Botnet

To read history see http://certifiedbug.com/blog/tag/estdomains/

October Press releases:
EstDomains, Inc Takes Next Step in Combating Spam and Malware
http://www.prweb.com/releases/2008/10/prweb1504344.htm

EstDomains, Inc Combating Cyber Crime — Thousands Domain Names Suspended
http://www.prweb.com/releases/2008/10/prweb1511704.htm

Edit
The Spamhaus Project.
SBL68934
89.108.95.135/32 agava.ru
24-Oct-2008 10:41 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

SBL68935
89.108.73.87/32 agava.ru
24-Oct-2008 09:03 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

SBL68936
89.108.74.33/32 agava.ru
24-Oct-2008 09:04 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

SBL68937
83.171.76.96/28 ptt.spb.ru
24-Oct-2008 10:41 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

http://www.spamhaus.org/sbl/index.lasso

{ 0 comments }

Researching, I paid a visit to the rogue site ‘pc-antispypro’ which promptly ran a scan and informed me I had 14 unspecified infections. Which didn’t vary on another clean machine.

Not as dramatic as most rogues that give dire warnings of infections in the hundreds, none the less the .exe carried a payload named by Antivir as TR/Dropper.Gen.

First, one is presented with the EULA and a click yes to download.

If one ignored the anti virus program’s warning.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: PC-ANTISPYPRO.COM

Certifiedbug: September 23, 2008. EstDomains PR. Improved detection-prevention

Certifiedbug: September 15, 2008. EstDomains, Inc declares opposition to malware mongers

Priority estdomains domain suspension requests
http://www.malwarebytes.org/forums/index.php?showtopic=6159&st=80

Update: Topic at Nanog by Konstantin Poltev from Esthost.
Hostexploit report/Intercage/Esthost

{ 0 comments }

Gadi Evron’s Time for self reflection after the downfall of Atrivo-Intercage.

{ 0 comments }

Backbone provider Global Crossing, which previously “de-peered” from Atrivo/Intercage, More on Atrivo-Intercage-Estdomains, has negated the decision by transit provider UnitedLayer to give Intercage upstream service.

“It has come to our attention that United Layer is now routing traffic for Intercage (AS 27595) over the Global Crossing network,” Andrew Ramsey, Global Crossing’s manager of information security operations, wrote in an email sent to UniterLayer on Wednesday morning. “Intercage was removed from our network for violating our acceptable use policy, and is not welcome to return under any circumstance.”

The Register: Net pariah Intercage back among the dead

Edit:
Robert McMillan, IDG News Service.

After being notified of more problems on the network this week, UnitedLayer pulled the plug on Intercage late Thursday afternoon, said UnitedLayer Chief Operating Officer Richard Donaldson. “We decided that, given the stuff that was going on and with a couple of infractions that we were made aware of, that they needed to purge themselves of any [malicious] stuff that remained,” he said.

Notorious ISP Intercage goes dark again

Hat Tip to Sandi at Spyware Sucks: Atrivo/Intercage have been knocked offline again?

The Report for AS27595 remains as it was before UnitedLayer became Intercage’s provider.
Certifiedbug; September 22, 2008. Atrivo-Intercage offline

{ 0 comments }

Apprantly IP transit provider UnitedLayer has agreed to provide upstream service to Intercage after Intercage agreed to completely sever ties with Esthost.

Intercage, Inc’s website has a holding page, it looks strangely familiar…

UnitedLayer operates out of the same San Francisco colocation facility as Intercage and Pacific Internet Exchange (PIE).

Kind of reminds me of Lizards that give up their tail to escape.

Is anyone else feeling dizzy yet.

Sources:
Report for AS27595
Controversial ISP Intercage now back online
‘Malware-friendly’ Intercage back among the living

{ 0 comments }

EstDomains, Inc: Improved Detection and Prevention System is Live

EstDomains, Inс (http://estdomains.com), announces the launch of new improved and even more efficient version of detection and prevention system oriented to the avoidance of potentially fraudulent transactions, spamming and harmful software distribution that might be performed from the company customers’ accounts.

