USA Internet community fighting against botnet purveyors

For some time now, a number of independent and volunteer online security research groups have been releasing reports on criminal activities supported by such ISPs as Intercage, a network provider based in California and Within a couple of weeks after the release of those reports Atrivo was dropped by all of its upstream traffic providers. The first to de-peer from the infamous hosting company was Global Crossing. Then, one by one, direct Internet connectivity to Intercage was cut off by the other two providers, namely Costa Mesa, Calif.-based Bandcon and WVFiber out of Boca Raton, Fla.

Two more companies stepped in to help after Emil Kacperski's brainchild became unreachable on the Internet. Pacific Internet Exchange (PIE) agreed to provide its service to Intercage on certain conditions. PIE president David Grieshaber told Brian Krebs that he and Atrivo's founder Emil Kacperski had been good friends for several years, and that PIE and Atrivo also share the same building in San Francisco. Grieshaber confided that while he thought Kacperski was treated unfairly, he nevertheless decided to lay some ground rules as a precondition of their agreement. On September 21, PIE abruptly reversed course and pulled the plug on Atrivo, effectively knocking offline all of the sites hosted with Atrivo (including its biggest and most vilified client - EstDomains.com). Kacperski says PIE's Grieshaber took action due to pressure from his other clients.

Later, transit provider UnitedLayer agreed to strike a peering deal with Intercage under certain costly conditions. To secure this deal, Intercage had to pay a heavy price: terminating its hosting contract with Esthost, a hosting service owned by EstDomains that was considered the biggest source of illegal activity on its network.
Alas, this relationship lasted no longer than the previous one. Global Crossing, which is one of UnitedLayer's upstream providers, sent an e-mail message to the company expressing its concern over the situation. "It has come to our attention that United Layer is now routing traffic for Intercage (AS 27595) over the Global Crossing network," said the e-mail. "Intercage was removed from our network for violating our acceptable use policy, and is not welcome to return under any circumstance," added Andrew Ramsey, Global Crossing's manager of information security operations, in the same e-mail. After Global Crossing sent numerous well-documented abuse reports to UnitedLayer, the company decided to reconsider and terminate the contract with Intercage.

Meanwhile, EstDomains lives on through indirect peering with Global Crossing: ZAO Petersburg Transit Telecom (PTT) (AS31353) - upstream from ASN-SPBNIT OJSC North-West Telecom Autonomous System (AS8997) - upstream from RETN-AS (AS9002) - upstream from GBLX Global Crossing Ltd. (AS3549).

Richard Donaldson, COO of co-location provider UnitedLayer, noted: "All you've done is force Esthost to go more underground and become less visible, less containable and less capable of even being approached by law enforcement. So the community can certainly cheer that they've in essence targeted this company, but the root of the problem has not been fixed."

EstDomains – ‘a US-based domain name Registrar’

“Wilmington, DE (PRWEB) September 14, 2008 -- EstDomains, Inc (http://estdomains.com), a US-based domain name Registrar, officially declares opposition to malware mongers in order to protect Internet users from attacks on their computers or stealing of their important data. EstDomains, Inc pays special attention to domain name holders' private data protection and secure money transaction operations.
It can be said in all modesty that EstDomains, Inc has succeeded in protecting its customers from any possible occurrence of fraudulence or cracking. However, being an eminent member of interactive community, EstDomains, Inc management along with other giants of online industry continues its struggle against malicious software distribution and is giving its best to work out even more efficient solutions for detecting malware sources.”

Further on, the same press release mentions five thousand domain names that EstDomains, Inc detected and ruthlessly suspended within just one week. This is remarkable given that the harmful and illegal sites were detected several years after the domain was invaded by this kind of vermin, and only a few weeks after the above-mentioned security consulting agencies released their reports.

At the end of August, Knujon shared its findings on the nature of some of the illicit domains abundant at the EstDomains registrar. It was revealed that EstDomains makes heavy use of the PrivacyProtect.org service for masking the ownership of fake pharmacy domains. Customers visiting such a pharmacy site see badges such as "FDA Approved" and "Trusted by VeriSign." Yet they cannot find trustworthy information about who owns it, while the advertising itself arrives as spam from zombie botnets.

