Last Saturday, California-based Web hosting company Intercage dropped off the Internet because its upstream provider PIE decided to terminate services to Intercage. Intercage's IP addresses were no longer routed to the Internet, so none of its servers could be reached. On Monday, Intercage found a new upstream provider after being offline for more than 36 hours. At the time of writing, traffic to and from Intercage still does not appear to be possible, probably because of filtering by a large Internet carrier higher upstream.

Intercage received bad publicity from recent blog postings written by Washington Post reporter Brian Krebs. Krebs cited a research article that dubbed Intercage a major host of malware. Intercage was criticized for selling services to Esthost, an Estonian Web hosting reseller and domain registrar accused of helping cyber criminals by allowing them to register domain names anonymously.

It is a well-known fact among security researchers that Intercage IP space has had a remarkable concentration of cyber crime throughout the last 4 years. But Intercage is not alone: there are more Web hosting companies in the US and Europe that seem to have persistent problems with their customer base.

On this blog we have written a few times about the so-called rogue DNS (Domain Name System) network of ZLOB. We showed that this network uses DNS tricks for a massive click fraud scheme targeting legitimate advertising companies and search engines. We also showed that the rogue DNS network can leak personal information of ZLOB victims.

We checked what happened to the rogue DNS network of ZLOB after Intercage went offline. Last week we counted 1178 live rogue DNS servers related to ZLOB. These rogue DNS servers resolved more than 14,000 domain names (including high-profile sites and major search engines) to 200+ malicious IP addresses. After Intercage disappeared from the Internet we looked again: since last Sunday, 655 rogue DNS servers have been down. Many spoofed sites related to ZLOB disappeared too because they were all hosted by Intercage.
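A survey of this kind can be sketched as follows. This is an added example, not code from the original article: it labels each probed resolver as down, rogue or clean by comparing its answers with a trusted baseline. All resolver addresses, domain names, answers and the `min_shared` threshold are constructed assumptions.

```python
from collections import Counter

# Constructed baseline: answers a trusted resolver gave for each probe domain.
BASELINE = {
    "search.example": {"192.0.2.10", "192.0.2.11"},
    "bank.example": {"192.0.2.20"},
    "ads.example": {"192.0.2.30"},
    "news.example": {"192.0.2.40"},
}

# Constructed observations: resolver -> {probe domain: answer, None = no reply}.
OBSERVED = {
    "198.51.100.5": {"search.example": "203.0.113.7", "bank.example": "192.0.2.20",
                     "ads.example": "203.0.113.7", "news.example": "203.0.113.8"},
    "198.51.100.6": {"search.example": "192.0.2.11", "bank.example": "192.0.2.20",
                     "ads.example": "192.0.2.30", "news.example": "192.0.2.40"},
    "198.51.100.7": {"search.example": None, "bank.example": None,
                     "ads.example": None, "news.example": None},
    "198.51.100.8": {"search.example": "192.0.2.10", "bank.example": "192.0.2.20",
                     "ads.example": "192.0.2.99", "news.example": "192.0.2.40"},
}

def classify(answers, baseline, min_shared=2):
    """Return (status, off-baseline IPs) for one resolver's answers."""
    replies = {d: ip for d, ip in answers.items() if ip is not None}
    if not replies:
        return "down", set()
    # Count how many probe domains were steered to each off-baseline address.
    off = Counter(ip for d, ip in replies.items()
                  if ip not in baseline.get(d, set()))
    # A lone mismatch can be CDN or load-balancer variation. Unrelated domains
    # collapsing onto one shared address is the rogue signal (assumed heuristic).
    shared = {ip for ip, n in off.items() if n >= min_shared}
    return ("rogue", set(off)) if shared else ("clean", set())

def survey(observed, baseline):
    """Classify every resolver; return statuses, tallies and suspect IPs."""
    status, bad_ips = {}, set()
    for resolver, answers in observed.items():
        status[resolver], ips = classify(answers, baseline)
        bad_ips |= ips
    return status, Counter(status.values()), bad_ips

if __name__ == "__main__":
    status, tally, bad_ips = survey(OBSERVED, BASELINE)
    print(dict(tally), sorted(bad_ips))
```

Running the same survey before and after an outage and comparing the tallies gives the kind of live versus down counts reported above.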

On Monday we noticed a very slow recovery of the rogue DNS network. Some of the spoofed search engine web sites became live again, but now in a different data center on the East Coast of the US operated by Cernel.net.

We expect that in the coming days more of the rogue DNS network of ZLOB will move elsewhere, simply because the bad guys do not want to lose their ill-gotten revenue.