Top 50 Bad Hosts - December 2011


There is one common denominator in cybercrime – it is hosted, served, or trafficked by some host or network operator somewhere. It could be assumed that such a succinct, yet true, statement should yield, in return, an equally concise solution. In fact, it provides only a place to start, albeit a very good one, in the complex world of cybercrime.

It has been a few years since the HostExploit &v;Top 50 Bad Hosts and Networks” reports began, during which time we have published, each quarter, the results of our analysis on all the world’s publicly-announced Autonomous Systems (ASes) which are serving and delivering, unwittingly or otherwise, malicious activities.

Luckily, we are not alone in seeing the value in presenting this comparative data (see report for a full list of our community partners). Through a range of charts and tables we give an overview on where internet badness is located. The aim is to encourage service providers to “clean up” and to be proactive in stopping the cybercriminal activities found on their servers.

Also, once again, Group-IB, Russia and the CIS’s leading computer security company (specializing in the investigation of computer crime, information security breaches, and computer forensics) collaborated with us to publish our report in both English and Russian.

Some things have changed since our early reports. There is now more cooperation between the security industry, law enforcement and service providers and some pleasing results against some of the worst activities found on the net.

Sadly, some things have not changed. Cybercriminals are still too easily making financial gain from the lax procedures by service providers, security vulnerabilities of organizations large or small and Internet users’ lack of awareness. 2011 showcased some data breaches of truly epic proportions with the year ending in the same vein in which it began.

As well, 2011 saw a variety of new threats appearing including the first smartphone infections with botnet-like attributes to bring the reality of a “pocket botnet” ever closer. 2012 will see more of the same as the continuing popularity of the smartphone as the device of choice for accessing the internet ensures that cybercriminals will make it their target in pursuit of financial gain. HE’s Q4 2011 report contains a special feature on this subject with excerpts taken from HE’s editor, Jart Armin’s, popular presentation on “The Pocket Botnet” given at security conferences in 2011.

This quarter’s report features, too, an overview of the analysis performed on the “Dirt Jumper” DDoS botnet by newly-formed security group DeepEnd Research. This new alliance is formed of independent, experienced and highly-respected researchers focusing on analysis of various threats – with the emphasis on malware, botnet tracking, underground economy and cybercrime.

The regular features of the HE “Top Bad Hosts and Networks” Reports form the main topics for consideration. For example, the league table displaying the “Top 50 Bad Hosts” has a new #1 this quarter. Lithuanian (LT) hosting provider, AS47583 Hosting Media, is shown to be delivering a variety of malicious activities from its servers including botnets, spam, phishing, exploits and viruses.

Other themes include an analysis of individual categories – tables of the “Top 10” positions for hosting botnets servers, phishing servers, exploit servers, Zeus botnet hosting, and for the delivery of activities such as infected websites, spam, current events (latest threats such as XSS/RCE/RFI/LFI), clickjacking, counterfeit pharmas, rogue AV, DDoS, Zeus (Zbota), Artro, SpyEye, Stuxnet, BlackHat SEO, Koobface, as well as newly-emerging exploit kits and badware.

By highlighting the “bad” hosts, who put money before concern for the safety of internet users, we can raise awareness among webmasters and domain owners who can make an informed decision about where to host their website. Being proactive in this way will ensure that gaining a bad reputation makes no economic sense.

Note: Live AS results can be found at SiteVet.


PDF document
English 1.76M Download
PDF document
Russian 1.69M Download


Editor Jart Armin
Contributors Dr Bob Bruen
Steve Burn
Andrew Fields
Will Rogofsky
Bryn Thompson
Reviewers Raoul Chiesa
Rod Rasmussen
Garth Bruen
Peter Kruse
Alexander Klimberg
Andrey Komarov


We welcome any feedback relating to this paper or assistance in this area of research from the community.

Get in touch.