From the very beginning, EstDomains, Inc (http://estdomains.com), a domain name registration services provider, has undertaken the obligations to provide Internet community with most secure solutions for network presence establishment and running of successful and stable online enterprise. The management of the company also realizes the great necessity of keeping the Internet clean of the fraudulence, harmful software or any disposal of obscene materials. According to the Acceptable Usage Policy, valid for EstDomains, Inc (http://estdomains.com), the appropriate measures are taken against customers who take a risk of using provided services for spam delivery, phishing attempts, distribution or storage of data that may damage user’s computer equipment such as viruses or any other kinds of malware, corrupted codes that are designed with an intention to steal personal data and credit card information or any related materials involved in cybercrime arrangements. Carefully elaborated account monitoring system is used to reveal AUP violation cases among company’s customers. The corrupted account holders are deprived of their account without any refund along with the ultimate right of companies’ services further usage.

In order to prevent crooked customers from being able to continue with their illegal enterprises, the new advanced and more efficient account monitoring system has been applied to the services provided for domain name registration. The improved system is equipped with a whole pack of advanced features that use smart schemes for detailed analyses of the activity performed by an account holder, whose account has been suspended due to violation of AUP terms and conditions. On top of everything else, carefully elaborated clusters also reveals accounts that are registered under different name but in reality belong to a person who has been involved in AUP infringements. Various details, such as IP addresses, minute payments descriptions, personal data analysis, accounts sign up logs and so on, are used for the creation of a common pattern, which indicates characteristic features of one particular person. These patterns are indispensable tool in the further investigations that are led in order to recognize corrupted account holders from other law-abiding customers. The revealed accounts violating AUP are deactivated. As usual, in order to avoid wrong accusations, the domain name holder, whose account contains domain names that violate company’s Acceptance Usage Policy, will receive a notification with a warning and further detailed instruction how to report a mistake. The required information proving that the account is not privy to the delinquent activity of any kind must be submitted within 24 hours.

Once again EstDomains, Inc would like to address the interactive community and ask for help in making the Internet space more safe and user-friendly. Please report infringements that involve the activity of EstDomains, Inc customers to: https://support.estdomains.com.

Wilmington, DE (PRWEB) September 21, 2008.
http://www.prweb.com/releases/2008/9/prweb1357644.htm

Uh huh, kept for historical purposes.

{ 0 comments }

Internet Shuns U.S. Based ISP Amid Fraud, Abuse Allegations

“The truth is that nobody’s been reporting this stuff, but it’s illegal for me to just sniff around each and every site on my network and say, ‘Hey, what are you up to?,’” Kacperski said. “But if there’s a complaint, then I can deal with it, I have to deal with it. Instead of complaints, I get people labeling me as some kind of mafia kingpin or crime boss.”

“nobody’s been reporting this stuff,” ?

http://www.google.com/search?hl=en&q=atrivo+malware
http://www.google.com/search?hl=en&q=intercage+malware

No doubt people will keep monitoring…

{ 0 comments }

AS Report.

Report for AS27595

Name

INTERCAGE - InterCage, Inc.

NOT Announced

This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS.

Prefixes added and withdrawn by this origin AS in the past 7 days.

- 64.28.176.0/20 Withdrawn
- 67.210.0.0/21 Withdrawn
- 67.210.8.0/22 Withdrawn
- 67.210.14.0/23 Withdrawn
- 69.22.162.0/23 Withdrawn
- 69.22.168.0/21 Withdrawn
- 69.22.184.0/22 Withdrawn
- 69.31.64.0/20 Withdrawn
- 69.50.160.0/19 Withdrawn
- 85.255.113.0/24 Withdrawn
- 85.255.114.0/23 Withdrawn
- 85.255.116.0/22 Withdrawn
- 85.255.120.0/23 Withdrawn
- 85.255.122.0/24 Withdrawn
- 216.255.176.0/20 Withdrawn
- 216.255.176.0/22 Withdrawn
- 216.255.180.0/22 Withdrawn
- 216.255.184.0/22 Withdrawn
- 216.255.188.0/22 Withdrawn

http://cidr-report.org/cgi-bin/as-report?as=AS27595

NANOG:
Atrivo/Intercage: NO Upstream depeered at 2:25am est

Emil Kacperski started this topic: Re: Atrivo/Intercage: NO Upstream depeer

It gets a little heated, I guess this sums it up.

> Anything else you’d like to throw at me here on NANOG?
Sure, but I havn’t figured out how to hit someone with a two-by-four
over the Internet.

{ 1 comment }

Alex Eckelberry,

So… what kind of domains are on Intercage?

Gary Warner wanted to find out and has now posted the Mother of all Lists of (almost) all Intercage domains.

What kinds of domains does Intercage host?

{ 0 comments }