Network News

X My Profile
View More Activity

Report Slams U.S. Host as Major Source of Badware

Last week, I examined a series of Web services that make profiting from cyber crime a point-and-click exercise that even the most novice hackers can master. Today, I'd like to highlight the activities of Atrivo, a Concord, Calif., based network provider that hosts some of these services.

Several noted security researchers are releasing a report today that stems from many months of investigating malicious activity emanating from Atrivo's customers. Security experts say that Atrivo, also known as "Intercage," has long been a major source of spyware, adware, viruses and fake anti-virus products.

The report is an exhaustive and well-researched analysis of Atrivo and its operations. Some of the statistics on active exploits cited in that report come from data sets I commissioned during my own investigation of Atrivo and later shared with Jart Armin, the principal author of the report and curator of the blog

Looking back several years, Atrivo's various networks were used heavily by the Russian Business Network, an ISP formerly based in St. Petersburg, Russia. RBN had gained notoriety for providing Web hosting services catering exclusively to cyber criminals. But after increased media attention, RBN dispersed its operations to other, less conspicuous corners of the Internet.

The portions of Atrivo most heavily used by RBN were Hostfresh -- which provides routing for Atrivo through Hong Kong and China -- and UkrTeleGroup (also known as Inhoster) out of Ukraine. These two networks remain core components of Atrivo's operation, and recent data suggests the company's reputation for supporting online criminals hasn't diminished since the disappearance of the RBN last year. As of last December, Atrivo boasted the largest concentration of malicious activity of any hosting company, according to a report released by security intelligence firm iDefense.

"While Intercage has legitimate clients and professes intolerance for abuse, it continues to turn a blind eye to massive amounts of cyber crime," iDefense analysts wrote. "Intercage Inc. previously operated as Atrivo Inc.; it was already infamous for abuse then and has not improved its reputation since changing names."

Emil Kacperski, Atrivo's founder, said he has been trying to clean up the company's image.

"I work very hard to make sure that everything is kept at bay," Kacperski said in an e-mail to Security Fix. "Unfortunately as you can understand being a dedicated server provider there isn't a way for us to control the content on the servers. We can only respond to abuse reports and then proceed to shut down a server or take other action."

Atrivo appears to have very recently made some strides in policing its network. According to, a partnership between Google, AOL, Verisign and researchers from Harvard and Oxford, close to six percent of Atrivo's IP space was malicious back in February. Today, Google flags about half as much Atrivo IP space as hostile.

Maxim Weinstein, manager of StopBadware, said Armin's research raises questions about the degree to which firms such as Atrivo, are aware of, and ignore, badware activity on their systems.

"Some of the companies included in the report have built a reputation in the security community as being havens for this type of activity," Weinstein wrote in an entry on the StopBadware blog.


James McQuaid, one of the researchers who contributed to the Atrivo report, said Atrivo has a history of "shuffling the deck" when security experts complain loud enough about malicious Web sites. McQuaid said when Atrivo does respond to abuse complaints, it is usually for sites that have already been blacklisted by many ISPs and are no longer receiving much traffic.

"To the extent Atrivo does respond to complaints, it does so very selectively," McQuaid said.

Case in point: The report concludes by listing several abuse reports published online earlier this year by CastleCops, a volunteer group that fights malware and phishing activity. The oldest of those reports date back to January 2007, and name malicious sites hosted at Atrivo that are still active to this day.

Detailed stats on the badness found at Atrivo after the jump.

I began taking a second look at Atrivo in March, when a friend had his personal Web site compromised by malicious software that was pulling down updates from an Atrivo address. Security experts at Sunbelt Software determined that a large number of fake anti-virus and DNS changer malware was being hosted at Atrivo sites.

At the time, slightly more than 26,000 Internet addresses were routed through Atrivo. I wanted to know just how much of that space was malicious or hostile. So, I took a random sampling of 2,600 active domains hosted by Atrivo, and asked several security experts to crawl the addresses with various anti-virus scanners and intrusion detection tools to see how many were flagged as malicious.

Matt Jonkman, founder of, scanned that list of 2,600 domains with the latest threat signatures from Snort, an open-source intrusion detection and prevention system. Among other results, Jonkman found 113 Atrivo addresses being used as "command and control" servers directing the operations of separate botnets, or agglomerations of thousands of hacked PCs that are used for everything from spamming to phishing to attacking others online. Keep in mind, that's 113 botnet C&Cs found in just 10 percent of Atrivo's address space.

I sent the same list to Secure Computing Corp., a San Jose based security provider. After crawling that same sample of Atrivo's IP space, analysts at Secure Computing found it easier to list the few dozen or so sites that weren't malicious or promoting illegal pharmacies and pirated software (the kind of sites often advertised via junk e-mail). The rest were either inactive "parked" pages or porn sites, Secure Computing found.


Then, I checked out Atrivo's reputation as measured by StopBadware, whose Google-fed database listed 35,449 mostly legitimate, hacked Web sites that were pulling down malicious software from addresses on Atrivo's IP space. On just one of dozens of blocks of Internet addresses routed through Atrivo (a set of 256 IPs belonging to Hostfresh), Google found more than 221,000 Trojan horse programs, 9,773 Web browser exploits, and nine computer worms.

One of those legitimate, hacked sites listed by StopBadware was In late June, Peter Pitchford, a Web site designer from New York, was redesigning the site for a friend when he discovered Google was flagging it as a distributor of malicious software. Digging through the site's code, he found that it was attempting to infect any visiting PCs with "XPAntivirus," a notorious fake anti-virus product. The code that hackers had inserted into the site downloaded the malware from an address assigned to Atrivo.

But in attempting to cleanse the Web site of the offending code, Pitchford accidentally infected his own Windows PC with XPAntivirus. He said it took him nearly two days of work to disinfect his machine, mainly because the program blocked him from accessing popular security Web sites that might host useful tools to help remove the invader.

In a follow-up post, Security Fix will examine the activities of Atrivo's largest customer: domain name registrar ESTDomains.

By Brian Krebs  |  August 28, 2008; 1:51 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: White House Imposes New Security Mandate for Federal Agencies
Next: FBI Warns of Hit Man Scam Resurgence


Great post, Brian. I've been tracking Atrivo's activities since 2004 and have had some email exchanges Emil Kacperski. When I complained a second time about an exploit site and sent him the video I made of the exploit happening, he said he shut it down. But instead of being shut down, it got moved to a different IP address in another block controlled by Esthost, which is, or was at that time, part of Atrivo. I know some folks who have been tracking badness on Atrivo since 2002. I am very skeptical of Emil's claims of ignorance about the badware on his servers because people have been notifying him for years, it's been written up for years, and large portions of his IPs have been blacklisted off and on for years.

Estdomains is another story...looking forward to that one also.

Posted by: Suzi | August 28, 2008 6:46 PM | Report abuse

Why are companies such as this allowed to exist? Companies like Napster and Kazoo get hammered with lawsuits and are forced out of business, because they provide a service deemed to be illegal. Atrivo and others like it, provide a service that SHOULD be illegal, yet they are allowed to continue on their merry way making life miserable for the rest of us. Methinks the world is so full of greed it's OK to make money in any way, it's just illegal to share it.

Posted by: scipio | August 28, 2008 10:13 PM | Report abuse

It's amazing how this so called research can be done and still publish such mis-information. My favorite was "Hostfresh -- which provides routing for Atrivo through Hong Kong and China --". WOW could you ever be more wrong. Hostfresh has nothing to do with Intercage except "Eric" owner has some servers with Intercage. Certainly never has Intercage been involved with anything that Eric does overseas where he lives. The list goes on but clearly Brain Krebs had his article already written when he contacted me. Certainly I could of corrected a lot of the article but I guess it wouldn't be as juicy. Shame on you Brian what a sellout! What I wrote you back you didn't even have the decency to include it.

Posted by: Emil K. | August 28, 2008 10:16 PM | Report abuse

Scipio don't be so quick to judge. If you go to and look at the top infected networks for August you will see The Planet and SoftLayer who provide dedicated servers just like I do (Intercage, Inc.). They have been providing servers just as long but they aren't highlighted because there lawyers would be quick on the trail. We have absolutely nothing to do with domain registration, virtual hosting or anything to that affect. But with this misinformation writers lump Esthost / HostFresh / Intercage together which would be the furthest from the truth. Anyone can be mad at me for protecting a customer of mine "Esthost" but wouldn't you if you were so wrongly attacked. What if this article was written on ThePlanet or SoftLayer, surely Brian (Author) would be in deep water.

Posted by: Emil K. | August 28, 2008 11:05 PM | Report abuse

Emil -- Thanks for your comments. Allow me to correct you on a couple of points.

I first contacted you on July 7, and you replied that same day. Some of what you said in that reply is included in my piece.

I contacted you again today and you again responded quickly, but declined to answer my questions.

I expected someone would raise the issue that you have. Namely, why pick on Intercage/Atrivo, when StopBadware's report clearly shows that there are 16 other ISPs/hosts that have a far greater number of malicious sites in their IP space.

