I was trying to decide who to name and shame next, and it was a toss up between Bigness (AS49093), Ecatel and Krypt Technologies. I thought this time, we'd go with Bigness and leave Ecatel and Krypt Technologies for next time.
Bigness came across the radar a few months ago, due to its hosting a slew of malicious domains, and ONLY hosting malicious domains (I've not seen a single legit site hosted there in all of the time I've been monitoring it).
So what have we got over there you ask? Well, we've had rogues, phishing scams, fake meds, spam, and exploits, and there's evidence over at MDL, of their also housing the likes of the Liberty Exploit, amongst other things.
... and that just gives a small example ...
I'm 99% convinced, due to the activities, that Bigness is actually not a legit ISP at all, but is in fact a criminal organization itself, due in part to the sheer amount of activity in such a short time. I'll be happy to see evidence to debunk this.
I am however, more concerned with why their upstreams haven't yet pulled the plug on them. Given the amount of malware, and the amount of abuse reports that have been sent (and there's no doubt been thousands of such reports sent by others), they should've been pulled months ago.
We'll get to the upstream in a moment. Let's see who's "publicly" behind Bigness, shall we? Let's start with the PTR, ptrzonez.com. This domain is registered to:
Notice the domain's Created date? Yep, so did I. Moving along, the following shows the net-block information for Bigness:
You'll no doubt have noticed the reference, courtesy of the e-mail address, to cardiro.org:
Digging further shows several other domains, for example vhios.net, that trace back to these people as well, though none currently resolve.
So who is providing upstream connectivity to Bigness then? Well, a tracert shows the last hop before you get to Bigness to be tinet.net:
The hop PTR shows a reference to Star Hosting, so let's check it out, shall we? Looking at the AS graph over at Robtex shows that whilst the hop is indeed owned by Tinet.net, it's actually used by Star Hosting (AS44146).
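The point above, that the PTR name on a hop tells you who owns the address while the routing data tells you who actually announces it, is worth automating when you do this kind of upstream check. The following is an added example, not code from the original post: it parses a constructed traceroute (RFC 5737 documentation addresses), does a longest-prefix match against a constructed prefix-to-ASN table (private-use ASNs, stand-ins for a real BGP or routing-database lookup), and reports the origin AS of the last hop before the target alongside its PTR name.

```python
import ipaddress
import re

# Constructed traceroute output (RFC 5737 documentation ranges); not a real trace.
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.7 (203.0.113.7), 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.1)  1.204 ms
 2  core1.example.net (192.0.2.254)  5.811 ms
 3  xe-0-0-0.transit.example (198.51.100.9)  22.417 ms
 4  cust-link.transit.example (198.51.100.130)  25.102 ms
 5  203.0.113.7 (203.0.113.7)  26.009 ms
"""

# Constructed prefix -> (origin ASN, name) table using private-use ASNs (64512-65534).
# In a real investigation this comes from a BGP feed or routing database, not from PTR names.
ROUTE_TABLE = {
    "192.0.2.0/24": (64512, "HOME-ISP"),
    "198.51.100.0/24": (64513, "TRANSIT-EXAMPLE"),
    "198.51.100.128/25": (64514, "RESELLER-EXAMPLE"),  # more-specific, announced by a customer
    "203.0.113.0/24": (64515, "TARGET-EXAMPLE"),
}

# Matches "<ttl>  <name> (<ipv4>)"; timed-out hops ("* * *") simply do not match and are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")

def parse_hops(trace_text):
    """Return [(ttl, ptr_name, ip), ...] for every hop line that carries an address."""
    hops = []
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), m.group(3)))
    return hops

def origin_as(ip, table=ROUTE_TABLE):
    """Longest-prefix match of ip against table; returns (asn, name) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, origin in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return best[1] if best else None

def as_path(trace_text, table=ROUTE_TABLE):
    """Origin ASNs along the path, consecutive duplicates collapsed."""
    path = []
    for _, _, ip in parse_hops(trace_text):
        asn = origin_as(ip, table)[0]
        if not path or path[-1] != asn:
            path.append(asn)
    return path

def upstream_of(trace_text, table=ROUTE_TABLE):
    """PTR name and origin AS of the last hop before the destination (the upstream)."""
    hops = parse_hops(trace_text)
    if len(hops) < 2:
        raise ValueError("need at least two hops to identify an upstream")
    _, name, ip = hops[-2]
    asn, as_name = origin_as(ip, table)
    return {"ptr": name, "ip": ip, "asn": asn, "as_name": as_name}
```

In the constructed data the upstream hop's PTR sits under transit.example, but the more-specific prefix is announced by AS64514, which is exactly the owned-versus-used distinction the AS graph surfaced above.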
So Star Hosting, would you care to explain to the ladies and gents of the internet, why you are providing upstream connectivity to a criminal organization? Given Bigness also seems to trace to citytelecom.ru (AS29076 CITYTELECOM-AS Citytelecom.ru), I wonder if they'd mind explaining themselves too?
Until they decide to explain themselves, I thought I'd point you to the following PDF report from Host Exploit, which shows Star Hosting's connections to McColo, which is/was part of the Russian Business Network, which leads to the reasonable assumption that Bigness is very likely simply a new name for McColo, and is in fact the RBN.
I'll leave further digging as an exercise for the reader...