Saturday, 6 September 2008
Atrivo/InterCage - Malware Haven
While the U.S.-based Internet hosting provider Atrivo (aka InterCage) has never really fallen off the radar, it has certainly been receiving a lot more attention lately. For the past week it has been the subject of a whitepaper at www.hostexploit.com and of further profiling on the Washington Post's Security Fix blog. These two are not the first to raise red flags or call people to action about Atrivo; far from it, as Atrivo has long been a focus for those watching the darker side of the Internet. What is new is that they have been putting the evidence together and applying pressure, which is arguably exactly what needs to be done.
As a result of all this, we decided to do a little digging in our own data to see what we could come up with. Given that we have been familiar with Atrivo for some time, what we found was not a huge surprise. However, we thought we would provide some more information for anyone who is interested or still skeptical. The following information comes straight from our own databases and is based on queries for AS 27595, the autonomous system number that belongs to Atrivo.
Atrivo/InterCage - ASN 27595:
-----------------------------
Unique MD5 samples making HTTP connections: 22,626
Number of HTTP DDoS botnets (by unique IP) we have observed: 3
Number of DDoS attacks (by unique IP) from it we have observed: 10
Number of DDoS attacks (by unique IP) against it that we have observed: 26
In plain English, this means that we have 22,626 different binaries that made some sort of HTTP-based connection to an address in Atrivo's ASN. The vast majority of our binaries are quite malicious. At least three HTTP-based DDoS botnets we monitored were housed in Atrivo's ASN, that is, their command-and-control servers were hosted there, and from those three botnets we saw at least ten different attacks issued. Finally, the last statistic carries little weight but may be of interest: we saw at least twenty-six DDoS attacks against Atrivo from different sources.
As you can see, they have quite a bit of malware talking to them, which in turn means there is a lot of malware and a lot of control centers hosted there as well. Atrivo ranks #12 on our list of ASNs by unique MD5 count: only 11 other ASNs have more malware making HTTP connections to them than Atrivo does. It would appear we still have some work to do, but since one of the top 20 is the center of attention right now, we thought we would throw in our two cents. Finally, we are not saying that all systems or activity in Atrivo's ASN are malicious. However, our data, along with the data of others, clearly indicates that there is a significant amount of malicious activity going on there that is certainly cause for concern.
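The "unique MD5 list by ASN" ranking described above is, at its core, a longest-prefix IP-to-ASN lookup over sandbox connection records followed by a per-ASN count of distinct sample hashes. The script below is an added illustration of that method and is not Shadowserver's code or data: the prefix table (documentation address ranges) and the sandbox records are constructed for the example, and the only real identifier in it is AS27595, which the post names. It deduplicates by MD5 (one sample contacting two hosts in the same ASN counts once), filters to the protocol being counted, and lets a more-specific prefix override a covering one, which is the detail most likely to misattribute a hit if skipped.

```python
"""Rank autonomous systems by the number of unique malware samples whose
sandbox runs made HTTP connections into them.

Added example, not Shadowserver's code. PREFIX_TO_ASN and RECORDS are
constructed; AS27595 (Atrivo/InterCage) is the only real value, taken from
the post. The other ASNs are private-use numbers (RFC 6996) and the
prefixes are documentation ranges (RFC 5737).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix-to-ASN table. A real one comes from BGP routing data.
# Longest prefix wins, as in a routing table.
PREFIX_TO_ASN = [
    (ip_network("192.0.2.0/24"), 27595),     # Atrivo/InterCage, per the post
    (ip_network("192.0.2.128/25"), 64500),   # more-specific carve-out, private ASN
    (ip_network("198.51.100.0/24"), 64501),
    (ip_network("203.0.113.0/24"), 64502),
]

# Constructed sandbox records: (md5 of sample, destination IP, protocol).
RECORDS = [
    ("a" * 32, "192.0.2.10", "http"),
    ("a" * 32, "192.0.2.11", "http"),     # same sample, second host: still one MD5
    ("b" * 32, "192.0.2.200", "http"),    # inside the /25 carve-out -> AS64500
    ("c" * 32, "192.0.2.12", "http"),
    ("d" * 32, "198.51.100.5", "http"),
    ("e" * 32, "203.0.113.7", "irc"),     # not HTTP: excluded from the HTTP count
    ("f" * 32, "10.0.0.1", "http"),       # no matching prefix: left unattributed
]


def lookup_asn(ip):
    """Longest-prefix match of an IP against the table; None if no prefix covers it."""
    addr = ip_address(ip)
    best = None
    for net, asn in PREFIX_TO_ASN:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def unique_samples_by_asn(records, protocol="http"):
    """Map ASN -> set of distinct sample MD5s that contacted it over `protocol`."""
    seen = defaultdict(set)
    for md5, ip, proto in records:
        if proto != protocol:
            continue
        asn = lookup_asn(ip)
        if asn is None:
            continue
        seen[asn].add(md5.lower())
    return seen


def rank_asns(records, protocol="http"):
    """Return [(asn, unique_sample_count)] sorted by count descending, then by ASN."""
    counts = {asn: len(md5s)
              for asn, md5s in unique_samples_by_asn(records, protocol).items()}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def rank_of(asn, records, protocol="http"):
    """1-based position of `asn` in the ranking, or None if no sample contacted it."""
    for pos, (candidate, _) in enumerate(rank_asns(records, protocol), start=1):
        if candidate == asn:
            return pos
    return None


if __name__ == "__main__":
    for asn, n in rank_asns(RECORDS):
        print(f"AS{asn}: {n} unique samples making HTTP connections")
    print("AS27595 rank:", rank_of(27595, RECORDS))
```

On the constructed records AS27595 ends up first with two distinct samples, the sample that hit 192.0.2.200 is credited to the more-specific AS64500 rather than to the covering /24, and the IRC connection and the unrouted 10.0.0.1 destination are not counted at all. Running the same aggregation over real sandbox output requires only swapping in a real prefix table and record source; the ranking logic does not change.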