The fact is, when you take StopBadware's numbers and look at the number of bad Atrivo/Intercage IPs as a percentage of Atrivo/Intercage total IP space, Atrivo has the third-highest concentration of malicious sites of any provider on StopBadware's list (just ahead of Google, I should add).

Posted by: BK | August 28, 2008 11:37 PM | Report abuse

This is great work Brian. Thank you. Looking forward to your next report.

Posted by: anon1 | August 28, 2008 11:43 PM | Report abuse

Brian you can't say that this article was fair under any light. The percentage that StopBadware got I have absolutely zero idea how that was based. Again I am sure they probably bundled Esthost IP's into Intercage and called it the same. For Hostfresh we route only a few blocks, the rest are routed by the owner "Eric" who we have zero to do with. Again was his ip's used in this calculation? Top Infected network blocks clearly shows ThePlanet or SoftLayer in the top list, where we are not even present.

Today you clearly did a hackjob on Intercage, Inc. / Atrivo / Emil Kacperski along with a lot of misinformation contained in this blog post and the white papers contain numerous errors also.

Nobody is going to care about the issue why pick on me because who here is responsible for 30K+ IP's or run a dedicated server company? It's easy to think one way when you have zero clue what the business is like.

I gave you every opportunity to have dialogue with me and ask questions. You had your opinion made before you even asked the first question to me.

StopBadWare has never made any contact with me or anyone else who wrote this article beside Brian on a couple occasions.

Posted by: Emil K. | August 29, 2008 12:56 AM | Report abuse

Hi Brian

Very interesting post..!
I'm reading security fix from Rome.
Keep going on.

Posted by: Carax | August 29, 2008 3:39 AM | Report abuse

Good to hear from Emil, and will be pleased to report his responses, to:

(a) Thank you for the confirmation Hostfresh is involved with Atrivo/Intercage i.e. except "Eric" owner has some servers with Intercage. Could you assist with advice as to the specific details of these servers in particular?

(b) Can you assist by providing details of 'Eric', his whereabouts etc. Also as 'owner' any corporate details provided to use your facilities?

(c) We have noted and welcome your statement "We will shut down and take offline any servers that have malicious software or causing harm to anyone. But of course we need proof that this is the case." - having proof, can you confirm you will act on this, presumably in a reasonable time say 24 / 48 hours?

(d) It does appear you Atrivo / Intercage (AS27595 ATRIVO) have some communication difficulties responding to any formally requested 'abuse' requests e.g. CastleCops and others. Can we assume you will now act on these immediately?

Look forward to your response on these and other matters.

Posted by: Jart Armin | August 29, 2008 4:20 AM | Report abuse

No matter how you look at it, the fact is Atrivotech-Intercage has been profiting from their relationship with cyber criminals for too many years now.

In plain english, Emil gets paid to host criminals who use his networks to hijack innocent people with malware. For too many years.

These criminals take over innocent people's computers for profit, some computers will even be used as platforms to launch more attacks on other innocent people to make even more money.

Too many people have suffered, too many people have reported on these activities and yet no one with any real power to do anything has taken any notice whatsoever.

Baesd on what has been allowed to continue over the years, nothing will ever really change and nothing much has changed since Emil purchased some of his stolen network IP ranges off some guy in the very beginning.

We ge a lot of excuses, and bandaid attempts to keep people briefly satisfied that a problem has been fixed, but the malware never stops, at best it just moves around.

Emil knows who is behind it all, these people are helping to pay his bills after all.

It is truly mind bogling to think of how many people have been affected over the years because no one has the guts to shut this racket down.

You would think that there would be laws about this sort of profiteering fronm cyber crime in the united states but i guess not.

Even ex-employees have admitted in the past on public mailing lists that the atrivo-intercage network relies heavily on the income from criminal organisations and that an investigation by law enforcement was needed. Many people wait for that day to happen.

I personaly would not believe anything that Emil can say to the contrary to defend these kinds of practices, as these types of people will do anything to protect their malware cash cows.

We need effective action not talk to clean this companies infestated networks off the face of the internet.

Certainly Atrivotech-Inrtercage is not the only player in our malware infested world, but I can guarantee one thing, the internet would be a much safer place for everyone without this criminal internet terrorist safe haven in existence.

If we were to clean up these kinds of criminal networks, there is no better place to start than with Atrivotech/Intercage.

And yes please do a story on EST Domains.. I dare you. ;)

This is just the very tip of the iceberg, the edge of the rabbit hole..

Posted by: Moore | August 29, 2008 4:23 AM | Report abuse

Hearing anything back from Atrivo/Intercage is a good thing, even though in the form of complaining about exposure, since they sure as hell don't respond to abuse mails sent to them.

_If_ what Emil says about actually doing something to abuse is true (which hasn't been the case in the past), I can only sit and wait. Actions are the thing that matter, not just promises or assurations. It should be pretty straightforward to see from statistics whether Atrivo really steps up to the plate and delivers.

Posted by: Toni | August 29, 2008 5:19 AM | Report abuse

Great article Brian!

Posted by: David Taylor | August 29, 2008 9:19 AM | Report abuse

I think Emil's hi-jinks should be brought to the attention of that FBI Anti-Cyber-Crime Guy. Ummmm, never mind.

Posted by: Pete from Arlington | August 29, 2008 12:02 PM | Report abuse

Gr8 reporting! If it looks like a skunk, smells like a skunk, well...

Posted by: Mike | August 29, 2008 12:13 PM | Report abuse

Thank you Brian! A few months ago I was at a business dinner in Denver with a 1/2 dozen other tech company owner-principals when the guy sitting next to me says "I hate thieves", to which I replied that I love that comment and use it often myself. We all pay so much in society for thieving criminals in all their endless manifestations. His comment prompted me to voice my particular disdain for Malware/Adware perpetrators. They are thieves brutally fleecing us of a very significant amount of time and money in our lives and businesses. It's hard to imagine sweeping laws or other mechanisms that might be used to abate their activities as Badware perpetrators, but your reporting on Atrivo is certainly a great and welcomed start.

Posted by: Ety in MD | August 29, 2008 12:23 PM | Report abuse

you have to be really careful about a website that often shows up in google search results called "blogtoplist" dot com. DO NOT browse there. It installs a fake anti-virus program on your computer that is difficult, but not impossible, to remove. The fake program extorts you to pay up by claiming your system is riddled with viruses when the only virus is the fake anti-virus program!

Posted by: dinlaurel | August 29, 2008 12:34 PM | Report abuse

Emil's gratuitous assertions do nothing to undermine the findings of this study. He will stop at nothing in order to continue to provide hosting for the Russian mafiya. Atrivo should be raided and shut down, and its employees should face federal charges for racketeering, conspiracy, and fraud.

Posted by: High Plains Drifter | August 29, 2008 2:12 PM | Report abuse

I want to thank Brian Krebs for his fair and focused coverage of the study that Jart Armin, Matt Jonkman and I worked on over these past months. Brian is very thorough and highly professional.

I should also point out that Spamhaus has just seconded the conclusion of our study in their blog posting "Cybercrime's U.S. Hosts":

Thank you,

James McQuaid

Posted by: James McQuaid | August 29, 2008 2:53 PM | Report abuse

We got a report from Global Crossing on a few malware sites and all have been null-routed. If anyone is serious about helping to get this resolved, please e-mail me at with anything else to drop.

My goal this weekend is to make sure that this community is satisfied.

I should at least be given that chance.


Posted by: Emil K. | August 29, 2008 5:27 PM | Report abuse

Jart Armin we only route and for Hostfresh which is used for his servers with us. Now we are only talking about 30 servers in total and 3 were shutdown today which said to contain a malware domain from Global Crossing.

Of course I can't post his contact details on here for everyone to see. But any other blocks or anything else we have zero to do with HostFresh.

BTW please feel free to contact me on ICQ at 23531098.


Posted by: Emil K. | August 29, 2008 5:52 PM | Report abuse

This article is a bit of a joke IMHO.

For the most part, my impression is that most of the "facts" are based on "internet research" which is generally worthless in the real world. The issues that Intercage deals with are part of daily life when you run a dedicated server business, or any isp for that matter. You have good and bad customers, you try to keep the bad customers out but part of running a successful business is getting customers in the door. Ask a popular webhoster like DreamHost or ThePlanet how many bad-eggs they get and I'm sure the answer might suprise you.

If you want to write a real article, maybe you should actually interview the guy.

Posted by: Tom S. | August 29, 2008 8:48 PM | Report abuse

Emil's comments of today sound awfully familiar. He wrote:

"Nobody is going to care about the issue why pick on me because who here is responsible for 30K+ IP's or run a dedicated server company? It's easy to think one way when you have zero clue what the business is like."

In an email to me on March 29, 2006, he wrote:
"Sorry for the delay been busy the last couple of weeks. First of all let me say that I do understand your frustration in dealing with some of these issues. It hasn't been very easy dealing with them myself and not being behind the scenes it's very easy to make a accusation and be mislead. Intercage, Inc. holds a large number of IP space and over 30 racks of equipment filled with customers. And unfortunately sometimes a abusive customer will pop up. Have to admit that in the past the abuse just got overwhelming and I had to revamp the abuse system. End of last year and toward the beginning of this year we did a massive hunt for abusive customers alongside Esthost and we removed a ton of clients.

