A NASA special agent, Sean Zadig, initially traced the malicious activity to 3FN during an investigation into attacks on the U.S. space administration's networks. The trail initially led to servers owned by McColo, the rogue Internet service provider taken down in November 2008. Zadig received a search warrant for the contents of McColo's servers and found connections between McColo and 3FN, including ICQ message logs f conversations in Russian between customers and the owners of two 3FN accounts, labeled "Head of Programming Department" and "Senior Project Manager".

In one exchange, documented in the court filing, a customer asks 3FN's Senior Project Manager whether they can host a botnet of 20,000 compromised computers aimed at committing click fraud.

"Well, we can manage it," 3FN's Senior Project Manager stated. "To earn 500 USD per day you need to have 20 000 clicks approx."

SecurityFocus requested an interview with Pricewert through e-mail, but the company did not reply. A call to a number listed in several press releases was answered by a man with an Eastern European accent, who stated that the company would not provide comment.

Both Symantec's Weafer and Shadowserver's DiMino predicted far less of an impact from the takedown than what had been witnessed when McColo was disconnected form the Internet. The scammers and online criminals that use rogue ISPs likely learned not to rely on any single hosting provider, DiMino said.

"These guys operate under a rock, and when you turn over the rock, they are not just going to go away," he said. "Unfortunately, they're not going away — they are going to scatter."

If you have tips or insights on this topic, please contact SecurityFocus.