Top 50 Bad Hosts - December 2010
Repeat Offenders Host Cybercrime Activity
The HostExploit (HE) series on worldwide cybercriminal activities continues in the Q4 2010 Report on the ‘Top 50 Bad Hosts and Networks’. The emphasis this quarter is on the repeat offending of some hosting providers.
VolgaHost AS29106 is no stranger to the Top 50 reports, having been in the top 10 for the entire 6 months prior to this quarter. Yet its effective badness levels have continued to rise, and it now takes the #1 rank. Particularly prevalent on VolgaHost are Zeus servers and infected web sites.
On the theme of repeat offenders, it has been a disappointing quarter for eNom AS29073, the domain registrar arm of Demand Media. Ever willing to give credit where due, HE praised in last quarter’s report what seemed to be a genuine attempt on eNom’s part to ‘clean up’. Sadly, however, this effort appears to have been short-lived. eNom is back up to #3 from #7 in Q3, having previously been #1. In the Badware sector eNom is once again top of the pile as the #1 Bad Host.
HE’s view is that the majority of hosts do a good job at keeping their servers clean. So why then are there hosts such as VolgaHost, eNom and Ecatel AS21740 (displaced from #1 down to #2), all of whom display enduring levels of cybercriminal activities on their servers?
Perhaps the attitude of hosting providers is best summed up by Andre' M. Di Mino (Co-Founder & Director of The Shadowserver Foundation) in his foreword to the report:
“The majority of network and hosting providers are very concerned about their reputation and will respond in rapid fashion when notified of malicious activity. Others are content to let such activities flourish. In any case, it is important to highlight those providers where malicious activity is rampant, and raise general public awareness.” - Andre' M. Di Mino
HE’s Q4 2010 Report exposes the persistent nature of some of the more dubious activities hosted by a few providers such as:
- INTERIAPL (PL) AS16138 #1 for Current Events (exploit kits, etc.) since June 2010.
- DATA ELECTRONICS (IE) AS13100 #1 for Exploit Servers in the last 2 reports.
An example of a lack of due diligence allowing bad habits to return can be seen with Brazilian Cyberweb Networks AS28299. This hosting provider had dropped down to #228 in Q3 2010, from #9 in Q2, as a result of ‘cleaning up’. Recent increased levels of botnets and phishing, however, have bounced this provider back up to #21.
The HE Q4 2010 Report recognizes the genuinely hard effort made by hosts and providers intent on ‘cleaning up’. The ‘Most Improved Hosts’ section displays those deserving of praise and approval for their achievements. For example:
- CTC-CORE-AS (RU) AS44237: #29 in Q3, now #27,204. An improvement of 99% to almost negligible levels of badness.
The vast majority of hosts do provide a safe and relatively clean Internet experience for their customers. Only approximately 6% of the 36,371 public ASes (Autonomous Systems) display levels of badness that give cause for concern through ineffective abuse procedures and a tolerance of cybercriminal-friendly activities. The HE quarterly reports continue to display the results of monitoring ‘bad’ hosts in anticipation of a cleaner and safer Internet experience for all users.
HE’s study combines its own data with a wide range of respected community sources to produce a comprehensive analysis of badness levels on each of the world’s 36,000+ public Autonomous Systems. The data is processed by SiteVet, an innovative tool that uses unique algorithms to calculate a simple quantitative badness rating out of 1000 (which we call the HE Index) of each AS. Results are further published in tables and charts. With a focus on the worst aspects of cybercriminal activity, the HE Index also takes into account factors such as: size of network; botnet hosting; infection rates; current events; distribution of malware, exploits, rogues and spam.
Note: Live results can be found at SiteVet. The figures contained here and in the report were correct at the time of the end of year analysis.
Reviewers: Andre’ M. DiMino, Dr. Bob Bruen
We welcome any feedback relating to this paper or assistance in this area of research from the community.