Our abuse currently is next to nill as a matter of fact and has been a great success. But I do understand that once in a while someone new will pop up and has to be dealt with. It's also extremely easy to do a quick search and find some random blog or list that was listed in the past.
Personally I have never hid anything and have always been available to contact. No one has even made a effort to get a hold of me beside random blog postings which I don't have time to try and find. And honestly we deal with abuse much more quickly than a EV1 or anyone else like that."

Posted by: Suzi | August 29, 2008 10:30 PM | Report abuse

Going back to at least 2004, a majority of the malware and illegal pharmacy operations for which I receive spam and infection attempts, link back to one or more of the Intercage/Atrivo organizations or clients.

As it happens, yesterday, I came across information about an "Eric" in regards to an internet pharmacy and malware operation connected to and both registered by

Any clarification Emil could offer about the relationship between Estdomains/Esthost and Intercage/Atrivo would be appreciated as would any information Emil would care to offer about "Eric" and/or "Pavel".

Posted by: Anonymous | August 29, 2008 11:24 PM | Report abuse

This isn't very complicated we have zero partners as implied. The only services we provide are dedicated servers / bandwidth / minor co-location. Esthost / Hostfresh have there respective owners and provide services on there own. Never have any of us blended to provide services together. You can believe what you will but I wouldn't know the first thing about writing malware or profiting from it.

Never have I provided incorrect contact information or anything to that matter. Let's see if the experts contact me this weekend to deal with anything that is abusive. Nobody can say that I have ignored a issue as I have been very strict on abuse.

Just take a look at spamhaus SBL's and none of them are active. Spamhaus refuses to remove the few old remaining because then it wouldn't look very good. Nobody is saying that Esthost has never had any abuse issues but certainly the amount of space the hold, it's nothing out of the ordinary. Just take a step back and compare the action in Spamhaus against somoene like me or ThePlanet.

ThePlanet according to has 3464 malware sites and 8 recent SBL's since August. Shouldn't there be a SBL for every malware site. Create a list of all the old SBL's that ThePlanet has had, it's going to be many times over what was listed for Atrivo. But for some reason Spamhaus plays whack-a-mole with ThePlanet and wouldn't even consider adding a major block for them. Day in and day out they add a /32. We never got this kind of treatment, they have blocked our complete ranges for a few years now.

Now I am not trying to say that any abusive malware is acceptable but it does happen. It's very clear that Spamhaus treats certain companies very delicate while they show no remorse for others.

Without making a judgement on me or Intercage, Inc. just take a non-biased look and tell me if all is equal. Who is the hidden company, Intercage, Inc. or Spamhaus?

Posted by: Emil K. | August 30, 2008 12:12 AM | Report abuse



Per your comment below, would you please take down (and not just move,
or rename) You host this
site, and it distributes "Antivirus2008XP" malware.

More about this site can be read here:

Thank you,


== Your comment ==

We got a report from Global Crossing on a few malware sites and all
have been null-routed. If anyone is serious about helping to get this
resolved, please e-mail me at with anything else to
My goal this weekend is to make sure that this community is satisfied.
I should at least be given that chance.
Posted by: Emil K. | August 29, 2008 5:27 PM

Posted by: Sam Trappe | August 30, 2008 3:10 AM | Report abuse

Emil, thank you for your response, but and are hosted on Intercage/Atrivo IP addresses and the information available about abuse by both operations seems to be ignored. Also, correction to earlier post, the referenced malware sites are and and more information can be found at: and

Posted by: Anonymous | August 30, 2008 3:53 AM | Report abuse

Interesting, but very far from the truth. Especially the fact that there are so many spammers registering their domains at EstDomains. Could you name a couple of “spam” domains at EST? I doubt that. Every spamvertised domain name is being suspended at the same day it is being reported. Even ICANN, which named 10 worst spam-registrars have not included EST in the list.

Anyway, thank you for plenty of useful information. Please don’t attack Emil, as this seems to be our oversight more than his one. We are going to perform a total clean-up, really total. Also, in case you have anything more to report just drop me an email to and we’ll be glad to deal with it.

Posted by: Konstantin Poltev | August 30, 2008 5:32 AM | Report abuse

Sadly, there are individuals in every walk of life that make the:

a)i'm just doing what others are doing, why pick on me?

b)i am terribly busy (making money) and don't have the time to. . .

c)now that you have brought this to my attention.

d)i have never personally done this, or knowingly sanctioned any one doing it, but. . .


Ken Lay is an example.

Richard Nixon also comes to mind. (damn, i must be really old to remember that one.)


if the comments attributed to Emil in this discussion are accurate, and he (you) REALLY wants to clean up the (your) enterprise, i would suggest he (you) hire an outside expert to assist in the sanitizing.

certainly, no one can do everything themselves, or be an expert in every field. that's why there are consultants.

anyone who is questioned as to their motives can best (in my opinion) prove their honesty by going our of house for an impartial evaluation/correction.

(open your site to your accusers, and HONESTLY work with them to resolve their issues? that route could even be the least expensive while being the most effective. at the very least, you could then correctly state you had done the best you could.)

quick profits are quickly lost. long term stability is based on solid foundations.

good luck in your endeavor if you really wish to improve the 'net' experience for all users.

or even if you want to provide a quality product that will survive in the long term.

Posted by: bill | August 30, 2008 2:58 PM | Report abuse

@Konstantin Poltev,
You really expect us to believe Est is actively disabling/taking down malicious domains registered and/or hosted with them? I don't think so.

I've got hundreds of domains blacklisted in hpHosts that have their registrar listed as you guys, and strangely, they are all involved in either rogue programs, exploits or general malware. You've been proven time and again to either be directly involved in criminal activities, or to be actively helping those that are, by allowing registrations and/or hosting, via your company.

So do I believe Emil is innocent in this? nope, I believe, as do many many others, that he is actively involved, just as Est are.

Posted by: MysteryFCM | August 30, 2008 4:43 PM | Report abuse

I've managed a dedicated server/colocation company operating over 10K+ ips. I've had similar problems mainly because a clients server would get hacked and used to host such activities. As soon as I received an email and validated the issues I would null the ip address and email the client.

When your as busy as emil... (I think he does it all) its hard to answer all departments.

Emil when are you going to get some help? You can't do it all boss :)

Posted by: James | August 30, 2008 11:56 PM | Report abuse

James I do have help with the upgrades and all but it's hard to let something go when you have been doing it for so long.

It's just a shame that all this attention came out of nowhere. It's not as though I have been ignoring any abuse complaints or neither has Esthost.

But it's clear the public demands I do a better job if at all possible. I know that Spamhaus in the past has refused to work with me but you never know tomorrow is a new day.

Certainly I want stopbadware to run a new check this coming week to make sure we aren't even on there radar. I always say that communication is key but it seems that certain organizations have other agendas instead of getting something closed.

The funny thing is probably the CEO of ThePlanet or Softlayer has seen this and is shaking there head saying Emil you stupid idiot, you have staff and a ticket system to deal with this stuff!. And remain behind the scenes ;-). Hell somehow Spamhaus and others seem to leave them alone.

But Thanks James at least there is somoene who understand what I go through! ;-)

Posted by: Emil K. | August 31, 2008 12:22 AM | Report abuse

Konstantin Poltev,
Does ESTdomains support malware vendors?
How about fake anti-spyware?
For example:

There a actually thousands of them...

Posted by: Alexander | August 31, 2008 7:00 AM | Report abuse

Emil - As SpamHaus notes, your web sites give you away. ThePlanet and Softlayer actually have a conventional business model. Go to their web sites, and they have elaborate presentations to encourage customers to sign up for services. and need no such sales model. Just as junkies know by word of mouth where to buy drugs, your customers know where to find the services they need...

Posted by: Moike | August 31, 2008 7:54 AM | Report abuse

Have you ever tried to report anything to us instead of writing something on some forums, blogs, etc? I don't think so, otherwise you'd see that we react to the reports fast enough.
Just try it.

Alexander: is registered through PDR, other domains are suspended by us.

Posted by: Konstantin Poltev | August 31, 2008 9:11 AM | Report abuse

MysteryCFM complete nonsense the only reason I have not put up a website is we have been out of space. No point in putting up a website when you can't complete the orders. Just because ThePlanet or SoftLayer has a website dosn't give them the right to take on abusive customers (as you imply). There business model is identical to mine except on a larger scale.

They still have active SBL's that Spamhaus has noted (just in the last week). Not to mention the thousand of domains that StopBadWare has pointed out that reside on there network. Do you feel this is fair?

Posted by: Emil K. | August 31, 2008 5:45 PM | Report abuse

I worked for six years at a web hosting firm. We understood quite well that we had a responsibility to our customers as well as, to the public, to keep malware off of our servers. Mr. Kacperski has been a very poor steward of the public Internet. The American people expect better than this.

