who are easily socially engineered would believe your
>> > pathetic claims of innocence.
>> > You've BEEN HOSTING MALWARE since 2003 -- SEE Nanog post:
>> >
>> > Re: The in-your-face hijacking example
>> > http://www.irbs.net/internet/nanog/0305/0038.html
>> >
>> >> Let me know if there's anything else you'd like me to state to the
>> public.
>> >
>> > Answer Ferg's question -- Why are you moving to CERNAL? Do you think
>> this
>> > is going to work? That's just another of Emil's networks.
>> >
>> >> We're on a rocky road right now. But it IS starting to smooth out.
>> >
>> > That's just the calm before the storm.
>> >
>> > Go ahead and post a response to each of these allegations:
>> >
>> > Cybercrime's US Hosts
>> > http://www.spamhaus.org/news.lasso?article=636
>> >
>> > Report Slams U.S. Host as Major Source of Badware
>> >
>> http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html?nav=rss_blog
>> >
>> > A Superlative Scam and Spam Site Registrar
>> >
>> http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss_blog
>> >
>> > ICANN cast as online scam enabler
>> > http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/
>> >
>> > 'Malware-friendly' Intercage back with the living
>> > http://www.theregister..co.uk/2008/09/24/intercage_back_online/
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > On Tue, Sep 23, 2008 at 11:50 PM, Russell Mitchell <russm2k8 at yahoo.com>
>> wrote:
>> >>
>> >> Hello John Doe,
>> >>
>> >> I welcome any further comments you have.
>> >> We have to get past people such as yourself, and your blasphemous and
>> false statements.
>> >>
>> >> This is the same issue with the recent media and self-proclaimed
>> "Security Researchers". Fly-by-night mind you.
>> >>
>> >> To help you out in your claims:
>> >> Yes, we did house a client whom had quite a run with their client's
>> from various locations, such as Russia.
>> >> That Client is no longer hosted on our network. I myself spent all of
>> monday afternoon, night, and tuesday morning shutting off EVERY machine they
>> had leased in our Billing System. I'm currently working to scan further and
>> see if there's anything I may have missed.
>> >>
>> >> Yes, Russia is very well known for Virus and Malware writer's.
>> >>
>> >> Yes, we have had issues with malware distribution from our network.
>> >> This was directly and near singularly related to the former client of
>> ours. We did have another client, Hostfresh, whom had their share of malware
>> issues.
>> >>
>> >> Both have been completely and effectively removed. The server's leased
>> to both of them have been canceled, and their machines have been shutoff.
>> >>
>> >> Let me know if there's anything else you'd like me to state to the
>> public.
>> >> We're on a rocky road right now. But it IS starting to smooth out.
>> >>
>> >> Thank you for your time. Have a great day.
>> >>  ---
>> >> Russell Mitchell
>> >>
>> >> InterCage, Inc.
>> >>
>> >>
>> >>
>> >> ----- Original Message ----
>> >> From: Mark Foo <mark.foo.dog at gmail.com>
>> >> To: Bruce Williams <williams.bruce at gmail.com>
>> >> Cc: Christopher Morrow <christopher.morrow at gmail.com>; nanog at nanog.org;
>> Joe Greco <jgreco at ns.sol.net>
>> >> Sent: Tuesday, September 23, 2008 11:08:21 PM
>> >> Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
>> >>
>> >> NANOG:
>> >>
>> >> Look, the people posting here who are trashing Intercage are pure
>> security
>> >> analysts -- they
>> >> know and understand the evil that is Intercage. STOP TRYING TO ASSIST
>> >> INTERCAGE
>> >> -- you are effectively aiding and abetting the enemy.
>> >>
>> >> Intercage/Atrivo hosts the malware c&c botnets that DDoS your systems
>> and
>> >> networks.
>> >>
>> >> Intercage/Atrivo hosts the spyware that compromises your users'
>> passwords.
>> >>
>> >> Intercage/Atrivo hosts the adware that slows your customers' machines.
>> >>
>> >> Don't take my word for it, DO YOUR OWN RESEARCH:
>> >> http://www.google.com/search?hl=en&q=intercage+malware
>> >>
>> >> You don't get called the ***American RBN*** for hosting a couple bad
>> >> machines. They
>> >> have and will continue to host much of the malware pumped out of
>> America.
>> >> THEY
>> >> ARE NOT YOUR COMRADES..
>> >>
>> >> These people represent the most HIGHLY ORGANZIED CRIME you will ever
>> >> come across. Most people were afraid to speak out against them until
>> this
>> >> recent ground swell.
>> >>
>> >> This is the MALWARE CARTEL. GET THE PICTURE?
>> >>
>> >> Many links have been posted here that prove this already -- instead of
>> >> asking
>> >> what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT--
>> >> because there are NONE.
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> > >> I would suggest a different Step 1.  Instead of killing power,
>> simply
>> >> > >> isolate the affected machine.  This might be as simple as putting
>> up a
>> >> > >> firewall rule or two, if it is simply sending outgoing SMTP spam,
>> or
>> >> > > it's probably easiest (depending on the network gear of course) to
>> >> > > just put the lan port into an isolated VLAN. It's not the 100%
>> >> > > solution (some badness rm's itself once it loses connectivity to
>> the
>> >> > > internets) but it'd make things simpler for the client/LEA when
>> they
>> >> > > need to figure out what happened.
>> >> > >
>> >> > > -chris
>> >> > >
>> >> > >
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> >
>> >
>> >
>>
>>
>>
>>
>>
>>
>>
>



More information about the NANOG mailing list