A different angle on SPAM and malware

Two websites have recently published reports on Internet security and the spread of malware across the web, and both documents examine the problem from a new perspective. Most online security coverage tends to focus on the perpetual war between the antimalware industry and the companies that earn an illicit living from selling botnets and developing new exploits. The reports from HostExploit and Knujon, however, focus on the registrars and ISPs that actually provide hosting to the black hats, and explore the various connections between the organizations.

HostExploit's report is an examination of the US-based ISP Atrivo, and of that company's alleged willingness to ally itself with (or, at least, deliberately overlook) ongoing criminal enterprises; the Knujon investigation documents the relationship between the India-based Directi Group and its affiliates. The following diagram illustrates the relationship between these various organizations/companies.



Image courtesy of HostExploit

Atrivo: Near the top of the food chain

Atrivo (top-center) is the ISP at the relative "top" of the chart. HostExploit analyzed data provided by StopBadware.org and calculated both the number of infected sites and the total percentage of bad IP addresses Atrivo was serving per month, as demonstrated in the chart below. According to HostExploit, an average web host's percentage should be around 0.01 percent. Atrivo's is just a smidge higher.



Image courtesy of HostExploit. Ranked in terms of the number of infected sites per IP address, Atrivo is the 4th-worst online.

HostExploit did a full analysis on the "IP space associated with, leased to or by Atrivo & Intercage & Co., from various methods and community sources." The numbers given below represent "an extrapolation of 10% random sampling of known Atrivo IP addresses (2,600) that resolve to the Atrivo IP space was selected (26,000). Each of these domains was visited by an automated tool that downloads all content from each domain and follows one link further."

Here's what they found (all numbers are out of the 2,600 sampled addresses; multiply by 10 for the full address range):

31 known malware binaries, each linked to multiple websites

91 infected websites, i.e., websites that exhibit badware behavior

113 botnet C&C controllers

4 calling birds (and three French hens, not four, as I erroneously stated earlier.)

734 malicious web links, including links to products like XPDefender

78 percent of Atrivo domains and mail servers are rated hostile (based on 465 random samples)

145 fake porn redirectors that also use a variation of a DNS-hijacking rootkit. (We've covered such programs before).

Atrivo is also responsible for the overwhelming majority of fake/rogue antivirus scanners, spyware, and "codec" downloads, as shown below.



Image courtesy of HostExploit.com

HostExploit notes that there are a number of companies that unwittingly provide hosting or access to malware, but the sheer volume of garbage passing over Atrivo's network makes it hard to believe the company isn't aware of it. Now that we've discussed Atrivo in general, we'll examine the Directi infrastructure "underneath" Atrivo in more detail.

The Directi Group: Hiding in plain site

Scroll back up to the top of the article and observe the links between Atrivo, EstDomains, and EstHost. EstDomains is an anonymous registrar that may be owned by the Directi Group—Knujon suspects it, but isn't certain. EstDomains' partner, EstHost, provides anonymous hosting services. Both sites offer WHOIS anonymity through a service they refer to as "Protect Details." If Protect Details isn't PrivacyProtect.org under a different name, the two services are identical twins; a press release from EstHost describes Protect Details as follows:

Enabling Protect Details allows replacing the actual contact information for the domain name holder with the contact details marked for the Protect Details project. The WHOIS database will display the alternative contact information along with a message proclaiming that this particular domain name is protected and uses the service powered by Protect Details dot com. The only way to get in touch with the holder of the protected domain name is to use the e-mail address indicated as a contact e-mail. Please note that concealing the contact information under the Protect Details option is legal, as only law-enforcement organizations have the ultimate right to demand the exposure of personal data at any time.

PrivacyProtect.org is linked to Atrivo through EstDomains. Officially, PrivacyProtect.org's owners are anonymous, though Knujon is fairly certain that the company is owned by the Directi Group. The service describes itself in much the same terms that Protect Details uses above.

Notice how the name Directi keeps popping up? The Directi Group (a company based in Mumbai, India) is believed to own both EstDomains and EstHost, as well as PrivacyProtect, LogicBoxes (another hosting service), and the Public Domain Registry (PDR). LogicBoxes is a prominent sponsor of ICANN, which links both the Directi Group and Atrivo to that governing body. Ties between the Directi Group and ICANN are well-documented; Skenzo (another Directi company focused on traffic monetization) and LogicBoxes co-sponsored a day trip to the Taj Mahal for attendees of the 31st ICANN meeting last February.

According to LogicBoxes' press release, no expense was spared: "The trip included a comfortable drive in a convoy of luxurious coaches down the picturesque Golden Triangle of North India, followed by an awe-striking tour of the Taj Mahal...coupled with a visit to other famous landmarks in Agra—a tour of the magnificent Agra Fort...rounding off with some of the best specimens of Mughal art in India."

Going to see the Taj Mahal on someone else's dime doesn't mean a person is on the take, but the Directi Group is clearly interested in keeping the wheels of ICANN well-greased. It's hard not to notice that while certain branches of Directi are offering all-expenses-paid trips around India, other segments of the organization are ending up on embarrassing lists. The PDR, ironically, is number nine on Knujon's list of Top 10 worst registrars in terms of advertised junk product sites and compliance failures; the top 20 registrars on that list account for 90 percent of the illicit sites Knujon has tracked.