A report from a trio of known open source security analysts is out and covers the US-based Atrivo, aka Intercage. Dubbed the “US RBN” by some, Atrivo has been, to quote someone in the business:
“At almost every Internet security conference, or law enforcement seminar on cyber-crime, a presentation will detail some attack, exploit, phish or financial crime that has some nexus at Atrivo/Intercage.”
Source: Vincent Hanna, Spamhaus.org.
Within a day or two of the research article’s publication, Global Exchange de-peered with them (GBLX had been a BGP peer providing transit, one of two or three distinct ASNs doing so). It’s unknown what debates went on inside GBLX before this action, but the suggestion is pretty clear: public analysis of overtly hostile networks with a long history of security issues can lead to changes. Last year’s collection of reports on RBN (from iDefense, Shadowserver, and others) led to the dissolution of RBN.
On my team, we’ve been seeing a lot of Atrivo over the years: rogue DNS servers that will send the user to a malicious website if they should typo, configured through DnsChanger malware; lots of fake AV product hosting lately; malcode drops and pickups. Our database is full of these droppings of information.
The fact that this network is supposedly hosted in the US – in the Bay Area, in fact – is especially surprising. It is unclear to me why they were permitted to operate without any significant investigation by law enforcement. Perhaps it was a lack of priority, or a lack of complaints. Ultimately this is a drop in the bucket in the battle against malicious network operations. We can’t be naïve and think that they’ll simply cease operations; we should expect that they’ll be back and relocate. The question is where.