Atrivo/Intercage Called Out as US RBN

A report from a trio of well-known open-source security analysts is out and covers the US-based hosting provider Atrivo, aka Intercage. Dubbed the “US RBN” by some, Atrivo is, to quote someone in the business:

“At almost every Internet security conference, or law enforcement seminar on cyber-crime, a presentation will detail some attack, exploit, phish or financial crime that has some nexus at Atrivo/Intercage.”

Source: Vincent Hanna, Spamhaus.org.

After the research article’s publication, Global Crossing (GBLX) de-peered with them within a day or two; GBLX had been a BGP peer providing transit, one of two or three distinct ASNs doing so. It’s unknown what debates went on inside GBLX before this action, but the lesson is pretty clear: public analysis of overtly hostile networks with a long history of security issues can lead to change. Last year’s collection of reports on RBN (from iDefense, Shadowserver, and others) led to the dissolution of RBN.

On my team, we’ve been seeing a lot of Atrivo over the years: rogue DNS servers, pushed onto victims by DnsChanger malware, that send the user to a malicious website whenever they mistype a domain name; lots of fake AV product hosting lately; malcode drops and pickups. Our database is full of these droppings of information.
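The typo-hijacking behaviour of those rogue resolvers is easy to check for. The following is an added example, not code from the original post or from Arbor: it queries a resolver for a random name under the reserved .invalid TLD, which can never legitimately resolve, and flags any resolver that answers NOERROR with A records instead of NXDOMAIN. The resolver addresses, the mistyped name and the forged response bytes are all constructed for the example; none are real Atrivo infrastructure.

```python
"""Added example: detect a typo-hijacking (NXDOMAIN-rewriting) resolver.

A well-behaved resolver answers a query for a name that cannot exist with
RCODE 3 (NXDOMAIN) and an empty answer section. The rogue resolvers pushed to
victims by DNS-changer malware answer NOERROR with an A record instead, so a
mistyped domain "resolves" to a page of their choosing. All addresses and
response bytes below are constructed; none are real Atrivo infrastructure.
"""
import random
import socket
import string
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def build_query(name, txid):
    """Minimal DNS query: header with RD=1, one question of type A, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Pull transaction id, RCODE and the A records out of the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # QNAME, then QTYPE + QCLASS
    a_records = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x0F, "a_records": a_records}


def classify(resp, expected_txid):
    """Label the answer to a query for a name we know does not exist."""
    if resp["txid"] != expected_txid:
        return "mismatched-txid"         # not a reply to our query at all
    if resp["rcode"] == RCODE_NXDOMAIN and not resp["a_records"]:
        return "honest-nxdomain"
    if resp["rcode"] == RCODE_NOERROR and resp["a_records"]:
        return "nxdomain-hijack"         # the typo lands on an IP the resolver chose
    return "other"


def random_nonexistent_name():
    """Random label under .invalid, reserved by RFC 2606 and never delegated."""
    return "".join(random.choices(string.ascii_lowercase, k=20)) + ".invalid"


def check_resolver(resolver_ip, timeout=2.0):
    """Live check over UDP/53 against a real resolver (needs network access)."""
    txid = random.randrange(0x10000)
    query = build_query(random_nonexistent_name(), txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return classify(parse_response(data), txid)


def forge_response(query, rcode, answer_ip=None):
    """Constructed for the offline demo: the wire bytes a resolver would return."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]                # QNAME + QTYPE + QCLASS, copied verbatim
    ancount = 1 if answer_ip else 0
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    answer = b""
    if answer_ip:                        # owner name = pointer to the question at offset 12
        answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


if __name__ == "__main__":
    txid = 0x1234
    query = build_query("soemthign-mistyped.invalid", txid)           # constructed typo
    honest = forge_response(query, RCODE_NXDOMAIN)
    rogue = forge_response(query, RCODE_NOERROR, "192.0.2.10")        # TEST-NET-1 address
    print("honest resolver:", classify(parse_response(honest), txid))  # honest-nxdomain
    print("rogue resolver: ", classify(parse_response(rogue), txid))   # nxdomain-hijack
```

Run `check_resolver("<ip>")` against each resolver a suspect host has configured (DNS-changer malware typically rewrites that list, so comparing it against the resolvers you actually hand out is the first tell). A resolver that also rewrites NXDOMAIN for "search assistance" will trip this check too, so confirm what the returned A record serves before calling it hostile.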

The fact that this network is supposedly hosted in the US, in the Bay Area in fact, is especially surprising. It is unclear to me why they were permitted to operate without any significant investigation by law enforcement. Perhaps it was a lack of priority, or a lack of complaints. Ultimately this is a drop in the bucket in the battle against malicious network operations. We can’t be naïve and think that they’ll simply cease operations; we should expect that they’ll relocate and be back. The question is where.

4 Responses to “Atrivo/Intercage Called Out as US RBN”

September 12, 2008 at 2:25 pm, Computer Security Research - McAfee Avert Labs Blog said:

[…] several researchers announce the dissolution of RBN and with the Atrivo and Directi disclosures, we gave new kicks into the anthill. But all these […]

September 14, 2008 at 4:26 am, If RBN is dead, their customers are still alive | CHARGED's 24/7 News Aggregator said:

[…] several researchers announce the dissolution of RBN and with the Atrivo and Directi disclosures, we gave new kicks into the anthill. But all these […]

September 16, 2008 at 3:03 am, Rogue Registrars’ Demise Migrates Miscreant Clients said:

[…] [2] ArborNetworks: Atrivo/Intercage Called Out as US RBN […]

September 23, 2008 at 5:14 pm, Links to check out at Word to the Wise said:

[…] hosting. Atrivo/Intercage are notorious amongst the folks who fight malware and bots and have been called the American version of the Russian Business Network. « Appropriating […]