In the last sixty days there have been 366 malware files in Atrivo's class C network at, and there have been 646 malware sites in Atrivo's IP range Anyone can check this using the database at

Folks, do not go to any of these sites! Here is

IP ADDRESS: Malware Description: fg48ue/0304.exe Trojan.Inject.apd / Trojan-Proxy.Xorpix.Fam fg48ue/0506l.exe Trojan-Downloader.Small.wuq fg48ue/0705s.exe Virus.Sality.y fg48ue/10.Build.exe Trojan.Nosok.b fg48ue/10901.exe Trojan.BHO.bfv fg48ue/11002.exe Trojan.BHO.bki fg48ue/1103.exe Trojan-Proxy.Xorpix.dh fg48ue/11101.exe Trojan.BHO.cbm fg48ue/1188981.exe Trojan-Dropper.Mudrop.hx / Trojan.Tedroo fg48ue/12.exe Trojan-PSW.Agent.alx fg48ue/1305l.exe Trojan.DNSChanger.czu fg48ue/1405l.exe Trojan-Downloader.Agent.pcc fg48ue/14726.exe Trojan-Downloader.Small.ite fg48ue/155.exe Backdoor.Agent.ltu / Mariofev fg48ue/159.exe Backdoor.Agent.ltu / Mariofev fg48ue/18mrt.exe Trojan.Inject.afm fg48ue/2004.exe Trojan-Proxy.Xorpix.eb fg48ue/208.exe Trojan-Downloader.Injecter.jz fg48ue/2205l.exe Trojan-Downloader.Small.wdu fg48ue/2302.exe fg48ue/232.exe Trojan.Inject.bck fg48ue/233.exe Backdoor.Agent.fnc fg48ue/235.exe Trojan.Inject.adu fg48ue/238.exe Trojan.Inject.bzi fg48ue/28858589-111.exe Trojan-Spy.Zbot.bzj / Virus.Buzus.BQ / Hupigon fg48ue/2904s.exe / Sality fg48ue/2exe.exe Trojan.Buzus.mbf fg48ue/3025.exe Trojan-Spy.Agent.cce fg48ue/3105l.exe Trojan-Downloader.Small.iyr fg48ue/3202fozanfpv.exe fg48ue/35.exe Trojan-Clicker.Agent.amt fg48ue/388888.exe fg48ue/38938.exe P2P-Worm.Socks.ew / Trojan.Alupko / Kork.A / Zalup fg48ue/432443.exe Trojan-Spy.Zbot.bol fg48ue/566ds.exe Trojan-PSW.Agent.jzi fg48ue/575.exe / Pandex / Pushdo / Wigon / Cutwail / Undef.hij fg48ue/575857.exe Trojan-Dropper.MultiJoiner.j fg48ue/57585722.exe Cutwail.R / Trojan-Dropper.Agent.shy fg48ue/6.exe Trojan-Downloader.Zlob.jbe / Zirit.C fg48ue/64.exe Trojan-Dropper.Agent.fcu fg48ue/646.exe Trojan-Dropper.Agent.fcu fg48ue/7m.exe Trojan-Dropper.Agent.fcu fg48ue/925037.exe Trojan.Agent.qoc fg48ue/96492ww.exe fg48ue/9bbn.exe Worm.Socks.agy / Worm.Mandaph / Trojan.Alupko fg48ue/BOT.EXE Backdoor.IRCBot.auf / Backdoor.SdBot.asy fg48ue/CbEvtSvc.exe Trojan-Downloader.Agent.mhk / Zlob fg48ue/Crypted_packedW.exe Trojan-Spy.Webmoner.gv fg48ue/F111113.exe Trojan-Dropper.Small.bpt / Trojan.Inject.cpe fg48ue/F223311.exe Trojan.Inject.eef fg48ue/F311.exe Trojan.Inject.cfr fg48ue/F347893.exe Trojan.Inject.cha fg48ue/Launcher.204.exe Trojan.Agent.evi fg48ue/Launcher.206.exe Trojan.Agent.kve fg48ue/MediaTubeCodec.exe Trojan-Downloader.Zlob.jbe fg48ue/Video_Codec_v35.exe Trojan-Downloader.Agent.wkt fg48ue/a200_86_23_05_08_0.exe fg48ue/a200_86_23_05_08_1.exe Trojan-Downloader.Agent.qrc fg48ue/aadr433.exe Trojan.Kobcka.EH / Cutwail.AL / Trojan.Inject.dvf fg48ue/aadre.exe Trojan-Downloader.Mutant.ic / Trojan-Dropper.Cutwail.G / Downloader.Wigon / Pandex / Pushdo / Undef.eyu fg48ue/abc_14-0.exe Trojan.Agent.lkz fg48ue/admfrm3.exe Trojan.Agent.sdf fg48ue/adv406.exe Trojan-Downloader.Small.yjj fg48ue/adwin.exe / Srizbi / Sentinel fg48ue/agent.exe / Srizbi / Sentinel fg48ue/ahe1.exe Trojan fg48ue/airz2.gif Trojan-Spy.Zbot.btg / Trojan-Spy.Wsnpoem.BZ fg48ue/al12l.exe / Rustock fg48ue/alexey.exe / Backdoor.Rustock fg48ue/allex345.exe Trojan-Downloader.Agent.qpb fg48ue/alxveg4.exe Trojan.Agent.qzm fg48ue/amina.exe Email-Worm.Zhelatin.zt / Sintun.EZ / Nuwar.T / Peed.PJ / Tibs.CETC / Alanchum.MV / Storm.Worm fg48ue/ander.exe Trojan-Downloader.Small.vds fg48ue/anoi98.exe Backdoor.Prosti.mi / Cutwail.AH / Pandex / Pushdo / Kobcka.EJ fg48ue/anon97.exe Trojan.Agent.sdp / Pandex / Pushdo fg48ue/arc43r.exe Trojan.Agent.srm / Pandex / Pushdo fg48ue/arc5.exe Trojan.Agent.sdp / Pandex / Pushdo fg48ue/arcant3.exe Trojan-Downloader.Agent.ucx / Pandex fg48ue/argl.exe Trojan-Downloader.Injecter.pp fg48ue/art4545.exe Trojan.Agent.snk / Pandex / Pushdo / Kobcka.EJ / Backdoor.Prosti.mi fg48ue/arti90.exe Trojan-Downloader.Agent.tpf / Pushdo / Pandex fg48ue/artist25.exe Trojan.Agent.syy / Pandex / Pushdo fg48ue/asiaura59.exe Trojan-Clicker.Delf.aiu fg48ue/asket.exe Trojan.Agent.mvu fg48ue/asss.exe fg48ue/asssss.exe Trojan-Downloader.Agent.nru fg48ue/avp.exe Backdoor.Agent.iga fg48ue/axp2008.exe Peed / Hoax.Renos.vadx / Tibs / FakeAlert.EH fg48ue/axxel.exe fg48ue/be.exe Backdoor.Small.doc fg48ue/bho.exe Trojan.Agent.vjm fg48ue/bhos.exe Trojan.Agent.vjm fg48ue/bigman.exe Trojan-PSW.Agent.alb fg48ue/bigmn.exe Trojan-PSW.Agent.jyr fg48ue/breds.exe Trojan-Downloader.Small.vsf fg48ue/burty3.exe Trojan-Downloader.Agent.vil fg48ue/bury79.exe Trojan-Downloader.Agent.vmk fg48ue/calc.exe Trojan.Pakes.cfv fg48ue/cayxjidbhjzqjbn.exe fg48ue/cc12.exe Backdoor.Prosti.mi / Cutwail / Pakes / Pandex / Pushdo fg48ue/cerver.exe fg48ue/chi43.exe Trojan.Inject.den fg48ue/chichi3.exe Trojan.Inject.dbz fg48ue/classik.exe Trojan-Spy.Graball.z / Trojan-Spy.Graball.h fg48ue/co34.exe Trojan-Dropper.Agent.slh / Trojan.Pandex.AA / Cutwail fg48ue/coca.exe / Pandex / Cutwail / Pushdo fg48ue/cok.exe Trojan-Downloader.Agent.nvj / Cutwail / Pandex fg48ue/cor50.exe Trojan.Pakes.dft / Pushdo / Pandex fg48ue/crypt.exe Trojan-Spy.Zbot.arg fg48ue/crypted__bot.exe / Kbot / Dirat fg48ue/cryptuni.exe Trojan-Clicker.Agent.alf fg48ue/d34.exe Backdoor.IRCBot.eje fg48ue/ddfr.exe Trojan-Downloader.Delf.gly fg48ue/dds800.exe Trojan-Dropper.Agent.uhu fg48ue/defe336.exe Trojan-Downloader.Delf.kmm fg48ue/dfred.exe Trojan.Agent.wdc fg48ue/dljkfhdkh.exe Trojan-Downloader.Agent.oya fg48ue/don221.exe