Top 50 Bad Hosts - September 2011


HostExploit is pleased to present the next report in the Top 50 Bad Hosts & Networks series, for the period of 2011 Q3. For the second consecutive quarter, the report is published in collaboration with Russian security company Group-IB. Both English and Russian versions of the report are available to download now.

This year has been characterized by frequent reports of hacks and data breaches with little change in Q3 2011 in a seemingly never ending outflow of data from organizations struggling to cope with the demands of ever changing technologies.

Social engineering is now acknowledged as a leading threat to organizations and businesses of all sizes with many lacking the resources to control this multi-faceted problem. The rise of personal gadgets used within the workplace brings its own set of problems too. Key to countering cybercrime in its many forms and guises is to raise awareness and to educate users/employees/IT personnel about current threats and the places that they are likely to come from.

The HostExploit Top 50 Bad Hosts & Networks series and related quarterly reports is our way of contributing to the fight against cybercrime. Our aim is to raise awareness about where badness is being hosted and to provide a means for hosts to benchmark the cleanness of their service against others in the industry.

HostExploit analyzes all 39,056 currently advertised and commercial hosts (ASNs) with the results represented in a number of ways. The main findings are available for download on the HostExploit website.

More detailed information on individual ASNs is available on our sister site, SiteVet. Here it shows, for example, whether the badness detected is botnet activity, badware, exploit kits, spam etc. Historical information is available too to give added insight into the longer term performance of all hosting providers. This information is additionally beneficial in the making of an informed decision about the reputation of a particular host.

In Q3 2011, there were several changes in the top positions in the Top Bad Hosts table:

  • The title of #1 Bad Host (Overall Category) now goes to AS33626, a monetizer of domain names, for high levels of hosting malicious URLs, badware, Zeus botnet servers and infected sites.
  • The US share of the Top 50 has dropped from 23 in Q2 to 16 In Q3 although 5 of the Top 10 are still hosting from the United States including the #1 spot.
  • #1 in the most important category, Exploit Servers, in the analysis of malware, phishing or badness as a whole, is AS47583 Hosting-Media, hosted in Lithuania.

Discussed in this quarter report, also, is the rise of GHOSTing, or 'Bulletproof Cybercrime Hosting and the Cloud', which is increasingly being used as a way of serving malicious material and yet remaining under the radar. It gives, by all intents and purposes, the impression of clean and responsible hosting as no obvious sign of criminal activity is detected on the providers’ servers. This is achieved through the legitimate offering of VPN or VPS services to those clients who wish to host illicit or objectionable badness e.g. malware, botnet C&Cs, phishing, spam operations or even images of child sexual abuses. In this way hosts can feign ignorance or turn a blind eye to their customers’ real intentions. Further information on this practice can be found in the Q3 report.

In a quarter that included the notorious hack of DigiNotar many questions relating to lax security remain unanswered. At times it seem a struggle to find any good news but that is why HostExploit quarterly reports include a regular feature on the Good Hosts, as a way of emphasizing that the vast majority of hosts do a good job and to congratulate the most improved hosts. This quarter is no exception and includes at least one familiar name, Dutch host AS29073 Ecatel, a former #1 Bad Host, and regular in the Top 10, whcih has recently shown a significant improvement by dropping just out of the Top 50.

Note: Live AS results can be found at SiteVet. The figures contained here and in the report were correct at the time of the end-of-quarter analysis.


PDF document
English 1.65M Download
PDF document
Russian 1.57M Download


Editor Jart Armin
Contributors Philip Stranger
James McQuaid
Steve Burn
David Glosser
Greg Freezel
Brynd Thompson
Will Rogofsky
Reviewers Dr. Bob Bruen
Raoul Chiesa
Ilya Sachkov
Alexander Pisemskiy


We welcome any feedback relating to this paper or assistance in this area of research from the community.

Get in touch.