Top 50 Bad Hosts - March 2012
Timely events provide the backdrop to the latest HostExploit’s Top 50 Bad Host and Networks report for Q1 2012. Recent disruptions of cybercriminal operations - the result of cross-industry and international cooperation - show signs of a new willingness to target supporting infrastructures as the enablers of cybercriminal operations.
HostExploit’s (HE) latest report features an in-depth analysis of malicious activity on the servers of the two hosting providers named in legal documents supporting the recent Microsoft-led raid. Following this activity over the course of a few days, using the SiteVet tool on our sister website, provides tangible evidence that strengthens the case behind the dramatic action taken against AS21788 BurstNET NOC and AS53264 Continuum. There is clear evidence of the Command & Control (C&C) centers of the online banking trojans Zeus and SpyEye being served via the two hosting providers raided in this action.
The SiteVet snapshots, on view in the report, show that immediately before the Microsoft-led raid, AS21788 BurstNET NOC had an HE Index of 155.9 (0 represents no badness, 1,000 represents maximum badness) and sat at #6 in the HE Ranking. Zeus activities are clearly shown as being served via BurstNET networks. The day after the raid, BurstNET dropped to #33 in the HE Ranking, with an HE Index of 110.5, an overnight drop of 45 on the scale.
The HE Q1 2012 Report also details events in other regions. Befitting our collaborative action in publishing this report in Russian with Group-IB (the leading computer security company in Russia and the CIS, specializing in the investigation of computer crime, information security breaches, and computer forensics), we cover the recent arrest of a cybercriminal gang by the Russian security service. There is coverage, too, of the second takedown of the Kelihos botnet by Kaspersky and partners. Both of these events show the importance of cross-industry and international cooperation as national CERTs, a variety of industry sectors, and law enforcement unite in action against cybercriminal gangs.
Alongside news roundups of current events, HE presents its regular list of the Top 50 Bad Hosts and Networks including highly visual displays of the most concentrated areas of malicious activity on the Internet.
Also featured in this quarter's report is evidence of the worsening malware situation on Android and smartphones, with the Russian-based mobile communications provider AS31133 MegaFON in the #1 position for Spam, as well as making another three appearances in the same Top 10 category under other AS numbers. This is an unprecedented occurrence and a sign that SMS spam is a problem that some providers are struggling to control.
However, the overall #1 Bad Host title for this quarter goes to a hosting provider based in Poland, AS16138 INTERIA, with extremely high levels of Infected Websites (almost double the level of the next nearest host) and of Current Events, the most up-to-date and fast-changing attack exploits, including blended attack threats, XSS attacks, clickjacking, botnets, SEO abuse, newly emerged exploit kits, etc.
AS16138 INTERIA appears to be comfortable with its high ranking position; although new to the #1 slot, it has been in or around the Top 10 since June (Q2) 2010. This hosting provider obviously aims high, whatever the stakes: with a global traffic ranking of 684 (#10 in its native Poland) and an HE ranking of #1, INTERIA appears comfortable in its position in these charts, be it for free web hosting and relaxed domain name registration or for enabling all types of malicious nasties that catch out unsuspecting users.
Elsewhere, HostExploit is excited about announcing a forthcoming event and new tool that we have been working on for some time with our community partners - the Global Security Map. This is to be released in conjunction with the new World Cybercrime Report, due for release on April 25, with APWG at CeCOS VI in Prague. Please continue to check out the website for the latest news on this release.
For now, an early preview is available at globalsecuritymap.com.
Reviewers: Dr. Bob Bruen
We welcome any feedback relating to this paper or assistance in this area of research from the community.