Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

So, where are Esthosts/Estdomains now that Intercage/Atrivo are in such trouble?

September 27th 2008 in Uncategorized

Let’s take a look-see at where Intercage/Atrivo’s most infamous client, esthosts/estdomains, are situated – using Domaintools, cidr-report.org and bfk-de, and a smattering of Sam Spade 1.14.  I’m not using Robtex that much because I get the sense that, sometimes, its data is behind the times and it should be noted that by the time this article goes live, things may have changed again.  I think the hardest part of writing about this stuff is not doing the research per se, but rather, trying to distill the information down into a format that is half-way possible to understand.

In summary, what do we see?  Well, it looks like Esthosts/Estdomains have come to rest in Russia and Amsterdam.  I also note that their infamous ex-host Intercage (who are, apparently, still off the air) continue to have some involvement with Esthost/Estdomains via protectdetails.com (protectdetails.com is the WHOIS privacy service Estdomains created to replace Directi’s PrivacyProtect service) and Cernel. I was also interested to note that Domaintools reports that the SSL Certificate for protectdetails.com and cernel.org are both “billing.esthost.com” (btw, note that the correct spelling is CERNEL, not CERNAL – even hostexploit.com got the spelling wrong in places in its PDF report…)

I don’t expect things to settle down any time soon.  Those behind malware, and malware hosting, are being watched like a hawk.  For example, reports about Intercage being knocked offline again over the past 24 hours or so (as I noted on the 25th) include:

UnitedLayer COO: Giving access to InterCage is an issue of ethics (an interview with Intercage/Atrivo’s latest peer explaining why they were willing to take Intercage/Atrivo on)
Yes, Atrivo/Intercage is Offline Again…
Notorious ISP Intercage goes dark again (notes that “Kacperski is evaluating whether his company [Atrivo/Intercage] can continue as a business”)
Net pariah Intercage back among the dead – No more Global Crossing 
Intercage, gone with the wind again


The nitty gritty details of Esthosts/Estdomains are…

estdomains.com  A   83.171.76.98 – ZAO Petersburg Transit Telecom (PTT), Russia (AS31353)  *A*
estdomains.com  A   94.102.49.3 – Ecatel LTD, Amsterdam (AS29073) *B*
estdomains.com  NS  ans1.esthost.com
estdomains.com  NS  ans2.esthost.com
estdomains.com  NS  temp1.estdomains.com
estdomains.com  NS  ns1.estdomains.com
estdomains.com  NS  temp2.estdomains.com
estdomains.com  NS  ns2.estdomains.com
estdomains.com  NS  a.estdomains.com
estdomains.com  NS  b.estdomains.com

esthost.com  A  94.102.49.3 – Ecatel LTD, Amsterdam (AS29073) *C*
esthost.com  NS  ens1.esthost.com
esthost.com  NS  ans2.esthost.com
esthost.com  NS  ans3.esthost.com
esthost.com  NS  ans4.esthost.com


*A*
83.171.76.98 A  ns2.protectdetails.com – ZAO Petersburg Transit Telecom (PTT), Russia (AS31353)
83.171.76.86 A  estdomains.com
83.171.76.86 A  b.estdomains.com


*B* and *C*
94.102.49.3 A  estdomains.com – Ecatel LTD, Amsterdam (AS29073)
94.102.49.3 A  esthost.com


protectdetails.com  A  89.108.73.87 – Agava JSC, Russia (AS39561)  *D*
protectdetails.com  NS  ns1.protectdetails.com
protectdetails.com  NS  ns2.protectdetails.com

ns2.protectdetails.com – A: 69.50.176.229 – Intercage Inc, California (note: SSL Cert billing.esthost.com) (AS27595) *E*
ns2.protectdetails.com – A: 83.171.76.98 – ZAO Petersburg Transit Telecom (PTT), Russia (AS31353)


*E*
69.50.176.229 also hosts cernel.org, online-company.com, otegra.com, otegra.net

69.50.176.229 A ns2.protectdetails.com
69.50.176.229 A ns1.esthost.com
69.50.176.229 A ens1.esthost.com
69.50.176.229 A ns2.esthost.com
69.50.176.229 A ns2.cernel.net


WHOIS

protectdetails.com
69.50.180.157 (Domaintools) – Intercage Inc, California (AS27595)
Registrar: Estdomains, Inc
Created 11 June 2008
Registrant: Protect Details Inc, Domain Manager, privatecontact@protectdetails.com

cernel.net
216.255.190.85 (Domaintools) – Intercage Inc, California (AS27595)
Registrar: Estdomains, Inc
Created 28 November 2005
Registrant Cernel Inc, Legal Department, support@cernel.net

cernel.org
69.50.176.229 (Domaintools) – Intercage Inc, California (AS27595)
Registrar: Estdomains, Inc
Created 28 November 2008
Registrant: Cernel Inc, Legal Department, support@cernel.net
Note: SSL Cert is noted as billing.esthost.com (Domaintools)


ZAO Petersburg Transit Telecom (PTT), Russia (AS31353)  *A*
Upstream ASN-SPBNIT OJSC North-West Telecom Autonomous System (AS8997)

ASN-SPBNIT OJSC North-West Telecom Autonomous System (AS8997)
Upstream ROSTELECOM-AS (AS12389), RTCOMM-AS (AS8342), TRANSTELECOM (AS20485), RETN-AS (AS9002)


Ecatel LTD, Amsterdam (AS29073)  *B* and *C*
Upstream OPEN-PEERING-AS (AS20562), OPENHOSTING (AS33970), TISCALI-BACKBONE (AS3257), HURRICANE (AS6939)


Agava JSC, Russia (AS39561)  *D*
Upstream – Skymedia, Russia (AS39134)

Skymedia, Russia (AS39134)
Upstream Transtelecom, Russia (AS20485)

Transtelecom, Russia (AS20485)
Upstream Tiscali-Backbone (AS3257), IS (AS3741), Rostelecom-AS (AS12389), Telianet (AS1299), CW Cable and Wireless (AS1273), NTT-Communications-2914 (AS2914), RETN-AS (AS9002), BTN-ASN (AS3491)


Intercage Inc, California (note: SSL Cert billing.esthost.com) (AS27595)  *E*
No upstream provider
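As an added example (not part of the original post), the following Python script loads the A records and AS upstream relationships listed above and automates the two pivots the post does by hand: which hostnames share an address, and which hostnames are left with no transit path at all once an AS such as Intercage’s AS27595 has no upstream. The records are transcribed from the post; nothing not stated on the page is assumed.

```python
"""Pivot on the DNS/AS data from the post: shared addresses and transit reachability."""
from collections import defaultdict

# (hostname, IP, ASN) tuples transcribed from the post's DNS and WHOIS tables
A_RECORDS = [
    ("estdomains.com", "83.171.76.98", 31353),
    ("estdomains.com", "94.102.49.3", 29073),
    ("esthost.com", "94.102.49.3", 29073),
    ("ns2.protectdetails.com", "83.171.76.98", 31353),
    ("b.estdomains.com", "83.171.76.86", 31353),
    ("protectdetails.com", "89.108.73.87", 39561),
    ("ns2.protectdetails.com", "69.50.176.229", 27595),
    ("ns1.esthost.com", "69.50.176.229", 27595),
    ("ens1.esthost.com", "69.50.176.229", 27595),
    ("ns2.esthost.com", "69.50.176.229", 27595),
    ("ns2.cernel.net", "69.50.176.229", 27595),
    ("cernel.org", "69.50.176.229", 27595),
]

# AS -> upstream ASes, as listed in the post (empty list = no upstream provider)
UPSTREAMS = {
    31353: [8997],
    8997: [12389, 8342, 20485, 9002],
    29073: [20562, 33970, 3257, 6939],
    39561: [39134],
    39134: [20485],
    20485: [3257, 3741, 12389, 1299, 1273, 2914, 9002, 3491],
    27595: [],
}

def shared_hosts(records):
    """Map each IP to the sorted names resolving to it (the co-hosting pivot)."""
    by_ip = defaultdict(set)
    for name, ip, _asn in records:
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}

def reachable_upstreams(asn, upstreams=UPSTREAMS, seen=None):
    """Every transit AS reachable by following upstream links; empty = cut off."""
    seen = set() if seen is None else seen
    for up in upstreams.get(asn, []):
        if up not in seen:
            seen.add(up)
            reachable_upstreams(up, upstreams, seen)
    return seen

def names_without_transit(records, upstreams=UPSTREAMS):
    """Names whose every listed address sits in an AS with no transit at all."""
    asns_for = defaultdict(list)
    for name, _ip, asn in records:
        asns_for[name].append(asn)
    return sorted(n for n, asns in asns_for.items()
                  if all(not reachable_upstreams(a, upstreams) for a in asns))
```

Note that ns2.protectdetails.com is not in the cut-off list because it has a second address in AS31353, which is exactly the kind of cross-provider redundancy the post is tracking.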


One comment to...
“So, where are Esthosts/Estdomains now that Intercage/Atrivo are in such trouble?”

Proud vigilante

You might want to keep an eye on vpn1.esthost.com … their backdoor is still on isprime AS23393 > nlayer/pilosoft AS26627


Surprise surprise.  Screenshot taken just a few minutes ago…
http://www.cidr-report.org/cgi-bin/as-report?as=AS27595&v=4&view=2.0
