Malicious ISP Atrivo has lost the confidence and support of the last upstream provider willing to do business with the company. Up until last Saturday, Pacific Internet Exchange (PIE) had kept Atrivo connected to the rest of the world, but evidently felt the cost of doing business with the rot-filled ISP was too high to justify. Pacific was the last company to get the memo on that particular decision, but as of Saturday, Atrivo is offline.

The chain of events that ultimately led to Atrivo's shutdown may have been touched off by an August report from HostExploit on the company's illegal endeavors. At the time, Atrivo was a major hub of illegal activity; some 66 percent of the fake antivirus scanners and false malware-laden "codecs" were on Atrivo's network. The situation also persisted over time, a significant indication that Atrivo's disproportionate share of the malware market was no mere blip or oversight.

Atrivo had a long-standing reputation as a bad seed, and HostExploit's report was the final straw for a number of upstream providers. Just weeks after the document was published, Global Networks, WVFiber, and Bandcon all dropped Atrivo as a customer. The President of PIE, David Grieshaber, is a long-time friend of Atrivo founder Emil Kacperski and offered to help his beleaguered friend out, provided certain conditions were met. As Grieshaber told the Washington Post: "I told him [Kacperski], you've got to put up a Web site, an official abuse reporting and ticketing system, and some real contact information so that people can get in touch with you and know their complaints are being heard."

Ultimately, however, Atrivo proved too much of a bad apple for PIE to swallow. It's not clear when, exactly, PIE and Intercage/Atrivo began peering, but it wasn't long before the amount of garbage spewing out of Atrivo led Spamhaus to put PIE on its block list. Spamhaus' action put PIE in an extremely difficult position (and probably ticked off quite a few customers). In the end, friendship couldn't overcome the cost of doing business.

As for Emil, Atrivo's founder insists that he operated above board and received virtually no complaints about the websites his company hosted, and he adamantly defended his actions to the Washington Post. "The truth is that nobody's been reporting this stuff, but it's illegal for me to just sniff around each and every site on my network and say, 'Hey, what are you up to?'" Kacperski told the Post. "But if there's a complaint, then I can deal with it, I have to deal with it. Instead of complaints, I get people labeling me as some kind of mafia kingpin or crime boss."

If HostExploit's report is correct, Kacperski wouldn't have had to look very hard; research demonstrated that some 78 percent of the company's domains and servers were hostile. Again, the sheer size of the problem confounds any sort of "it happens to everyone" defense. Kacperski may be telling the truth when he says he received virtually no complaints, but such a situation isn't hard to engineer. Obtuse contact forms that require extremely specific information (the details of which are all spelled out in the very fine print), combined with aggressive e-mail filtering, could easily leave the owner with almost no complaints to answer, because "whoops," all those other e-mails got dumped in the trash.

Taking Atrivo offline will only cause a minor blip (if that) in the flow of malware across the Internet, but it at least eliminates a parasite we know was doing business in the US as a legitimate company. We'll never win the war this way, but security researchers in general, and the folks at HostExploit in particular, can still take pride in having won a battle.

Update: The victory celebration is short-lived indeed. As some readers have observed, Atrivo (operating as Intercage) is back up and online, courtesy of IP upstream provider UnitedLayer. The white hats, in this case, may still have one—Intercage's owner has pledged to cease all business with Esthost, a notorious malware haven itself, and has vowed to create a new, transparent system for customers to contact the company. There's no word on whether or not jettisoning Esthost (and possibly EstDomains) will affect the shell-corporation-loving Directi Group, which we also discussed early this September, but it wouldn't be surprising if the Atrivo aftershocks continue to ripple down the malware chain of command.