Trojan-Dropper.Small.bop fg48ue/dondns2.exe Trojan-Clicker.Delf.aiu fg48ue/dons332.exe OnLineGames.BQP fg48ue/donse223.exe Trojan-Clicker.Delf.aha fg48ue/donse45.exe Trojan fg48ue/donseoo9.exe Trojan-Spy.Zbot.cie / Trojan.Spy.Zeus fg48ue/dotnet41.exe Trojan-Downloader.Agent.lnh fg48ue/dtpqqsmh.exe Backdoor.Agent.niv / Mariofev fg48ue/eag.exe Trojan-Dropper.Agent.fcu fg48ue/eag102.exe Trojan-Downloader.Small.vsf fg48ue/eagle.exe Trojan-Downloader.Small.cib / Revelation / Ufraie fg48ue/eagle322.exe Trojan-Downloader.Mutant.adf / Cutwail / Pandex / Pushdo fg48ue/elo42.exe Trojan-Dropper.Agent.uer / Cutwail fg48ue/em223.exe Backdoor.Prosti.mi / Pandex / Pushdo fg48ue/emerg56.exe Trojan.Pakes.dft / Pandex / Pushdo / Cutwail / Kobcka fg48ue/er34.exe Trojan-Spy.Zbot.djp fg48ue/ere445.exe Trojan-Dropper.Agent.ule / Siberia fg48ue/exe1121.exe Trojan.Small.bhq fg48ue/exert32.exe Trojan-Downloader.Murlo.pz fg48ue/ext67.exe fg48ue/exy69.exe Trojan-Downloader.Small.yjj fg48ue/fanesso.exe Backdoor.Tiny.ab fg48ue/fasddf.exe Worm.Socks fg48ue/fastmick.exe Backdoor.Small.dls fg48ue/fer235.exe Trojan-Downloader.Small.vsf fg48ue/fjkghkj.exe Backdoor.Agent.hqa fg48ue/fkljghk.exe Trojan-Dropper.Agent.fcu fg48ue/fn.exe Trojan.BHO.bbk fg48ue/fnm.exe / Nuklus.A fg48ue/fr23.exe Trojan-Clicker.Agent.amt fg48ue/fre2.exe Trojan.Pakes.dft / Kobcka.EH / Cutwail / Pandex / Pushdo fg48ue/fre23.exe Backdoor.SdBot.fam fg48ue/frednm.exe Trojan.Inject.bck fg48ue/frein.exe Trojan-Downloader.Small.vsf fg48ue/frekjl.exe Trojan-Downloader.Small.vhq fg48ue/freyy7.exe Trojan-Downloader.Small.xap fg48ue/frizif.exe Backdoor.IRCBot.czb fg48ue/frmghg.exe Trojan-Downloader.Small.uys fg48ue/gdk5.exe Trojan-Downloader.Mutant.wd / Pandex / Pushdo fg48ue/gerger54.exe Trojan.Spambot / fg48ue/gr3.exe Trojan-Downloader.Cntr.ioq / Sintun / Peacomm / Storm.Worm / Zhelatin fg48ue/gr43343.exe Worm.Gadja.a fg48ue/grabber2.exe Trojan-Spy.Banker.ktu fg48ue/grtyuji.exe Trojan-Downloader.Agent.pkw fg48ue/gruzy1.exe fg48ue/gtrgr.exe Trojan-Downloader.Agent.oer / Pushdo / Cutwail Trojan.Inject.apd / Trojan-Proxy.Xorpix.Fam fg48ue/gui500.exe Trojan-Downloader.Agent.ydm / Trojan-Downloader.Chksyn.A / Trojan.AVKiller.AW fg48ue/h1.exe Trojan-Spy.Agent.cse fg48ue/he18-03.exe Trojan-Downloader.Agent.lnr / Koceg fg48ue/heller.exe / Peed.JKG / Sintun.EY / / Peacomm.D fg48ue/helpers.exe Trojan-Downloader.Small.vsf fg48ue/helpp.exe Trojan-Downloader.Small.vsf fg48ue/hypney.exe Trojan-Dropper.Small.bla fg48ue/i5.exe Trojan-Downloader.Agent.maa / DNSChanger fg48ue/idn.exe Trojan.Inject.ege / Trojan.Kobcka.EH fg48ue/iexplorerr.exe Trojan-Downloader.VB.ekd fg48ue/igor.exe Trojan.Pakes.cjj / Srizbi fg48ue/iii.exe Trojan.Agent.gno fg48ue/infin.exe Trojan-Spy.Goldun.abp fg48ue/inst250.exe Trojan.Pakes.cjt / Sentinel / Srizbi fg48ue/inst3_264.exe Trojan.Srizbi.x fg48ue/inst_268.exe Rootkit.Qandr.a fg48ue/install-10-50.exe Trojan.Buzus.bqt fg48ue/install.exe Hoax.Renos.bcz / / FakeAlert / Dropper.Braviax.a fg48ue/irev.exe Worm.Socks.aj fg48ue/j.exe Trojan.Small.auy fg48ue/jokerr43.exe Backdoor.Agent.jrn fg48ue/kasmaite.exe Trojan.BHO.bgf / Trojan.Mocalfost fg48ue/kasmn.exe Trojan-Spy.Agent.cgx fg48ue/kis.exe Trojan-Downloader.Small.ixe / Alureon fg48ue/kmdkm.exe Trojan-Dropper.Agent.rhr / Cutwail / Mutant.uc / Pandex / Pushdo fg48ue/kokin42.exe Trojan.Inject.dvf / Kobcka.EH / Cutwail.S / Pandex fg48ue/korova.exe Trojan-Downloader.Tibs.adb / Zhelatin / Peed.JNG / Nuwar fg48ue/kr3.exe Trojan-Dropper.Agent.fcu fg48ue/krab.exe Trojan-Downloader.Small.uys fg48ue/kryptt.exe Trojan-PSW.LdPinch.sgg fg48ue/kw224.exe Trojan-Proxy.Agent.api fg48ue/last.exe Trojan-Dropper.Agent.fcu fg48ue/lc120.exe / Cutwail.ED / Pandex / Pushdo fg48ue/lddon.exe Trojan.Agent.vio / Lighty.A fg48ue/ldig004.exe Trojan-Downloader.Agent.mtk / Trojan-Downloader.Small.ddx / Peacomm fg48ue/ldig005.exe Trojan-Downloader.Agent.ogp fg48ue/ldig007.exe Backdoor.Agent.mnb fg48ue/ldr1_274.exe Trojan.Srizbi.ah fg48ue/ldr1_276.exe fg48ue/ldr2259.exe Backdoor.Bifrose.qbf fg48ue/ldr250.exe Trojan-Spy.Zbot.cuh fg48ue/ldr2_268.exe Trojan-Dropper.Agent.rzi fg48ue/ldr2_274.exe Srizbi / Trojan.Pakes.cwq fg48ue/ldr4_288.exe Trojan-Dropper.Agent.txl / Srizbi fg48ue/ldr5_288.exe Rootkit.Qandr.fb fg48ue/lfzn.exe Trojan-Downloader.Agent.xau fg48ue/lilo.exe Trojan-Downloader.Zlob.taf fg48ue/limb76.exe Trojan-Downloader.Zlob.dzw fg48ue/limbage12.exe Trojan-Downloader.Zlob.qvv fg48ue/limbo90.exe Trojan-Downloader.Zlob.olh fg48ue/limbobo.exe Trojan-Downloader.Zlob.pnq fg48ue/load.exe Trojan.Inject.afm fg48ue/load38.exe Trojan-Spy.Zbot.cuz fg48ue/loader03_282.exe Trojan-Dropper.Agent.sht fg48ue/loader_17.exe Trojan-Downloader.Agent.tpf / Wigon.CX / Cutwail fg48ue/loader_87.exe Trojan-Downloader.Agent.tpf / Cutwail / Pandex / Wigon.CX / Pushdo fg48ue/loadlx22.exe Trojan-Spy.Zbot.bwp fg48ue/lolotre.exe Trojan.Buzus.lto fg48ue/m00.exe Trojan.Pakes.ckm fg48ue/masst.exe Trojan fg48ue/mbdis.exe Trojan-Spy.Agent.crg fg48ue/mbdisww3.exe Trojan-Spy.Agent.cqm fg48ue/mddddd.exe Trojan-Downloader.Small.vhq fg48ue/mid.exe Backdoor.IRCBot.dsi fg48ue/mie001.exe Trojan-Downloader.Small.vsf fg48ue/misingg.exe Trojan-Dropper.Agent.rjm fg48ue/mol.exe Trojan-Downloader.Mutant.vb / Cutwail.S / Wigon.CE / Pandex / Pushdo / Zhelatin fg48ue/morda23.exe Trojan-PWS.Agent.kbc fg48ue/morda33.exe Trojan-PSW.Agent.kcc fg48ue/morda42.exe Trojan-PSW.Agent.kbx fg48ue/mr.exe Backdoor.Hupigon.cqnl fg48ue/msins.exe Trojan.BHO.bfu fg48ue/msservice.exe Trojan-Spy.Agent.dgh fg48ue/mxlad.exe