Knujon continues: “Using pornography to lure unsuspecting Internet users into unknowingly downloading malware is an old trick, but one that continues to work. However, KnujOn has found an array of EstDomains sponsored, PrivacyProtect.org shielded domains that combine drugs, porn and malware. Several former steroids EstDomains sites have metadata that appears to offer Schedule 3 substances like Morphine, Testosterone, and Vicodin but redirects the user's browser to youtube-free-videos.com (also sponsored by EstDomains), a porn site that attempts to download malware in the guise of a "player update."
The scripting vigorously prevents the user from navigating away from the page or closing it. The content of youtube-free-videos.com is served from best-of-searcht.com (also sponsored by EstDomains), another porn site that has links to another fake pharmacy: world-pharmacy-online.com (also sponsored by EstDomains).”

According to Brian Krebs, Knujon and others, another source of illegal activity supported by EstDomains is fake anti-virus and fake anti-spyware Web sites. Chief among these fake security products is the infamous XPAntivirus family of scareware. Typically, hackers are paid to compromise legitimate Web sites and silently redirect any visitors to these fake security software sites. Those sites in turn download malicious software that bombards the victim with incessant, bogus messages warning that his or her computer is infected with multiple privacy and security threats. It blocks access to the Control Panel, Registry Editor, hard drive, removable media, Task Manager, Run, and just about any utility someone might use to fix their PC or remove the malware. It also blocks installation and running of legitimate anti-virus packages. Once infected, your PC can only be used as a botnet node or a doorstop.

Brian Krebs, a keen investigator, found that the head of Rove Digital, an entity that claims ownership of EstDomains, had a rather shadowy past in his native town in Estonia. Thus Brian reports that the company “was founded in Tartu, the second largest city in Estonia (although the corporation is officially registered in Delaware). The chief executive of EstDomains is 27-year-old Vladimir Tsastsin”. Brian points to reports in the local Estonian media showing that the court in Tartu sentenced Tsastsin to three years in an Estonian prison after he was found guilty of credit card fraud, document forgery, and money laundering. Details can be found in Brian’s entry.
Last but not least, another aspect that does EstDomains no credit is that the company refuses to disclose its true location and continues to claim that it is based in Delaware. Here is what Knujon notes on this point: “For those not familiar with U.S. geography, Delaware is a tiny state that earns its keep by being very business-friendly. Typically, any business incorporated in Delaware is not actually there. This means there are scant details publicly available for who owns EstDomains.”

Malware, illegal drug trade, porn, a criminal leader and a disguised address – these are the most prominent features attributed today to the 49th largest domain name registrar, which has more than 270,000 domains according to RegistrarStats.com. Now partners, customers and representatives of the company are making feeble efforts to pick up the pieces of their reputation.

Another American attack?

While current US president George Bush exhausts the state budget on wars in Iraq and national conflicts in the post-Soviet area, the American Congress is busy with the economic slump, outgoing Secretary of State Condoleezza Rice makes vain statements shaking her fist at Russia, and presidential contender Barack Obama clamours about aggressive Russian politics, the American people, just like Russians and others around the world, are trying to protect their interests against fraud and crime.

As of today, there is no Internet authority with the legitimate power to control evildoers and impose penalties on them. Existing research and advisory agencies can only conduct their studies and share the data received. The latest stir around Intercage and EstDomains is a desperate attempt by independent analysts to help thwart cyber crime schemes on the Internet. This is not the occasion to discuss the centuries-old opposition of two governments that draw their peoples into the conflict. Comments posted on Brian’s blog reveal the prejudices and biases implanted in the hearts of people from both nations.
Americans, while right on the one hand, call all Russians thieves and criminals, while Russians, some of them simply small businesses hurt by this scandalous investigation, blame the ‘Americosas’, as they say, for all the problems in the world. One Russian citizen, Dmitry, spoke on behalf of Rustelekom and made a very reasonable remark: “While we all need to stop spam and illegal active please be polite and do not call all Russian Business and their partners as RBN and RBN affiliated. When few Russian social network sites was infected by Trojan to about 300 000 visitors from Russia malware have been installed and many zombied Russian PC's still alive. So, it is not Russians cyberwar against the world - it is problem for all of us - internet users and professionals and we need cooperate to get cyber crime down.”

Cyber crime, like other types of crime, is a problem that can emerge in any state, but what matters is that ordinary residents have nothing to do with the behavior of their heads of state. Hence, it would be incorrect and ignorant of anyone to try to link the problems occurring among customers to intergovernmental issues. Customers in all states should jointly fight against common threats, as their governments, as always in history, will be busy pursuing their own interests under the pretext of national welfare.