All that craziness that the world was going to end turned out for naught. But it was fun while it lasted.
Incidentally, there’s a great webcam of the LHC here. Worth watching for a minute or two — fascinating to watch the scientists at work.
Alex
The Great Years: 2004-2010
So… what kind of domains are on Intercage?
Gary Warner wanted to find out and has now posted the Mother of all Lists of (almost) all Intercage domains.
From Gary: “The domains listed … all came from the sites above, but it is not an entirely complete result. My tool would only allow 2,000 domains per IP, and there were two IPs that exceeded that limit. 69.50.188.3 had 3,978 domains listed, and 69.50.160.211 had more than 10,000 domains listed. Both of those result sets were truncated as a result.” (More explanation here).
At any rate, the list, sans those two IPs, is here (txt).
Nice work, Gary. A very useful list indeed.
Alex Eckelberry
Wow. Just… wow.
EstDomains, Inc: Global Struggle Against Malware Distribution
EstDomains, Inc, a US-based domain name Registrar, officially declares opposition to malware mongers in order to protect Internet users from attacks on their computers or stealing of their important data. EstDomains, Inc pays special attention to domain name holders’ private data protection and secure money transaction operations. It can be said in all modesty that EstDomains, Inc has succeeded in protecting its customers from any possible occurrence of fraudulence or cracking. However, being an eminent member of the interactive community, EstDomains, Inc management along with other giants of online industry continues its struggle against malicious software distribution and is giving its best to work out even more efficient solutions for detecting malware sources.
More here (thanks Ferg).
Alex Eckelberry
Thanks to Patrick Jordan for the information.
AntiVirus Lab 2009 is a new rogue security product, a near clone of Antispycheck.
AntiVirus Lab 2009 Home page:
66.232.113.62 Viruslabs2009. com
The following site is used for direct installation:
91.203.93.37 Iwantfriday. com
Detection by existing antivirus engines on this one is really poor.
Bharath M N
Heads up to Patrick Jordan for the information. Now the rest of the story.
Zlob Trojan Distributing site:
77.91.231.183 Classicmediapl. com
Scam Internet Security Page:
91.203.92.11 Sweathomepage. com
404 Error Page Scam:
91.203.92.12 Amistypedurl. com
Security Guide Scam Page:
91.203.92.12 Linkfordesktop. com
Ad-Server-Gate Pages:
91.203.92.11 Yuiqd. com
91.203.92.11 Hfnvp. com
Protection Center Scam Page:
91.203.92.12 Observesecure. com
Scam Security Toolbar site:
91.203.92.12 Aglobaltoolbar. com
IE AntiSpywareStore site:
216.255.179.244 Enhancedie. com
Other sites used in this scam
Antivirus 2009 Fake/Scanner page:
78.159.118.168 Prtectionactivescan. com
Please stay clear of these sites.
Bharath M N
Zlob Trojan Distributing site:
77.91.231.201 Immediallc. com
77.91.231.183 Softlayerdll. com
Scam Internet Security Page:
85.255.116.210 Dailyhomesite. com
404 Error Page Scam:
85.255.116.214 Nowherepage. com
Security Guide Scam Page:
85.255.118.34 Firstaidclicks. com
Ad-Server-Gate Pages:
85.255.118.37 Oryfn. com
85.255.118.38 Eufks. com
Protection Center Scam Page:
85.255.118.34 Aprotectionhelp. com
Scam Security Toolbar site:
85.255.118.211 Safensecurebar. com
IE AntiSpywareStore site:
216.255.179.245 Ieextend. com
Please stay clear of these sites.
Bharath M N
List of new cloned rogue security products.
Windows Antivirus
92.241.163.30 Windows-av. com
Windows Antivirus is a clone of Windows AntiVirus 2008.
Micro Antivirus 2009
91.208.0.223 Microantivirus2009. com
Micro Antivirus 2009 is a clone of MS Antivirus.
Antivirus Security
78.159.114.116 Antivirussecurity-solution. com
Antivirus Security is a clone of XP Antivirus, and its home page looks similar to that of Internet Antivirus.
Bharath M N
Zlob Trojan Distributing site:
IP: 77.91.231.201
Intervidd. com
IP: 77.91.231.183
Pwrware. com
The Zlob trojan downloads and installs a new variant of the MS Antivirus rogue security application.
Scam Internet Security Page:
IP: 85.255.116.212
Homepagetoday. com
404 Error Page Scam:
IP: 85.255.118.243
Brokenurls. com
Security Guide Scam Page:
IP: 85.255.118.210
Desklinks.com
Ad-Server-Gate Pages:
IP: 85.255.118.212
Rycsp. com
IP: 85.255.118.213
Cusln. com
Scam Security center site:
IP: 85.255.118.36
Pcsdefender. com
Scam Security Toolbar site:
IP: 85.255.118.35
Webprobar. com
Another component site, reached from the Internet Explorer Tools menu and used to redirect to the other scam pages:
IP: 216.255.179.245
Ieextend. com
Please stay clear of these sites.
Bharath M N
A clone of the Antispyware 2008 XP/WinSpywareProtect family.
85.255.119.14 scan.antispyware-free-scanner com
Not Active as-pro-xp-download com
78.157.142.79 files.as-pro-xp-download com
92.241.163.32 spypreventers com
77.244.220.134 online-security-systems com
77.244.220.134 xpprotector com
77.244.220.134 av-xp2008 net
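The listings in this and the preceding posts write domains in a defanged form (“Viruslabs2009. com”) and use two layouts: the IP and domain on one line, or an “IP:” line followed by the domain. The following script is an added example, not part of the original posts, showing how a practitioner would turn such lists into something a resolver can enforce: it refangs the names, tolerates both layouts and the “Not Active” entries, groups the hosts by /24 so that the clustering on a single hoster’s adjacent addresses stands out, and emits DNS RPZ records. The sample lines are copied from the lists above; the /24 grouping and the RPZ output format are this example’s choices.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the listings above (the page's own defanged notation).
SAMPLE_LISTING = """\
Zlob Trojan Distributing site:
77.91.231.183 Classicmediapl. com
Scam Internet Security Page:
91.203.92.11 Sweathomepage. com
Ad-Server-Gate Pages:
91.203.92.11 Yuiqd. com
91.203.92.11 Hfnvp. com
IP: 85.255.118.210
Desklinks.com
IP: 85.255.118.212
Rycsp. com
Not Active as-pro-xp-download com
85.255.119.14 scan.antispyware-free-scanner com
"""

IP_LINE = re.compile(r"^IP:\s*(\S+)$", re.IGNORECASE)
# The defanging is a space (optionally after a dot) before the final label.
DEFANGED_TLD = re.compile(r"\s*\.?\s+([A-Za-z]{2,6})$")


def refang(domain: str) -> str:
    """'Viruslabs2009. com' -> 'viruslabs2009.com'; intact names pass through."""
    return DEFANGED_TLD.sub(r".\1", domain.strip()).lower()


def is_ipv4(text: str) -> bool:
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


def parse_listing(text: str):
    """Return [(ip_or_None, domain), ...] from the two layouts used in the posts:
    '<ip> <domain>' on one line, or 'IP: <ip>' followed by the domain on the next."""
    entries, pending_ip = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):            # blank or a category heading
            continue
        m = IP_LINE.match(line)
        if m:
            pending_ip = m.group(1)
            continue
        if line.lower().startswith("not active"):     # dead site, no IP recorded
            entries.append((None, refang(line[len("not active"):])))
            continue
        ip, _, rest = line.partition(" ")
        if rest and is_ipv4(ip):
            entries.append((ip, refang(rest)))
        elif pending_ip:
            entries.append((pending_ip, refang(line)))
            pending_ip = None
    return entries


def by_netblock(entries, prefix_len: int = 24) -> dict:
    """Group domains by /24 so that one hoster's adjacent addresses stand out."""
    groups = defaultdict(list)
    for ip, domain in entries:
        if ip is not None:
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            groups[str(net)].append(domain)
    return dict(groups)


def to_rpz(entries) -> list:
    """Emit DNS response-policy-zone records that NXDOMAIN each name and its subdomains."""
    lines = []
    for domain in sorted({d for _, d in entries}):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return lines


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    for net, doms in sorted(by_netblock(found).items()):
        print(f"{net:<20} {len(doms)} domain(s): {', '.join(doms)}")
    print("\n".join(to_rpz(found)))
```

Feeding the script the full set of lists from these posts makes the pattern in the addresses obvious: the scam landing pages, 404 pages and toolbar sites rotate across a handful of /24s, so blocking by netblock as well as by name is the more durable control.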
Intercage, the reviled ISP that has a fairly repulsive track record of turning a blind eye to hosting of malware, looks like it might finally be going down in flames.
Too soon for massive partying and dancing in the streets, but it’s certainly acceptable to have a little happy dance.
Stay tuned to Brian Krebs’ blog, where he is giving the blow-by-blow. Like this update this morning:
Update, Monday, Sept 8, 12:00 p.m. ET: Todd Braning, vice president of BandCon, just e-mailed me to say that BandCon also has stopped providing connectivity to Atrivo/Intercage. From his e-mail: “Intercage, a new customer, was connected to the BandCon Network for a total of about a week. Once we recognized an issue with Intercage, BandCon took immediate action and terminated services. We are no longer providing services to AS27595. This can be confirmed here.”
WVFiber is the only company still providing direct connectivity to Atrivo, and as stated before they plan to pull the plug by Thursday at the latest, so it appears that Atrivo will have to find another network provider or it will very soon cease to be reachable on the Internet.
Brian also just wrote another blog post about Estdomains, where he mentions Sunbelt’s Patrick Jordan’s work in the area of tracking bad websites. Nice work Patrick.
And to Brian: Thank you for your continued hard work in uncovering these issues. Your work is making a difference.
Alex Eckelberry
A bit of a surprise…(If you’ll recall, the Norwich Bulletin could not have been described as a friend of Julie’s in the past.)
Prosecute, or drop charges
If the New London State’s Attorney’s Office is still sure it has a solid case against Amero, it should present that case at trial and allow Amero’s defense to refute the evidence. If not, then the state has an obligation to drop the charges and allow Amero to get on with her life without this cloud hanging over her. To do nothing is an injustice.
This case generated worldwide publicity at the time of Amero’s arrest nearly four years ago. It has resulted in hundreds of people coming to her defense, including a cadre of computer experts who claim Amero was the victim, not the perpetrator. The computer experts claim it was the school that was at fault for not providing the computers with the firewall protections against the unseen spyware and adware that caused the images to appear.
The state, meanwhile, maintains it was Amero surfing the Web looking for pornographic material during class, and allowing students to be exposed to it.
It’s time for the state to prove its claims or drop the charges.
Link here, with additional commentary by Rick Green of the Hartford Courant here.
Alex Eckelberry
(And if you’re not familiar with Julie Amero, this search result will give you an idea.)
New rogue clone of Antivirus XP 2008, XP Protector 2009 (Winifixer).
77.244.220.134 online-security-systems com
77.244.220.134 xpprotector com
77.244.220.134 av-xp2008 net
Patrick Jordan
More breaking news from Brian Krebs at the Washington Post. This is getting really interesting…
Update, Sunday, Sept. 7, 8:02 p.m.: I spoke today with Randy Epstein, president of WVFiber and co-founder of Host.net, which acquired WVFiber just six weeks ago. Epstein said after reading reports from Security Fix, Hostexploit.com, Spamhaus.org and others about cyber crime activities at Atrivo, WVFiber has decided to drop Atrivo as a customer. WVFiber plans to stop providing upstream connectivity to Atrivo by Wednesday or Thursday at the latest, Epstein said. That would leave Atrivo with just a single upstream provider — Bandcon.
Update, Sunday, Sept. 7, 9:15 p.m.: nLayer Communications, a company that owns a significant slice of the Internet addresses used by Atrivo/Intercage, is demanding that Atrivo vacate the space and return the addresses by Sept 30.
“Atrivo/Intercage has not been a direct customer of nLayer Communications since December 2007, but they still have some legacy reallocations from our IP space,” wrote nLayer co-founder Richard A. Steenbergen, in an e-mail to Security Fix. “Since they are no longer a customer, we require that they return our non-portable IP space, and have given them a deadline of September 30th to do so. If the IP space is not returned by that point, we will follow standard procedure to reclaim it, including null routing the space, and sending cease and desist letters to any network who still transits it without our permission.”
According to Steenbergen, Atrivo/Intercage must return roughly 7,400 IP addresses.
Link here.
Alex Eckelberry
(Thanks, Ferg)
As is well known, malware authors routinely use packers (aka “protectors”) to disguise their files (as well as to decrease their file size).
A number of AV products simply blacklist anything that’s packed, thus not having to bother with emulating the executable and finding out what’s really inside. (Like many AV companies, we do this for some obvious malware packers ourselves, but it has to be done with an extensive in-house whitelist to verify that you’re not going to get false positives.)
Just as a curious experiment, I recently packed notepad.exe into a variety of packer formats and submitted them to VirusTotal. (I’m not the first to do this exercise, either — a similar exercise was shown by VirusBuster at CARO in May.)
This is a minuscule sample, but it allows you to see the various levels of aggressiveness on detecting packers by AV engines. It also shows why some engines have incredibly high detection rates on VirusTotal: a packed but perfectly clean notepad.exe counts as a “detection” for every engine that flags the packer rather than the payload.
Notepad.exe packed with MEW (packing with FSG will likely show similar results as well).
Notepad.exe packed with UPX (UPX is the most common packer, used for many legitimate applications — it’s a very dangerous packer to blacklist, since false positives will be through the roof.)
Notepad.exe packed with PEspin
Notepad.exe packed with PECompact
In the end, blacklisting packers is going to be old news, because malware authors have changed and are now doing all kinds of exotic custom packing, and in many cases not packing at all.
Alex Eckelberry
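To make the trade-off in the packer post concrete, here is an added example (not code from the post or from any Sunbelt product) of the two decisions an engine makes on a packed file: recognise the packer from what it leaves in the PE section table, and consult a whitelist before acting on that, so a legitimate UPX-compressed tool is not flagged. It also shows the entropy heuristic that is all that remains once a custom packer leaves no tell-tale section names. Assumptions: the section-name table holds only the documented UPX names, the 7.2 bits/byte threshold is illustrative, and the PE images are constructed in memory to stand in for the packed notepad.exe samples.

```python
import hashlib
import math
import struct

# Section names the UPX packer leaves in a file it has compressed.
# Assumption: a real engine's table is larger and tuned from samples;
# UPX is the only entry here because its names are well documented.
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX"}

# Compressed or encrypted section bodies sit close to 8 bits of entropy
# per byte. Assumed threshold; tune it against your own corpus.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for a constant run, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS stub -> PE signature -> COFF header -> section table and
    return [(name, raw_bytes), ...] for every section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_header_size          # 4 (signature) + 20 (COFF header)
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def classify(pe: bytes, trusted_sha256: set) -> dict:
    """Blacklist-by-packer with a hash whitelist checked first, so a known-good
    packed binary (e.g. a UPX-compressed legitimate tool) is never flagged."""
    digest = hashlib.sha256(pe).hexdigest()
    sections = parse_sections(pe)
    entropies = {n.decode("ascii", "replace"): shannon_entropy(d) for n, d in sections if d}
    packer = next((PACKER_SECTIONS[n] for n, _ in sections if n in PACKER_SECTIONS), None)
    if digest in trusted_sha256:
        verdict = "trusted"
    elif packer:
        verdict = f"packer:{packer}"
    elif entropies and max(entropies.values()) > ENTROPY_THRESHOLD:
        verdict = "high-entropy"
    else:
        verdict = "unpacked"
    return {"sha256": digest, "packer": packer, "entropies": entropies, "verdict": verdict}


def build_pe(sections) -> bytes:
    """Construct a minimal, non-executable PE image with the given
    [(name, body), ...] sections, for exercising the parser offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                      # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    header_len = e_lfanew + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_off = (header_len + 0x1FF) & ~0x1FF                             # 0x200 file alignment
    table, bodies, va = b"", b"", 0x1000
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), va,
                             len(body), raw_off, 0, 0, 0, 0, 0x60000020)
        bodies += body
        raw_off += len(body)
        va += (len(body) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\0" * (((header_len + 0x1FF) & ~0x1FF) - len(image))
    return image + bodies


# Constructed inputs standing in for the packed notepad.exe samples in the post.
UNIFORM = bytes(range(256)) * 16                          # 8.0 bits/byte, like a compressed body
UPX_LIKE = build_pe([(b"UPX0", b"\0" * 64), (b"UPX1", UNIFORM)])
PLAIN = build_pe([(b".text", b"\x90" * 1024 + b"\xc3"), (b".data", b"hello notepad " * 50)])
CUSTOM_PACKED = build_pe([(b".text", UNIFORM)])           # custom packer: no tell-tale names

if __name__ == "__main__":
    for label, sample in [("upx-like", UPX_LIKE), ("plain", PLAIN), ("custom", CUSTOM_PACKED)]:
        print(label, classify(sample, set())["verdict"])
    print("upx-like, whitelisted", classify(UPX_LIKE, {hashlib.sha256(UPX_LIKE).hexdigest()})["verdict"])
```

The whitelist runs before the packer check, which is the whole point of the post: without it, every UPX-compressed legitimate binary becomes a false positive. The custom-packed sample shows the weaker position an engine is left in when the section names are gone and only a high-entropy body remains, which on its own also describes installers, media and encrypted archives.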
I got a note from a contact at the FTC last week about their revamped educational site, Onguardonline.
I wanted to let you know that we re-vamped OnGuardOnline.gov, the website about computer security from the federal government and the technology industry.
A just-released Web 2.0 redesign allows users to grab and embed games and videos, search for topics on the site, take a “show of hands” poll, and have a more interactive experience while getting useful tips and information about computer security.
There are articles and engaging games on sixteen topics – including social networking, phishing, email scams and laptop security; plenty of buttons and banners you can post on your blog; free publications consumers and organizations can order; and links to the OnGuard Online partners from the public and private sector.
Feel free to take a spin around the site and drop your comments here.
Alex Eckelberry
On the heels of a post by Brian Krebs about Atrivo’s biggest backbone provider pulling the plug, we have this post today from Russ at Intercage on NANOG:
Hello Everyone,
Good morning.
Seeing the activity in regards to our company here at NANOG, I believe this is the most reasonable and responsible place to respond to the current issues on our network. We hope to obtain non-biased opinions and good honest and truthful information from the users here. Being that there are much larger operators here than us, what kind of insight can you give to the issues that have arisen?
We’ve near completely removed (completion monday 09/08/08) Hostfresh from our network. 2 of their /24’s have been removed:
58.65.238.0/24 dropped
58.65.239.0/24 dropped
The machines they leased from us have been canceled. What do you suggest for the next move?
Thank you for your time. Have a great day.
Alex Eckelberry
Following on my previous post on support, Jamie Hudson is Sunbelt Software’s Director of Technical Support. Larry Jaffe here had the opportunity to sit down with her last week and discover what it is like to run such a vast in-house operation.
What is your objective?
As Director of Technical Support, my objective is to provide the highest quality of service possible to our customers. Our customers are very important to us and quite simply without them we would not be successful.
One of my goals is to make our support department more visible to our customers. Recently I opened up a board on Getsatisfaction.com to make our company more visible. Customers can log onto that site and report issues on the products or talk about the products. Our support actively monitors this forum. Another way we reach out to our customer base is by sending a customer service survey after each ticket has been closed. Each response is personally looked at by me. If a customer is unhappy, I respond to them, or if they have feedback, I take that and decide how feasible it would be for our support department. We are very open to customer feedback and are working towards making ourselves more accessible to our customers.
Sunbelt caters to both home and enterprise users. Does this require different parameters for each, or is your overall purpose the same?
There are four different departments within support. The first team that all of our customers will encounter is our coordinator team. The coordinators answer all of the incoming calls, create tickets, and then pass the calls onto an available technician. They also make tickets for every single email that we receive in our support inbox. Our other teams are as follows: one supports our home and home office users and one supports our enterprise users. We also have a team that provides specialized install services and onsite installs for our email archiving product. The departments are quite different in their needs but the overall purpose of giving the highest quality of service is universal across all teams.
What do you look for in support personnel, i.e. what makes a good support person?
I mentioned this previously, but we have four departments that fall under the umbrella of our support. Each requires a different skill set but in general, I look for individuals with previous technical experience. Of course, this technical experience differs depending on the department they are interviewing for. I also look for people who are very eager to learn. I find this to be a key ingredient to a successful support technician for Sunbelt.
Sunbelt is one of the few companies that is still doing Tech Support in house and in the U.S. Can you tell me why you chose this route?
Having U.S.-based support sets Sunbelt apart from most of our competitors and allows us to provide the highest quality service that we can. Our products are developed internally in the same building that our support resides in, and this allows us to report issues and get them fixed for our customers in a much more timely fashion. I also believe the quality of service with offshore support is nowhere near the level of support that we already provide. The number one compliment our support receives is that we are in the U.S., and because of this we can cater to our customers’ needs more efficiently. For me the old saying of “If it isn’t broken, don’t fix it” applies here.
Isn’t it more expensive?
I have researched both offshore support and keeping support in our current location. It is a little more expensive to keep it in the U.S., but not as expensive as you would think.
What are the benefits to both the user and to Sunbelt?
There are so many benefits to having our support in the U.S. but I will only list the most important benefits below:
- Communicating with our support department is easier for our U.S. based customers
- Our support department is in the same building as our development team. This means we can get bugs communicated quicker to development and in turn resolved quicker
- Management of a centralized support department is much easier hence the department will run smoother
- Sunbelt is able to more easily meet our customer’s needs and desires
Well, of course, I completely agree with Jamie.
A couple of new sites distributing the Zlob Trojan.
IP:77.91.231.183
plupdate. com
IP:77.91.231.201
vbrstream. com
As we always say please stay clear of these sites.
Bharath M N
On the heels of a critical Washington Post article, someone from Estdomains has joined the MalwareBytes forum and claims to be taking action.
We’ll just have to watch and see.
Alex Eckelberry