Trojan.Agent.qon fg48ue/new.exe Trojan-Dropper.Agent.fcu fg48ue/nice443.exe Trojan-Spy.Zbot.bzk fg48ue/nod232.exe / Nuwar.R / Peed.JKK / Zhelatin.zt / Sintun.EY / Peacomm / Tibs.BS fg48ue/ns84.exe Rootkit.Qandr.df fg48ue/nsf2.exe Trojan-Dropper.Agent.qnz fg48ue/nzx2.exe Trojan-Dropper.Agent.fcu fg48ue/opps.exe Backdoor.IRCBot.ddz / Momibot fg48ue/out_kone_44.exe Trojan.Agent.rye fg48ue/outc.exe Backdoor.Agent.hoh fg48ue/parik56.exe Trojan.Agent.tat / Pandex / Pushdo / Meredrop fg48ue/pc-spycle1.exe Trojan.Agent.smf fg48ue/pc-winfix1.exe Hoax.Agent.dg / FakeAlert / MisleadApp fg48ue/pinch.exe Trojan-PSW.LdPinch.xov fg48ue/pinch2.exe Trojan-Downloader.Tibs.aam fg48ue/pre-loader.b19-14.0010.exe Cutwail / Trojan-Downloader.Mutant.ic / Wigon / Pandex / Pushdo fg48ue/q_bot.exe Trojan-Downloader.Agent.pih fg48ue/qqq111.exe Rootkit.Agent.akr fg48ue/rasrewq.exe Trojan-Downloader.Agent.ydn / Virus.Obitel fg48ue/raz.exe Trojan-Downloader.Small.vds fg48ue/rdp32.exe Backdoor.PcClient.bxu / Graball / Emptybase.A / Trojan.Nuklus.A fg48ue/reklam.exe Trojan-Dropper.Small.bkb / Pushdo / Kobcka / Pandex / Wigon / Cutwail fg48ue/resultN.exe Trojan-Spy.Zbot.ctu fg48ue/resulteeg.exe Trojan-Spy.Zbot.dos fg48ue/rfx2.exe Trojan.Patcher.ab fg48ue/rfx3.exe Trojan.Patcher.ak fg48ue/rfx4.exe Trojan.Patcher.ak fg48ue/rfx7.exe Trojan-Banker.Banker.pdp fg48ue/scann.exe Trojan-Dropper.VBS.g fg48ue/se123.exe / Nuwar / Sintun / Peed / Peacomm / Zhelatin fg48ue/se23.exe Email-Worm.Zhelatin.aan fg48ue/search334.exe Trojan.Agent.wpv fg48ue/service.exe Trojan-Proxy.Agent.abr fg48ue/sev.exe Trojan-Downloader.Cntr.w / Zhelatin fg48ue/shone.exe Trojan-Downloader.Small.vsf fg48ue/sinka54.exe Kobcka.ER / Trojan.Agent.vrs / Siberia / Tibs fg48ue/sinn446.exe Trojan-Dropper.Agent.slh fg48ue/sinner.exe Trojan-Downloader.Mutant.jz / Pandex / Pushdo / Cutwail / Kobcka / Kobka fg48ue/sinner44.exe Trojan-Dropper.Agent.slh / Cutwail / Pandex fg48ue/skp61.exe Trojan-Spy.Zbot.bzl fg48ue/skype45.exe Trojan-Spy.Zbot.bzc fg48ue/skype99.exe Trojan-Spy.Zbot.bjh fg48ue/sl.exe Trojan-Downloader.Agent.oeu / Hoax.Renos fg48ue/smmm.exe Trojan-Downloader.Agent.oan fg48ue/sobak9.exe Hoax.Renos.cqi fg48ue/solder.exe Trojan-Dropper.Agent.uup / Kobcka.EM / Wigon / Cutwail fg48ue/solopele.exe Trojan.Small.bne fg48ue/spambot_peer_load.exe Trojan.Inject.agf fg48ue/sperty97.exe Trojan.Buzus.hql fg48ue/spr.exe Trojan-Spy.Zbot.bov fg48ue/srvr.exe Trojan-Spy.Webmoner.ix fg48ue/sssssm.exe Trojan.Pakes.crq fg48ue/sszpasxrucrvzyv.exe Trojan fg48ue/sunnt23.exe Trojan.Agent.ttw fg48ue/suny790.exe Trojan.Pakes.dgb fg48ue/sys.exe Trojan-Dropper.Small.bkb / Cutwail / Pushdo / Pandex / Wigon / fg48ue/system.exe Trojan.DNSChanger.bov fg48ue/systen.exe Trojan-Downloader.Agent.mlu fg48ue/tara.exe Trojan.Srizbi.q fg48ue/task.exe Trojan-Spy.Agent.cpi fg48ue/ter34.exe Backdoor.IRCBot.dfe fg48ue/terasole.exe Backdoor.IRCBot.cqq / Momibot fg48ue/tersl.exe Backdoor.IRCBot.clv fg48ue/test.exe Trojan-Dropper.Agent.qon fg48ue/test1.exe Srizbi / Sentinel fg48ue/test1_400.exe / Srizbi fg48ue/EGO_ldr_CRYPTED.exe Trojan.Buzus.mle fg48ue/load22122.exe Trojan-Downloader.Small.yqt fg48ue/rarara.exe Trojan.Peed.JPX / Tibs fg48ue/rfx8.exe fg48ue/rfx9.exe fg48ue/svc.exe Backdoor.IRCBot.ekm fg48ue/svchost3.exe Trojan.Buzus.lof fg48ue/svchost32-64.exe Trojan-Downloader.Agent.xjf fg48ue/svchost5.exe Trojan.Buzus.lzc fg48ue/test302.exe Srizbi fg48ue/test311.exe Srizbi fg48ue/tigerw667.exe Worm.Socks.hf fg48ue/tor.exe Trojan-Downloader.Agent.ucy / Pushdo / Pandex / Cutwail fg48ue/torrrr.exe / Cutwail fg48ue/tre2005.exe Trojan-Downloader.Small.uoy fg48ue/tree2005.exe Trojan.Pakes.cqb / ZBot fg48ue/tw.exe Worm.Socks.hf fg48ue/vr45.exe Trojan-Downloader.Small.vsf fg48ue/demiuu.exe Trojan-Downloader.Small.zpn fg48ue/twunk_16.exe Trojan-PSW.Agent.kbc fg48ue/twunk_18.exe Trojan-PSW.Agent.keh fg48ue/u_f1_v34_78.exe / DNSChanger fg48ue/u_f1_v35_80.exe Trojan.PR.Saturn.R fg48ue/uprrrr.exe Trojan-Spy.Zbot.boa fg48ue/ver1.459.3.exe Trojan-Downloader.Zlob.kfa fg48ue/viewer.exe Trojan.Inject.cma fg48ue/volodar3.exe Hupigon / Zbot fg48ue/vololo67.exe Trojan-Spy.Zbot.dlk fg48ue/vr45.exe Trojan-Downloader.Small.vsf fg48ue/wejhfds.exe Email-Worm.Zhelatin.yo / Peed / Nuwar / Tibs / Storm / Alanchum fg48ue/wisp34.exe Trojan-Spy.Webmoner.jv fg48ue/xm.exe Trojan-Downloader.Mutant.bu / Pandex fg48ue/xm100.exe Trojan-Downloader.Mutant.zy / Trojan-Downloader.Cutwail.S / Pandex / Pushdo fg48ue/xm101.exe Trojan.Pakes.czx / Cutwail / Pandex fg48ue/xm111.exe Pakes.cyu / Cutwail / Pandex / Pushdo fg48ue/xm112.exe Kobcka.DZ / Trojan-Downloader.Mutant.yz / Pushdo / Pandex fg48ue/xm5644.exe Trojan.Agent.tdq / Pushdo / Pandex fg48ue/xm778.exe Cutwail / Trojan-Downloader.Agent.qoj / Meredrop / Wigon.R / Bankolimb.AT / Pushdo / Pandex fg48ue/xmmm4.exe Pakes.csa / / Cutwail.S / Pandex / Pushdo fg48ue/xmr.exe Trojan-Dropper.Agent.rup / Cutwail / Pandex / Pushdo fg48ue/xs.exe Trojan.Agent.vma fg48ue/xx.exe Trojan-Dropper.Agent.fcu / Harnig fg48ue/y443.exe Hupigon / Zbot.AQ fg48ue/yoyo.exe fg48ue/zfaugptsxtpiote.exe Trojan.Pakes.jwr / Peed / Harnig fg48ue/zik.exe Trojan.Pakes.jln fg48ue/zloi.exe Trojan-Dropper.Small.blh / Cutwail / Wigon.G / Peed fg48ue/zloy.exe Trojan-Downloader.Mutant.oz / Cutwail / Wigon.M / Pandex / Pushdo Exploits Exploits Exploits Exploits Exploits Exploits Exploits Exploits Malware calls home Malware calls home Malware calls home Trojan-Downloader.Winlagons.ahq / Tipikit fg48ue/win32load.exe ldrctl/ldrctl.php Rogue

