Fraudwatchers  
#1
30 August 2008, 01:10
Rob (Support)
Join Date: Oct 2005
Report Slams U.S. Host as Major Source of Badware

Brian Krebs


Last week, I examined a series of Web services that make profiting from cyber crime a point-and-click exercise that even the most novice hackers can master. Today, I'd like to highlight the activities of Atrivo, a Concord, Calif., based network provider that hosts some of these services.

Several noted security researchers are releasing a report today that stems from many months of investigating malicious activity emanating from Atrivo's customers. Security experts say that Atrivo, also known as "Intercage," has long been a major source of spyware, adware, viruses and fake anti-virus products.

The report is an exhaustive and well-researched analysis of Atrivo and its operations. Some of the statistics on active exploits cited in that report come from data sets I commissioned during my own investigation of Atrivo and later shared with Jart Armin, the principal author of the report and curator of the blog hostexploit.com.

Looking back several years, Atrivo's various networks were used heavily by the Russian Business Network, an ISP formerly based in St. Petersburg, Russia. RBN had gained notoriety for providing Web hosting services catering exclusively to cyber criminals. But after increased media attention, RBN dispersed its operations to other, less conspicuous corners of the Internet.

The portions of Atrivo most heavily used by RBN were Hostfresh -- which provides routing for Atrivo through Hong Kong and China -- and UkrTeleGroup (also known as Inhoster) out of Ukraine. These two networks remain core components of Atrivo's operation, and recent data suggests the company's reputation for supporting online criminals hasn't diminished since the disappearance of the RBN last year. As of last December, Atrivo boasted the largest concentration of malicious activity of any hosting company, according to a report released by security intelligence firm iDefense.

"While Intercage has legitimate clients and professes intolerance for abuse, it continues to turn a blind eye to massive amounts of cyber crime," iDefense analysts wrote. "Intercage Inc. previously operated as Atrivo Inc.; it was already infamous for abuse then and has not improved its reputation since changing names."

Emil Kacperski, Atrivo's founder, said he has been trying to clean up the company's image.

"I work very hard to make sure that everything is kept at bay," Kacperski said in an e-mail to Security Fix. "Unfortunately as you can understand being a dedicated server provider there isn't a way for us to control the content on the servers. We can only respond to abuse reports and then proceed to shut down a server or take other action."

Atrivo appears to have very recently made some strides in policing its network. According to StopBadware.org, a partnership between Google, AOL, Verisign and researchers from Harvard and Oxford, close to six percent of Atrivo's IP space was malicious back in February. Today, Google flags about half as much Atrivo IP space as hostile.

Maxim Weinstein, manager of StopBadware, said Armin's research raises questions about the degree to which firms such as Atrivo, are aware of, and ignore, badware activity on their systems.

"Some of the companies included in the report have built a reputation in the security community as being havens for this type of activity," Weinstein wrote in an entry on the StopBadware blog.

Then, I checked out Atrivo's reputation as measured by StopBadware, whose Google-fed database listed 35,449 mostly legitimate, hacked Web sites that were pulling down malicious software from addresses on Atrivo's IP space. On just one of dozens of blocks of Internet addresses routed through Atrivo (a set of 256 IPs belonging to Hostfresh), Google found more than 221,000 Trojan horse programs, 9,773 Web browser exploits, and nine computer worms.

One of those legitimate, hacked sites listed by StopBadware was www.journeyblueheaven.com. In late June, Peter Pitchford, a Web site designer from New York, was redesigning the site for a friend when he discovered Google was flagging it as a distributor of malicious software. Digging through the site's code, he found that it was attempting to infect any visiting PCs with "XPAntivirus," a notorious fake anti-virus product. The code that hackers had inserted into the site downloaded the malware from an address assigned to Atrivo.

But in attempting to cleanse the Web site of the offending code, Pitchford accidentally infected his own Windows PC with XPAntivirus. He said it took him nearly two days of work to disinfect his machine, mainly because the program blocked him from accessing popular security Web sites that might host useful tools to help remove the invader.

In a follow-up post, Security Fix will examine the activities of Atrivo's largest customer: domain name registrar ESTDomains.

By Brian Krebs | August 28, 2008; 1:51 PM ET


James McQuaid, one of the researchers who contributed to the Atrivo report, said Atrivo has a history of "shuffling the deck" when security experts complain loud enough about malicious Web sites. McQuaid said when Atrivo does respond to abuse complaints, it is usually for sites that have already been blacklisted by many ISPs and are no longer receiving much traffic.

"To the extent Atrivo does respond to complaints, it does so very selectively," McQuaid said.

Case in point: The report concludes by listing several abuse reports published online earlier this year by CastleCops, a volunteer group that fights malware and phishing activity. The oldest of those reports date back to January 2007, and name malicious sites hosted at Atrivo that are still active to this day.

Detailed stats on the badness found at Atrivo after the jump.

I began taking a second look at Atrivo in March, when a friend had his personal Web site compromised by malicious software that was pulling down updates from an Atrivo address. Security experts at Sunbelt Software determined that a large number of fake anti-virus and DNS changer malware was being hosted at Atrivo sites.

At the time, slightly more than 26,000 Internet addresses were routed through Atrivo. I wanted to know just how much of that space was malicious or hostile. So, I took a random sampling of 2,600 active domains hosted by Atrivo, and asked several security experts to crawl the addresses with various anti-virus scanners and intrusion detection tools to see how many were flagged as malicious.

Matt Jonkman, founder of EmergingThreats.net, scanned that list of 2,600 domains with the latest threat signatures from Snort, an open-source intrusion detection and prevention system. Among other results, Jonkman found 113 Atrivo addresses being used as "command and control" servers directing the operations of separate botnets, or agglomerations of thousands of hacked PCs that are used for everything from spamming to phishing to attacking others online. Keep in mind, that's 113 botnet C&Cs found in just 10 percent of Atrivo's address space.

I sent the same list to Secure Computing Corp., a San Jose based security provider. After crawling that same sample of Atrivo's IP space, analysts at Secure Computing found it easier to list the few dozen or so sites that weren't malicious or promoting illegal pharmacies and pirated software (the kind of sites often advertised via junk e-mail). The rest were either inactive "parked" pages or porn sites, Secure Computing found.

Story Here
__________________
Please help to keep Fraudwatchers.Org running!

If you think that Fraudwatchers.Org is useful and/or has helped you in any way, you may want to support us by buying from our shop. Click here for further information.

If you're interested in making a financial donation instead, send a private message to FW Admin or use the "contact us" form.
------------------------------------------------

#2
9 September 2008, 14:40
Rob (Support)
Join Date: Oct 2005
Cybercrime's U.S. Hosts

2008-08-29 10:02 GMT, by Vincent Hanna

When cybercrime is mentioned it never takes long for Russia and the Ukraine to enter the picture. However, while a lot of cybercriminals are based in those countries, a lot of their infrastructure is housed in the west, in the United States to be precise.

Without exception, all of the major security organizations on the Internet agree that the 'Home' of cybercrime in the western world is a place known as Atrivo/Intercage. We ourselves have not come to this conclusion lightly, but from many years of dealing with criminal operations hosted by Atrivo/Intercage: gangs of cybercriminals - mostly Russian and East European, but with several US online crime gangs as well - whose activities always lead back to servers run by Atrivo/Intercage. We have lost count of the times we have tracked a major virus botnet's "command and control" to Atrivo/Intercage servers; readers can view here some of the current and historic SBL records for Atrivo for a taste of what has been happening in this network. At almost every Internet security conference, or law enforcement seminar on cyber-crime, a presentation will detail some attack, exploit, phish or financial crime that has some nexus at Atrivo/Intercage.

The person who runs Atrivo/Intercage, Emil Kacperski is an expert at playing the "surprised janitor", unaware of every new criminal enterprise found on his servers and keen to show he gets rid of some criminals once their activities on his network are exposed. His Internet hosting career first came to the attention of most anti-abuse organizations when he pinched (or 'purchased stolen goods' as he put it) and routed an unused block of 65,536 IP addresses belonging to the County of Los Angeles.

Spamhaus has dealt with over 350 incidents of cyber-crime hosting on Atrivo/Intercage and its related networks in the last 3 years alone, all of which involved criminal operations such as malware, virus spreaders and botnet command and control servers. Malware found by Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few months included the Storm Worm installer and controller and a MySpace spambot amongst others. Spamhaus currently sees a large amount of activity related to malicious software and exploits being hosted on Atrivo/Intercage which include DNS hijack malware, IFRAME browser attacks, dialers, pirated software websites and blatantly criminal services.

We assume that every law enforcement agency with a cyber-crimes division has a dossier bursting at the seams on Atrivo/Intercage and its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only question on everyone's mind is which agency will beat the others to shutting the whole place down and indicting the people behind it. Because if shut down, one thing is certain: the amount of malware-driven crime on the Internet would drop overnight as cyber-criminals rush to find a new crime-friendly host - difficult to find in the US, as Atrivo/Intercage is one of the very few remaining dedicated crime hosting firms whose customer base is composed almost, or perhaps entirely, of criminal gangs. More importantly, millions of Internet users currently being targeted by the malware gangs operating from Atrivo/Intercage will be, for a while, safer.

Perhaps one may be wondering about the costs of hosting at Atrivo/Intercage or how to sign up? Well, don't expect to find this information at the company's websites as they were empty for years and for the last year have just shown "Website Coming Soon."

http://www.atrivo.com => "InterCage, Inc. INTENSE SERVERS. Website Coming Soon:"
Last Updated: Thursday, September 06, 2007 4:32:59 PM

http://www.intercage.com => "InterCage, Inc. INTENSE SERVERS. Website Coming Soon:"
Tuesday, September 04, 2007 6:45:52 PM

At one time after being asked, "how on earth does your company get business?" an Atrivo/Intercage representative coyly said, "by word of mouth." That seems to be quite obvious.

Story here
#3
9 September 2008, 14:44
Rob (Support)
Join Date: Oct 2005
A Superlative Scam and Spam Site Registrar

By Brian Krebs | September 8, 2008; 1:07 PM ET

Over the past week, a number of the Internet's largest data carriers have ceased providing online connectivity to Atrivo (a.k.a. "Intercage"), an ISP that security experts say is home to a huge number of scammers and spammers. This week, I'm turning the spotlight on EstDomains Inc., Atrivo's most important customer and the single biggest reason so many experts have condemned Atrivo.

According to RegistrarStats.com, EstDomains is the 49th largest domain name registrar, with more than 270,000 domains. Security Fix is still working on cataloging all of those domains, but for the purposes of this analysis we'll examine some 10,000 Web site names that are both registered through EstDomains and using the company's various domain name servers to route traffic to them.

I chose to focus on that particular subset of 10,000 domains mainly so that EstDomains could not simply disavow knowledge of the sites' activities by claiming it serves as nothing more than a registrar for those domains.

Turns out, at least one-third of those domains (.CSV) are currently blacklisted by SURBL.org, which tracks Web site names that are advertised in junk e-mail.

Have a look at the complete list of those 10,000 names -- which I've made available at this link here (.CSV file) -- and it should quickly become evident why so many are blacklisted.

Pick almost any spammy term that comes to mind and you will find dozens of sites with those terms currently registered at EstDomains and using their name servers. Below are just a few of the terms I picked, and beside each is the number of times the terms appeared in a domain name from the list of 10,000 (a longer list is available here):

pharm: 100
viagra: 42
casino: 62
pill: 82
soft (software): 164
rx: 57
drug: 68
meds: 66
jewelry: 46
porn: 301
teen: 120

Snowshoe Domains: Spreading the Love

Security experts at anti-spam group Spamhaus.org say EstDomains is a pioneer in setting up domains and domain name servers to accommodate a practice known as "snowshoe spamming." Spamhaus explains:

Like a snowshoe spreads the load of a traveler across a wide area of snow, some spammers use many frequently-changing IP addresses and domains to spread out the spam load in order to dilute recipient reputation metrics and evade filters. Conversely, legitimate mailers try hard to build their brand reputation based on a known domain and a small permanent range of sending IPs. Snowshoers also use anonymized or unidentifiable WHOIS records, whereas legitimate senders are proud to provide their real identity.

A stellar example of an operation primed for snowshoe spamming can be seen in the network set up by an entity called extendedhost.com. That domain name is merely a placeholder: extendedhost.com doesn't actually have an official Web site, and all of its domain names are registered at EstDomains.

Could EXTendedhost be the same company as ESTdomains (which also owns a hosting service called ESThost)? The registration records for Extendedhost.com aren't much help, placing the company variously in Canada, Panama, and the Ukraine. But a domain name server history search on extendedhost.com shows it most recently used the DNS servers of a company called Bakler.com. Bakler is a domain auction service owned by Rove Digital, an entity that claims ownership of EstDomains (I'll have more on Rove Digital in a follow-up blog post).

All 500 numeric Internet addresses assigned to extendedhost.com are blacklisted by Spamhaus for sending spam. But look a bit deeper into the entity's operations, and you'll notice that each spam domain has its own distinct name server.

Why bother assigning a unique domain name server to resolve each unique spam Web site name? For starters, anti-spam groups can blacklist thousands of spam sites in one fell swoop just by listing the handful of domain name servers that all of the sites have in common. But when each spam site has its own name server, it creates far more work for anti-spam groups.

"I call it 'horizontal scaling,'" said Suresh Ramasubramanian, head of anti-spam operations at Hong Kong based Outblaze.com. "You can pump up [spam] volume one of two ways: tons more from one or two sources, or spread the load across several sources, like a snowshoe spreads the weight of your feet across the snow."

Porn, Scareware, and Search Traffic Hijacking

Fake anti-virus and fake anti-spyware Web sites comprise the most persistent nuisance and source of illegal activity emanating from EstDomains today. Chief among these fake security products is the infamous XPAntivirus family of scareware, as exemplified by the still-active antivirus2008xp.com, pictured at right.

Typically, hackers are paid to compromise legitimate Web sites and silently redirect any visitors to these fake security software sites. Those sites in turn download malicious software that bombards the victim with incessant, bogus messages warning that his or her computer is infected with multiple privacy and security threats. Spy-partners.com, registered through EstDomains, is just one example of a company that pays affiliates to redirect traffic to its stable of scareware sites.

Experts say EstDomains also is the single largest source of domains affiliated with fake "codec" scam sites. These are mainly adult Web sites (or hacked, legitimate sites seeded with pornography) that tell visitors they need to install a special video codec in order to view the featured movies. The malware served by these fake codec sites also is fed by affiliate programs, such as cashcodec.com, ruler-cash.com, and vcstats.com (bonus points if you already figured out that each of these domains is active and registered through EstDomains).

One function of these codecs is to install software that changes the victim's domain name service settings, so that some percentage of their Web site and search engine traffic gets redirected to Web sites and search engines controlled by the attackers. The criminals in control of machines infected with these codecs can trivially hijack any victim traffic destined for online banking and other e-commerce Web sites.

At the end of my post last week on Atrivo/Intercage, I mentioned that I planned to take a hard look at EstDomains. A number of readers took that as an invitation to post in the comments section lists of sites registered at EstDomains that were serving up fake codecs and bogus security software.

Konstantin Poltev, the registry liaison for EstDomains, responded to each of those posts individually, saying he had suspended them all. However, I found a couple hundred more, detailed at this list here. It's worth noting again that I found these domains in a sample of 10,000 domains registered through EstDomains - or out of roughly 3.5 percent of EstDomains' total domain portfolio.

Poltev said his company responds to abuse complaints within 24 hours. "However, sometimes making any decision is nearly impossible as there is an obvious lack of evidences, which prove the reported domain name's involvement in the infringement of the registration agreement," Poltev said in an e-mail to Security Fix. "In general, such complicated cases are brought into court, and it must be mentioned that we are strictly bound by our policy to discharge our obligations before court decisions."

"There are some cases that force court, federal agency, police or any other authority to make an official request for providing them with all the information available for the disputed domain name or its owner," Poltev said. As to criticisms that EstDomains welcomes cyber criminal activity on its network: "I am at a loss and cannot understand why someone should confer our company the rank of cyber space criminals."

The Role of Directi

No single security company has tracked the fake anti-malware and porn codec epidemic emanating from EstDomains more thoroughly than Clearwater, Fla., based Sunbelt Software. Patrick Jordan, a senior spyware researcher for Sunbelt, maintains a massive database that charts the connections between thousands of criminal Web sites as they've come and gone over the years.

Jordan's database illustrates what he calls the "Blackweb Network," an alliance of sites erected to push fake anti-virus and anti-spyware products and porn, and to hire affiliates who get paid to spread this junk.

Jordan said that most of the sites in his database were registered either at EstDomains or at Directi, a domain registrar based in India that does business as Public Domain Registry. As it happens, EstDomains is a reseller of Directi's registration services. Among the services Directi offers is privacyprotect.org, which allows domain name registrants to obscure their contact details from the public.

"Most of the fake anti-malware and DNS changer guys are all registered through EstDomains using privacyprotect.org," Jordan said.

In June, Security Fix covered an analysis from anti-spam outfit Knujon that indicated some 15,000 Web site names advertised in junk e-mail were registered using Directi's privacyprotect.org service. Last week, Knujon released another report detailing what it called 48 "phantom domain name registrars" that cater exclusively to spammers and virus writers and trace back to Directi.

Knujon's report coincided with a separate report from security researchers at Hostexploit.com that tied Directi to cyber crime operations.

Chris Barton, lead scientist at McAfee Avert Labs, joined the chorus of criticism against Directi, with a strongly worded blog post that asked Directi's founders: "When will you completely stop supporting the illegal acts of EST[domains] and other very obvious darkside entities and kick the bad apples out?"

Directi vehemently denied turning a blind eye to abuses by EstDomains, and said it had stopped offering the registrar the use of privacyprotect.org services. Directi chief executive Bhavin Turakhia said the company considered dropping EstDomains as a customer entirely, but decided against it. "We are forced to reconsider ONLY for the sake of the several hundred thousand innocent domain registrants that happened to have registered their domain through EST. Pulling the plug on them can lead to the potential destabilization of several thousand innocent websites."

For its part, EstDomains appears to have already found a way to obscure the registrant information for new spam and scam domains, launching its own anonymity service called protectdetails.com. For example, sh0pp0rtal.net, an EstDomains-registered Web Fraud 2.0 service Security Fix previewed this month that lets cyber crooks verify the credit limits on stolen credit and debit cards -- now shields its registrants' data using protectdetails.com.

On Sunday, Directi, Hostexploit.com and Knujon declared a truce after a week's worth of squabbling in media coverage about the reports. In a post to its corporate blog Sunday, Directi said it had suspended a list of domains provided by Hostexploit and Knujon, including loads.cc, a Web Fraud 2.0 featured site that has long been a place where scam artists can go to rent botnets, or large groupings of compromised PCs.

That post from Directi's blog concludes with these promising words:

"HostExploit and Knujon did share with Directi a separate list of additional web sites known for badware that belong to Atrivo, enabling Directi's abuse team to swiftly suspend them. Directi HostExploit and Knujon intend to continue this information exchange to speedily resolve abuse issues, and to further demonstrate transparency the community can contact either Directi or / and HostExploit to ensure action is taken."


Security Fix would like to thank Jart Armin, Nicholas Bourbaki, Matt Jonkman and James McQuaid for contributing to this story.

Story here.
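The two observations in the post above, the tally of spammy terms in a domain list and the "horizontal scaling" layout in which every spam domain gets its own name server, can both be checked mechanically from a list of domains and their authoritative name servers. The Python below is an added example written for this thread, not code from Krebs, Spamhaus or any project named in the article; the domain list, the name-server hostnames and the `.example` names are all constructed here, and the term list is the one printed in the post.

```python
"""Flag spam-term-laden names and snowshoe-style name-server layouts in a domain list.

Added example for this thread; all input data below is constructed, not from the article.
"""
from collections import Counter, defaultdict

# Terms from the post's tally (constructed list reusing the article's words)
SPAM_TERMS = ("pharm", "viagra", "casino", "pill", "soft", "rx", "drug",
              "meds", "jewelry", "porn", "teen")

# Constructed sample: (domain, authoritative name server) pairs.
# The first three mimic the one-domain-per-NS pattern; the last three share one NS.
SAMPLE_DOMAINS = [
    ("cheap-pill-shop.example", "ns1.cheap-pill-shop.example"),
    ("best-casino-win.example", "ns1.best-casino-win.example"),
    ("rx-meds-now.example", "ns1.rx-meds-now.example"),
    ("family-photos.example", "ns1.shared-dns.example"),
    ("town-library.example", "ns1.shared-dns.example"),
    ("bakery-corner.example", "ns1.shared-dns.example"),
]


def count_terms(domains, terms=SPAM_TERMS):
    """Count how many domain names contain each term (the tally style used in the post).

    A Counter is returned, so absent terms read as 0 rather than raising KeyError.
    """
    counts = Counter()
    for domain in domains:
        name = domain.lower()
        for term in terms:
            if term in name:
                counts[term] += 1
    return counts


def nameserver_fan_in(pairs):
    """Map each name server to the set of domains delegated to it."""
    fan_in = defaultdict(set)
    for domain, ns in pairs:
        fan_in[ns.lower()].add(domain.lower())
    return fan_in


def snowshoe_candidates(pairs):
    """Return domains whose name server serves only that domain and lives under it.

    Blacklisting a shared name server catches every domain behind it; a one-domain-per-NS
    layout defeats that shortcut, which is the pattern the post describes.
    """
    fan_in = nameserver_fan_in(pairs)
    found = []
    for domain, ns in pairs:
        d, n = domain.lower(), ns.lower()
        only_user = len(fan_in[n]) == 1
        ns_inside_domain = n == d or n.endswith("." + d)
        if only_user and ns_inside_domain:
            found.append(d)
    return found


def report(pairs):
    """Combine both checks into one dict for a reviewer to eyeball."""
    domains = [d for d, _ in pairs]
    return {
        "term_counts": count_terms(domains),
        "snowshoe": snowshoe_candidates(pairs),
    }


if __name__ == "__main__":
    result = report(SAMPLE_DOMAINS)
    for term, n in sorted(result["term_counts"].items()):
        print(f"{term}: {n}")
    print("snowshoe candidates:", result["snowshoe"])
```

On the constructed sample the three spam-named domains each sit behind a dedicated name server under their own name and are flagged, while the three domains behind the shared `ns1.shared-dns.example` are not. Substring matching on terms like `rx` will hit innocent names too, so the term tally is a triage signal, as in the post, and not a verdict on its own.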
#4
9 September 2008, 14:46
Rob (Support)
Join Date: Oct 2005
EstDomains: A Sordid History and a Storied CEO

By Brian Krebs | September 8, 2008; 4:14 PM ET

In this second part to an ongoing investigation into the notorious Web site host and domain name registrar EstDomains Inc., Security Fix examines the company's history, the legacy of its current chief executive, and its future prospects.

The "Est" in EstDomains is a nod to the company's origins: It was founded in Tartu, the second largest city in Estonia (although the corporation is officially registered in Delaware). The chief executive of EstDomains is 27-year-old Vladimir Tsastsin, pictured below.

Tsastsin also is named as the head of Rove Digital, a company that appears to encompass a domain auction service named Bakler.com, and a recently launched Web traffic-shaping service called Zmot.

It seems Mr. Tsastsin has a rather colorful past, and is no stranger to organized crime. According to the local court and news media, he was recently sentenced to three years in an Estonian prison after being found guilty of credit card fraud, document forgery, and money laundering.

A Feb. 6 story from Eesti Päevaleht -- "Estonian Daily," one of Estonia's two major dailies - explains the backstory. I couldn't find any version of this story that had ever been published in English, so I had it professionally translated by Koit Ojamaa, a former Estonian citizen who now lives near the Washington D.C. area.

Mr. Ojamaa translates:

Tartu County Court just found a man working as the acting manager of an IT company guilty of entering illegal data into card payment systems of Internet stores for the purpose of material gain, creating forged documents, using forged documents, and money laundering.

The court sentenced 27 year old Vladimir Tsastsin to three years imprisonment, of which 6 months and 11 days must be served, according to Tartu County Court press office.

Since Tsastsin already spent that much time in pretrial detention, it will be counted as time served.

The remaining time was suspended with parole for three years beginning from the time of sentencing.

In addition, the property which Tsastsin acquired through criminal activity was confiscated: money in his bank account, two cars, and a computer.

Tsastsin has to pay court costs totalling over 23,000 kroons. [$2,300]

According to the indictment, in November 2001, Vladimir Tsastsin opened bank accounts using many different names at Eesti Ühispank and forwarded data to an accomplice, who hacked into the payment systems of Internet retail businesses in order to alter payment data.

Due to this false information, the bank incorrectly credited over 1.3 million kroons to many bank accounts.

In 2002, using the same scheme, he attempted to use a Hansapank credit card to defraud the bank of nearly 1.4 million kroons in his own as well as under a dummy name. Thanks to steps taken by bank employees, the bank did not suffer any losses.

In order to hide the ownership and source of the money obtained through fraud, the defendant transferred funds among many different personal accounts from which he made cash withdrawals.

As a result of computer fraud and money laundering, Tsastsin obtained 609,890 kroons in cash belonging to others.

Tsastsin is also accused of falsifying names, personal data, and signatures in the fall of 2001 in order to set up accounts and to utilize financial services in a foreign bank.

Tsastsin confessed to forging documents and to using forged documents, but denied all other charges.

In e-mail exchanges with Security Fix, Tsastsin declined to comment on the above article, except to call it "yellow journalism." He also declined to discuss or even acknowledge his incarceration. However, Security Fix found more or less the same statements about Tsastsin on the Estonia Ministry of Justice's own Web site.

At any rate, I wondered why a company like EstDomains would keep on a chief executive who was sent to prison for cyber fraud. Tsastsin is quoted in a Rove Digital press release as late as July 2008.

I asked that very question of Hillar Aarelaid, team director of the Estonian Computer Emergency Response Team (CERT Estonia). Aarelaid maintains that Tsastsin long ago ceded control of EstDomains to organized cyber criminals in Russia.

"To understand EstDomains, one needs to understand the role of organized crime and the investments coming from that, their relations to hosting providers in Western nations and the criminals who ply their trade through these services," Aarelaid said.

Indeed, for years EstDomains appeared to be the registrar of choice for the infamous Russian Business Network. You could hardly look up malicious Web site hosting nasties like CoolWebSearch and other spyware programs without finding records that traced back to EstDomains.

That is, until the RBN's disappearing act late last year, when this publication and others began exposing RBN's ties to child pornography and financial fraud Web sites.

While the RBN may have faded into the background, experts say EstDomains still remains among the top registrars for spam and scam Web sites, as well as child pornography. Working with several security experts who help law enforcement officials track down child porn sites, Security Fix identified at least two Web sites registered through EstDomains that are currently selling access to child porn.

Tsastsin said he would investigate the child porn claims, and terminate any other reported sites that violate the company's abuse agreement.

"Our projects are totally legitimate and they are not involved in any shady activities. As we have thousands of domain names it is nearly impossible to trace all activity on all of them, so the best manner to trace some shady domain is the abuse report," Tsastsin wrote. "As soon as we get one, we deal with it very seriously. Moreover, we investigate the account which contained the abusive domain, and in case of any suspicious domain's disclosure, we suspend the whole account, and after that we are looking for possible connections to other accounts, which we suspend as well. That is our policy and we follow it strictly."

Tsastsin called claims that EstDomains is somehow involved with Russian organized crime "rubbish." Konstantin Poltev, registry liaison with EstDomains, also scoffed at the accusation.

"I sincerely hope that you will choose Google for your further investigation and gather the information without using the sources you have indicated as reliable," Poltev wrote to Security Fix. "I assume that the independent investigation shall definitely show you that the person who granted us the 'cybercrime registrar' title has made a mistake."

For his part, Aarelaid said he hopes security experts can keep the pressure on registrars like EstDomains to increase their costs and potentially to put them out of business.

"If the total cost of ownership goes up -- and upstream [Internet backbone] providers stop routing for them, they may go to another place, move to a new project," he said. "These guys are not evil, they are just after big and easy money. If your investment is returning 10,000 percent and then it starts to eat money, it's not big and easy anymore."

Last week, within hours of our feature on cyber fraud routed through Internet service provider Atrivo (a.k.a. Intercage) -- EstDomains' ISP -- two of Atrivo's largest backbone providers abruptly dropped all direct connectivity to the company, leaving it with just one major upstream provider. On Sunday, that remaining provider -- Boca Raton, Fla.-based WVFiber -- said it would sever ties with Atrivo by Thursday at the latest.

Tsastsin says he's not too concerned if Atrivo drops offline. "If Intercage is nevertheless cut off from the Internet, it won't affect EstDomains much. Our infrastructure is so compact and well-organized that we can easily move to another location in less than 24 hours. So we see no sense in pressing Intercage, as it will be better for all of us to solve the problems and to get rid of problematic customers together."

In a blog post last month about the relationship between EstDomains and Atrivo, anti-spam organization Spamhaus.org suggested law enforcement action against the two entities was long overdue.

"We assume that every law enforcement agency with a cyber-crimes division has a dossier bursting at the seams on Atrivo/Intercage and its tentacles such as Esthost, Estdomains, Cernel, Hostfresh," Spamhaus wrote. "The only question on everyone's mind is which agency will beat the others to shutting the whole place down and indicting the people behind it. Because if shut down, one thing is certain: the amount of malware-driven crime on the Internet would drop overnight as cyber-criminals rush to find a new crime-friendly host - difficult to find in the US, as Atrivo/Intercage is one of the very few remaining dedicated crime hosting firms whose customer base is composed almost, or perhaps entirely, of criminal gangs. More importantly, millions of Internet users currently being targeted by the malware gangs operating from Atrivo/Intercage will be, for a while, safer."