Last Saturday, California-based Web hosting company Intercage dropped off the Internet because its upstream provider, PIE, decided to terminate its services. All of its servers became unreachable as their IP addresses were no longer routed on the Internet. Intercage found a new upstream provider last Monday, after being offline for more than 36 hours. Traffic to and from Intercage appears absent as of this writing, probably because of filtering by a large Internet carrier further upstream.
The Web hosting company got bad publicity from recent blog postings written by Washington Post reporter Brian Krebs. He cited a research article that dubbed Intercage as a major host of malware. The article criticized the Web host for selling services to Esthost, an Estonian Web hosting reseller and domain site registrar accused of helping cyber criminals by allowing them to register domain names anonymously.
A well-known fact among security researchers is that Intercage IP space has had a remarkable concentration of cybercrime throughout the last four years. But Intercage is not alone; there are more Web hosting companies in the US and Europe that seem to have persistent problems with their customer base.
On this blog, we have written a few times on the so-called rogue DNS (Domain Name System) network of ZLOB. We have shown that this network is using DNS tricks for a massive click fraud scheme targeting legitimate advertising companies and search engines. We also showed that the rogue DNS network can lead to leakage of personal information of ZLOB victims.
We monitored the rogue DNS network of ZLOB after Intercage went offline. Last week, we counted 1178 live rogue DNS servers related to ZLOB. These rogue DNS servers resolved more than 14,000 domain names (including high-profile sites and major search engines) to 200+ malicious IP addresses. After Intercage disappeared from the Internet, we looked again: since last Sunday, 655 of those rogue DNS servers have been down. Many spoofed sites related to ZLOB also disappeared, because they were all hosted by Intercage.
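As an added example, not code from the original post, the following Python script does the kind of check behind the counts above: it sends a raw A query for a canary domain directly to a suspected rogue resolver and labels that resolver as down, honest, or spoofed, depending on whether it answers and whether the answer lies outside the set of IPs a trusted resolver returns for that name. The canary name, resolver addresses and trusted IP set are assumed placeholders, and the embedded response bytes are a constructed sample.

```python
import random, socket, struct

def build_query(name, qid):
    """Build a minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(buf, off):  # advance past a (possibly compressed) domain name
    while True:
        length = buf[off]
        if length == 0: return off + 1
        if length & 0xC0 == 0xC0: return off + 2   # two-byte compression pointer ends the name
        off += length + 1

def parse_a_records(buf):
    """Return (transaction id, rcode, list of A-record IPs) from a DNS response."""
    qid, flags, qdcount, ancount = struct.unpack(">HHHH", buf[:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4           # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in buf[off:off + 4]))
        off += rdlen
    return qid, flags & 0x000F, ips

def resolve_a(resolver_ip, name, timeout=2.0):
    """Query one resolver directly; None means down, filtered, or a mismatched reply."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (resolver_ip, 53))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return None
    rid, _rcode, ips = parse_a_records(data)
    return ips if rid == qid else None

def classify(answers, trusted_ips):
    """answers: {resolver: ips or None}; trusted_ips: IPs a trusted resolver gives for the canary."""
    return {r: "down" if ips is None else ("spoofed" if set(ips) - trusted_ips else "honest")
            for r, ips in answers.items()}

# Constructed sample response: id 0x1234, question www.example.com A/IN, one answer
# (compression pointer to the question name, TTL 60) with A = 192.0.2.1.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" b"\x03www\x07example\x03com\x00\x00\x01\x00\x01" b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")
```

To run it live, call `resolve_a` for each suspected resolver with the same canary name, build the trusted IP set from a resolver you control, and feed both to `classify`.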
Last Monday, we noticed a very slow recovery of the rogue DNS network. Some of the spoofed search engine Web sites became live again, but now in a data center operated by Cernel.net on the East Coast of the US.
We expect that in the coming days more of the rogue DNS network of ZLOB will move elsewhere, simply because the bad guys do not want to miss their ill-gotten revenues.