14 DAY TRIAL // A white paper written by security researcher Jart Armin, in collaboration with James McQuaid and Matt Jonkman, analyzes the inner-workings of the biggest cyber crime hosting company in US, Atrivo, and its associates. The paper leads to the conclusion that such companies have influence over Internet authorities. At the same time, a security report released by KnujOn, an anti-spam project, examines the issue of “phantom” domain registrars that function uninhibited right under ICANN's (Internet Corporation for Assigned Names and Numbers) nose.
Atrivo is an autonomous systems (AS) provider based in Concord, California. The company offers many services, from hosting co-located servers to domain name registration through its child companies or partners. Atrivo is also known in the security industry as the company that provided hosting for the infamous Russian Business Network, a major hub for cyber crime. However, after attracting a lot of media attention, the RBN slowly faded away, and Atrivo changed its name to Intercage in an attempt to clear its image.
Jart Armin's research shows that old/bad habits die hard, even if hidden under a new name, and that Atrivo continues to provide a home for spam, viruses, spyware, illegal adult content, botnet servers etc. Around 26,000 IP addresses are routed through Atrivo and, according to journalist Brian Krebs from the Washington Post, an analysis on a random set of 256 such addresses revealed “more than 221,000 Trojan horse programs, 9,773 Web browser exploits, and nine computer worms.” Also StopBadware has registered a number of 35,449 hacked legit websites that were serving malware hosted by IPs belonging to Atrivo.
Interesting enough is that one of ICANN's sponsors, LogicBoxes, has indirect ties with Atrivo. Emil Kacperski, Atrivo's owner, explained in an e-mail to Security Fix that "unfortunately, as you can understand being a dedicated server provider there isn't a way for us to control the content on the servers. We can only respond to abuse reports and then proceed to shut down a server or take other action.” However, James McQuaid, one of the paper's authors, claims that the company only takes actions against such websites that are already registering a low traffic. "To the extent Atrivo does respond to complaints, it does so very selectively," he noted.
The KnujOn report tackles another issue related to cyber crime, having gathered a list of 48 domain registrars that are accredited by ICANN, but which do not legally exist. The addresses provided for the companies that own these services are all fake and confusing at the same time – such as is "15 West 47th Street New York, NY 10036 Oregon," with a California-listed phone number.
These registrars offer domain registration through a service called PrivacyProtect, which protects the identity of domain owners. Many of these domains are used to host fake online pharmacies. According to the report, all these 48 domain registrars belong to the Directi Group and they clearly violate the ICANN policy, yet remain accredited. Directi disclaims all allegations in the KnujOn report as baseless and factually incorrect.
Another domain registrar KnujOn wrote extensively about, which also uses PrivacyProtect to hide the owners of spam-related domain names registered through them, is EstDomains. EstDomains and EstHost are listed in Mr. Armin's research paper as being directly connected with Atrivo.