Thank you,

James McQuaid

Posted by: Anonymous | August 31, 2008 5:48 PM | Report abuse

ThePlanet and SoftLayer can improve also, but it's a matter of percentage and slow response or inaction on your part. If your business were truly at capacity for the past several years, as indicated by your empty web sites, then kicking out the bad guys would have freed enough space to take on new customers.

But, I suppose that honest businesses would not pay the prices that you are able to charge the badware purveyors.

Posted by: Moike | August 31, 2008 6:10 PM | Report abuse

@Konstantin Poltev

I indeed have tried contacting you, several times via e-mail - the last e-mail was sent over 12 months ago (when I finally stopped bothering), and to date, have never received a reply, so nope, you don't reply.

I don't believe I mentioned your website, or lack thereof. Though I don't believe you don't have enough space for a website (surely you've got 10MB spare? thats all it would take, and thats being generous).

I am also well aware that TP and SL also host some malicious websites, and nope, I don't believe they should get away with it - but we're not here to talk about them are we? Nope, we're here to talk about you, and you're failing miserably at trying to convince us that you're innocent in all of this (and bringing in your friend from Est hasn't done you any favours either, quite the opposite)

Posted by: MysteryFCM | August 31, 2008 7:15 PM | Report abuse

Hilarious to see Konstantin pop up and try to defend Esthost/Estdomains/Estboxes/Inhoster/Ukrtelegroup/Cernel/Rove/CriticalInternet/Name15/etc. - anyone whose been following the explosion of the Russian-language-AWM malware ecosystem recognises them as the criminal organisation they are.

I have dumps of endless thousands of their domains hosting malware, exploits, scams, fake-codec-trojans and illegal porn. They are directly involved in many of their customers/affiliates' misdeeds through their staff members, who are to be seen throughout the Russian-AWM forums posting openly in discussions of malware and exploit tactics.

There is nothing legitimate on Esthost, and nothing to be lost by blackholing their netblocks. I strongly recommend it.

Brian's article is a tad sloppy on the details - I haven't seen evidence that HostFresh is so strongly linked to Atrivo, and RBN not really except for sharing associates... unless you're using 'RBN' as a catch-all for the Russian-AWM-malware complex in general.

But Atrivo knows who its customers are, and doesn't care. Emil can play the aggrieved innocent, and he'll eventually boot a site or two from one of his servers if you pester him enough... but what's the point when his blackhat ISP customers are always registering hundreds of new domains spread over enormous swathes of Esthost's netspace?

What happened to Atrivo's Russell Mitchell? He was a lot more honest with us:

"I believe an investigation by law enforcement is a very corrective
step... That would definately clean Esthost up. [...]

On one, it's the occasional spam via exploit. The other... Esthost... Well... A
lot worse abuse then just spam. [...]

If I had the ability... I would cut Esthost as a client... But, in
doing so, it causes nearly a quarter if not half of the company's
monthly revenue to be cut."

Posted by: bobince | August 31, 2008 8:17 PM | Report abuse

Here is a link to the statements by Russ Micthell that bobince quoted above:

September 2, 2005:

Posted by: Anonymous | August 31, 2008 9:32 PM | Report abuse

For those bashing this article, I’ve worked with Jart and Brian, they do their homework.

As for Konstantin and EstDomains. First, If you want to improve public perception, start by dropping your relationship with Stop using it.

Second item. Fully disclose your location, cancel the Delaware incorporation.

Third item. LegitScript and KnujOn sent you a letter IN JULY about an unlicensed steroid pharmacy: You never responded and this site is still active.

We’ve put together a very detailed report on how registrars can play a complex shell game to appear compliant (terminating some and re-activating others):

This section of the report:

We describe the relationship cycle of fake pill sites, pornography, and malware.
“Using pornography to lure unsuspecting Internet users into unknowingly downloading malware is an old trick, but one that continues to work. However, KnujOn has found an array of EstDomains sponsored, shielded domains that combine drugs, porn and malware. Several former steroids EstDomains sites have metadata that appears to offer Schedule 3 substances like Morphine, Testosterone, and Vicodin but redirects the user's browser to (also sponsored by EstDomains), a porn site that attempts download malware in the guise of a "player update." The scripting vigorously prevents the user from navigating away from the page or closing it. The content of is served from (also sponsored by EstDomains), another porn site that has links to another fake pharmacy: (also sponsored by EstDomains). This EstDomains sponsored and PrivacyProtected domain rotates different sites the user is redirected to. One site,, seems to feature films that depict rape scenes as well as attempting to download malware from (also sponsored by EstDomains). Another redirect landing launched from links to fake virus/spyware scan site: This particular fake security software is actually one of the most insidious PC infections to date. It blocks access to the Control Panel, Registry Editor, hard drive, removable media, Task Manager, Run, and just about any utility someone might use to fix their PC or remove the malware. It also blocks installation and running of legitimate anti-virus packages. Once infected your PC can only be used as a botnet node or a doorstop.”

Drop, disclose your real location, shutdown the steroid site,, remove any site distributing malware and any unlicensed pharmacy site (it shouldn’t be hard, they are always the same customers) and we’ll all consider your claims of being compliant.

Start with these:

Posted by: Garth @ | August 31, 2008 11:23 PM | Report abuse

I hope this all goes toward a positive movement and not just bashing as some people like to do.

James McQuaid there was no point in posting the file structure of 1 ip and clearly 1 server. You just took up many pages for no point at all. Will go ahead and take a look at Btw that server has been shutoff already prior to reading this.

I keep mentioning ThePlanet and SoftLayer because I am hoping this does not go to waste. Am pretty certain that nobody is going to change the mind of Spamhaus but maybe there is hope for others. But I am a little reluctant because this certainly could of been done in a different way and could of been a focus of multiple companies who need to step it up. Hopefully this coming week StopBadWare will respond to my communication and not just ignore and bash.

Also trying to post quotes from Russ or other quotes from years ago makes no sense. It shows that me and anyone from Intercage has always been available for contact and honest. I know that Russ has been reluctant to post in places because you give someone a hand and they try to take your arm. He has been burned many times.

Let's focus on what we are here for and make sure that there is no malware present on Intercage blocks or Esthost blocks / customers.

Posted by: Emil K. | September 1, 2008 12:24 AM | Report abuse

Hello all,

I'd like to reflect on a few comments made with regard to me.

The group's posting your bringing back from the dead is quite un-needed.
It doesn't give any positive matter in this article, or for the argument at hand. Never-the-less, here I am, as you requested.

Here's what happened in the past, I got VERY tied up in the Abuse Department and really started to take what everyone else said to be the truth. I continued for some time and let my mouth get ahead of my actual job.
That's now a few years ago when I first started @ Atrivo/InterCage. When I first started, I took on the task of managing ALL Abuse Claims on a 24/7 Basis. It didn't matter if you sent in a claim at 2am or 2pm, I was ontop of it within the hour.

The parties that continually supported us by reporting their abuse claims began to send continous lists of domains and IPs that had SOME FORM of abuse (in their view). After quite a while, I began to get a little more insight and trained myself a bit more in how to handle abuse.


Now for the rest of you, here's some insight.
InterCage (Formerly Atrivo) has NEVER had _ANY_ partners (I've been here near 4 years).

IMHO, Emil got wrapped up in this article to try and deliver the truth to you (as I have in the past), OUTSIDE of our companies line of communication.
So, as I've stated to Emil, there's simply no need to continue to argue here on the WashingtonPost Site.
If you want to take a walk through our DataCenter, I'll be happy to accomidate you. If you think we can make something better in our company, Write us! (Russ.[at] - Emil.[at]

This article's intent is clear, it's gained the attention the author intended.
Like all news reporters, if you don't alter the facts to generate a good story, people won't go past the first paragraph.

You wanted the honest Atrivo guy, Emil has given nothing but straight and honest answers to your questions. Since you all have wrapped yourself up tightly in this article, unwrap yourself, take a deep breath, and move a long.

If you have a claim for abuse on our network, send your claim (WITH EVIDENCE) to abuse.[at]
If what your reporting is in regards to a service provided by Esthost or EstDomains, CC abuse.[at]

Special thanks out to Jart Armin for your in-accurate "research", and a huge thanks to Brian Krebs for his coverage of this great in-accurate report.
If you think we don't handle abuse in a timely manner, follow-up on it! Talk to some unbiased Anti-Abuse Parties in the community, try SpamHuntress for one, get her honest opinion!

Russell M.
InterCage, Inc.

Posted by: Russell M. | September 1, 2008 12:38 AM | Report abuse

To close out the communications in regards to this article, No further communication will be provided via this article.

The proper avenues for communication have been clearly defined.

Thank you all for your great insight (Most of you). Have a great day.

Russell M.
InterCage, Inc.

Posted by: Russell M. | September 1, 2008 12:42 AM | Report abuse

Hrm. I have been following this for a little bit and I have come to a conclusion of my own. 1st and foremost, isn't it illegal for Intercage to sort through every site that is being hosted on their dedicated servers? For one they are not doing webhosting they are renting servers.
Should you not be flaming the ones renting the servers before you flame Intercage? Wouldn't it be fair to send abuse reports through the proper channels instead of flaming them on a nationally recognized post? If you have found illegal stuff, or stuff that violates the Intercage terms, on Intercage server on your own and not reported it are you not partially to blame. In a sense you are actually a part of the problem for not reporting through the proper channels. I'm pretty sure if you took a look at the operations behind the media-fluff you would see that Intercage is probably ran just like any other provider of comparable services. I would love to see the all this PROOF that these items have been submitted through proper channels to INTERCAGE, and proof they ignored it. I think most of you have been quick to judge. Instead of flaming maybe you should submit an abuse report and follow up on it.


