Blogs

As part of a series of reports on ‘Cybercrime USA’, HostExploit presents a detailed analysis of Demand Media/eNom’s position as #1 Bad Host in the HE Index of comparative Internet badness. Research published in our recent Q2 2010 Top 50 Bad Hosts and Networks Report shows AS21740 Demand Media/eNom topping the HE chart by serving and distributing Internet badness through botnets, spam, malware, infected web sites, and exploit serving. Out of the known 34,738 publicly reported ASes (servers), Demand Media/eNom is shown to be #1 for Internet badness and the #1 abusive Registrar.
To demonstrate how the Internet badness served by Demand Media relates to other known centers of badness, we introduce in this report “The McColo Standard of Cybercrime”, whereby scores on our HE Index are illustrated in an easy-to-understand format and compared with how the infamous McColo would have fared under this system. A score of 4 to 5 on the HE Index is the average across all ASes. Much to our surprise, both Demand Media and McColo (using retroactive data from October 2008) scored around 270, indicating high levels of Internet badness. This placed Demand Media firmly in the #1 position on the HE Index.

Press Release
HostExploit is pleased to present the Q2 2010 report on the ‘Top 50 Bad Hosts and Networks’. At rank #1 in the report, Demand Media/eNom (USA) earns the label of ‘worst host’ from security analysts at HostExploit, taking over the top spot from Ecatel (Netherlands). A detailed analysis shows high levels of Internet ‘badness’ and cybercriminal activity hosted by Demand Media/eNom in their role as a hosting provider.
Using data supplied by SiteVet.com, together with Open Source Security data partners, HostExploit has released an updated HE Index of the worst Internet hosting operators around the world. Compiled by actuarial analysis of data from all 34,748 public ASes (Autonomous Systems), the HE Index is presented as an easy-to-understand ‘badness’ rating, on a scale of 0 to 1000, published in tables and charts. With a focus on the worst aspects of cybercriminal activity, the HE Index also takes into account factors such as size of network, potential for the hosting of botnets, and distribution of malware, exploits, rogues and spam.

In a hard-hitting report, ‘Review of Illicit Registrar 2010’, KnujOn has revealed alleged illicit practices of at least 162 Registrars who could be benefiting from significant financial returns from their complicity. Particular attention has rested on eNom:
"... they sponsor more illicit pharmacy than the next 'top five' pharmacy-sponsoring Registrars combined".
There are roughly 4,000 rogue Internet pharmacies violating the criminal laws specified above that are utilizing eNom’s registration services, more than any other Registrar by a factor of seven, KnujOn claim. eNom is aware of the illegal nature of these domains. eNom has been notified by the organization that represents pharmacy regulatory authorities about this problem, and has been requested to work with LegitScript, as other U.S.-based Registrars do, and non-U.S. Registrars who do business in the United States, to identify clearly illegal websites and suspend them in accordance with the RAA, UDRP and their own Terms and Conditions. eNom has failed to act.

In recognition of the serious concerns about the vulnerability of the DNS system as a whole, Rod Beckstrom (ICANN’s CEO) chaired the panel himself, with virtually all 1,200 or so ICANN meeting attendees present. Also on the panel were Whit Diffie, one of the fathers of public key encryption; Paul Mockapetris, designer of the original DNS; Steve Crocker, chairman of the Security and Stability Advisory Committee of ICANN; and Dan Kaminsky, famous for unearthing the exploitation of DNS.
Primarily this session centered on DNSSEC (short for DNS Security Extensions), which is intended to add security to the Domain Name System. DNSSEC was designed to protect the Internet from certain attacks, such
At 9:00am EST on Friday, May 14th, AS50896 PROXIEZ lost its ability to infect the Internet. To avoid confusion: there were ‘unsuccessful’ attempts to reconnect on Saturday and Sunday, May 15/16th, which may account for reports of connections to bots and malware still being alive.
The upstream peer AS50818 DIGERNET was also disconnected from the Internet at 10:30am EST on Friday, May 14th. AS50908 EVAUA (InfoPlus Ltd.) is currently attempting to serve the Zeus C&Cs as a replacement for Proxiez.
AS50896 PROXIEZ was issued by RIPE and first active on April 19th 2010, and AS50908 EVAUA was first active on May 17th 2010. This again calls into question the issuance by RIPE of ASNs and IP ranges which are immediately utilized for crime servers.
Mini Report in PDF can be downloaded here (registration required).