Posted by: TJ | September 1, 2008 1:13 AM | Report abuse

You have suspended just a few domains. There are lots of "clones". They are probably registered under the same accounts or have some common information.
Off we go:

Posted by: Alexander | September 1, 2008 7:34 AM | Report abuse

MysteryFCM: How did you try to do that? We always respond. For all future correspondence kindly use or my direct e-mail – This is the opposite side of SpamHaus filters – if you use them then our letters won’t reach you. And it doesn’t mean that we don’t respond.

Garth@Knujon: The same question to you, how did you try to get in touch with us? I wasn’t able to locate any letter of this kind from you. Regarding – we don’t use it for some time already, and it is neither ours nor registered through us, so we can’t do anything with us. Anyway, it doesn’t matter if there is privacy protection on the domain name or not – in case of any abuse we have always removed the protection. As for the domains you mentioned – we are going to investigate that. Majority of them have already been suspended, the rest will be suspended soon, I assume. However, it’d be great if you could send us some additional information you have.

These domains have been suspended as well. Thank you.

Frankly speaking it’s not very easy to suspend the domain names which use the same contact details. We are doing that, but it takes lot of time. In case you report us any abusive domain names we will definitely suspend them faster than we do upon the investigation. Hence, in case you have any more domains to report – kindly raise the support ticket at or write me directly.

2 ALL:
Please, don't write any domains here, it's not the right place to report anything. I've already written appropriate link several times, please use it further.

Posted by: Konstantin Poltev | September 1, 2008 12:40 PM | Report abuse

"Of course I can't post his [Eric] contact details on here for everyone to see. But any other blocks or anything else we have zero to do with HostFresh."

What? You don't have to post his home address and his favorite hobby, just his contact information: telephone number, business address, and e-mail address. A reputable business has no trouble doing that.

Posted by: Anonymous | September 1, 2008 4:35 PM | Report abuse

"Emil, thank you for your response, but and are hosted on Intercage/Atrivo IP addresses and the information available about abuse by both operations seems to be ignored."

To add to that, Atrivo's abuse responsibilities go beyond making sites on their servers are addressed, but that businesses who host with them also respond to abuse complaints.

Posted by: Anonymous | September 1, 2008 4:36 PM | Report abuse

It looks like there are more than a few organizations that have the tools in place to identify malware hosted on Atrivo's network. Perhaps the best thing for Atrivo to do is get a feed from them to automate this.

Another good step would be request customers to put down a $1000 refundable deposit (after 60 days) for every site they host with Atrivo.

Posted by: Anonymous | September 1, 2008 4:39 PM | Report abuse

We emailed all of your contact address and sent a paper letter to your posted address:

110 W. Ninth Street #688

If you disclose your -real- address here or on your website we will resend the letter.

If has been dumped, we applaud that. But be honest, it only happened after the Krebs article was published, right? If Directi, mouzzinteractive, planetonline, registercom, enom, and crispnames stop using it, that would great.

Posted by: Garth @ | September 1, 2008 5:48 PM | Report abuse

I've been blocking access to any IP addresses managed by Hostfresh, Inhoster, Intercage, and Atrivo for years. This effort began timidly in December 2004 but became bolder over the next few months. I don't need to know their interrelations (if any); I only need to recognize that malware distributors find them easy to work with.

There's not much to be gained by waiting to learn what new malicious web site has been created, then gathering evidence and reporting it to the "abuse" channel. It is safer and simpler to turn those IP ranges into black holes.

Its akin to recognizing a high crime rate neighborhood. You're not obligated to walk home at night through that neighborhood.

Don't wait for some government agency to intervene. Take the initiative; you've got a firewall, block outbound and inbound access to those IP ranges.

Posted by: Anonymous | September 1, 2008 9:51 PM | Report abuse

Its a shame that web based companies have to be publicly humiliated in order to do whats right, namely remove fraud accounts from their servers.
Take a look at the fake domains reported daily by such organizations as:
Many web hosting companies ignore reports of fraud on their servers.
The sites cause billions of dollars in losses and damages to unwitting and inexperienced internet users.
Law enforcement agencies cannot deal with the situation due to monetary and time constraints.
Internet fraud is not high on the totem pole for agencies such as the FBI or the US Secret Service.
Those agencies have more important issues to deal with.
I was under the impression that the internet was set up to be self policing.
I'm amazed that agencies like ICANN set rules up that are blatently ignored by registrars and hosts.
ICAAN doesn't even enforce their own rules.

Court orders are not needed, as often stated by hosting companies, to remove a fake or malicious site from servers.
Due diligence is needed on the part of the web hosts.
Perhaps litigation will take care of the offending web companies, but there needs to be someone with the cajones to go after web hosts and registrars.
....or dare I say it?
Government intervention.....
I feel its long overdue.

Posted by: no_muie | September 2, 2008 1:17 AM | Report abuse

Very strange. Kindly write me directly in order I could investigate this
As for the privacyprotect – we don’t use it for about two months already.

Posted by: Konstantin Poltev | September 2, 2008 4:46 AM | Report abuse


Disclose your real location. Thanks.

Posted by: | September 2, 2008 9:36 AM | Report abuse

Posted by: Russell M. | September 1, 2008 12:38 AM

To close out the communications in regards to this article, No further communication will be provided via this article.

The proper avenues for communication have been clearly defined.

Thank you all for your great insight (Most of you). Have a great day.

Russell M.
InterCage, Inc.

Hmmm ... Closed Communication through WashingtonPost's site. So, what they're saying is that they're not making any banner money off us telling them what's wrong and want us to go to InterCage, Inc.'s site so we can get infected with THEIR malware while InterCage, Inc. continues to cash in while we complain.

Posted by: Just Me | September 2, 2008 11:22 AM | Report abuse

If anything this proves is that the rest of the world is crazy and the likes of EstDomains\Atrivo\Intercage\Directi\ Hostfresh\Inhoster are the only sane ones.

Typical back and forth gibberish by the accused.

Great work by Krebs, Knujon and Jart

Keep it up

Posted by: TeMerc | September 2, 2008 2:01 PM | Report abuse

Some progress perhaps?

Leave 'em all dead for about 6 months without 'em poppin up else where and it's a good thing.

Posted by: TeMerc | September 3, 2008 3:52 AM | Report abuse

^^ where have 1M bot ! you can see it's talk about botnet cash systems

Posted by: | September 3, 2008 10:45 AM | Report abuse

InterCage suspends thousands of malware related sites
Only a few days after an article in the Washington Post and a detailed report by HostExploit [PDF] [Video] they (InterCage) have suspended thousands of malware related sites. Which is good news ... but it makes you wonder if these sites will simply be transfered elsewhere, or the criminals will just register thousands of new sites and continue with their activities ... since these culprits depend on the revenue generated by their illegal activities, I predict they will pop-up elsewhere very soon.

I happened to notice this myself (amount of suspended domains) when running a program I use to validate the DNS of each entry in the HOSTS file. Usually it returns a hundred or so sites that have either expired or suspended, Parked, etc. ... (since the last update) however this time the amount was huge!

Although the "comments" (must read) to the article by "Emil Kacperski" appear to be nothing more than the usual spin ... mainly complaining why other hosting domains are not mentioned ... it seems that exposing the activities by InterCage has produced some results ... for now. It will be interesting to see the outcome of Brian Krebs other scheduled related articles ...

Posted by: Michael | September 3, 2008 11:58 AM | Report abuse

Still more fallout:

Could this be the beginning of a wonderful thing?

Posted by: TeMerc | September 3, 2008 8:39 PM | Report abuse

Well, as far as I can see EstDomains fell back to it's "no response - no action" way of doing things. I've sent two abuse notes on a domains they're the registrar for and nada.

Posted by: Toni | September 4, 2008 1:55 AM | Report abuse

Where did you send them?
As soon as I've got your letter we suspended the abusive domain name, didn't we?

Posted by: Konstantin Poltev | September 4, 2008 2:45 AM | Report abuse


Posted by: sapmhouse killer | September 4, 2008 4:24 AM | Report abuse

Konstantin, true. Apparently the first letters didn't go through, and the comment was posted before you replied.

Posted by: Toni | September 4, 2008 8:44 AM | Report abuse

Posted by: TeMerc | September 4, 2008 5:39 PM | Report abuse

Konstantin, we're still waiting for the real business address of EstDomains. Thanks

Posted by: Garth @ | September 4, 2008 8:24 PM | Report abuse

Posted by: Publicus | September 4, 2008 9:17 PM | Report abuse

9bCould you explane more widly.5e I compleatly agree with last post. grk
This is my project купить ламинат 0f

Posted by: ламинат | September 4, 2008 9:21 PM | Report abuse

download cd Corel Designer 10.0 software

Posted by: FancyYork | September 5, 2008 2:59 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company