Top 50 Bad Hosts - March 2011

Abstract

Current Cyber Security Events and the World’s Worst Hosts

HostExploit is pleased to present the Q1 2011 report on the Top 50 Bad Hosts and Networks, taking a look at recent notable events such as the LizaMoon SQL attacks and the takedown of the Rustock botnet.

In addition to HostExploit’s regular quarterly analysis of the world’s worst hosts for malicious activity – including spam, botnets, badware, phishing attacks and infections – the report looks at the fallout of major hacks and intrusions in the industry and what it means for the hosts themselves. Other pertinent topics such as Advanced Persistent Threats (APT), mobile malware and 32-bit ASNs are discussed.

A major feature of the report is the fluctuating levels of malicious activity over the three months from January to March 2011. For example, the impact of spam over this period of time is analyzed in the context of the Rustock botnet takedown. There have been significant decreases in levels of spam being churned out by some service providers. Of particular note is the 96 percent decrease by Russian mobile internet provider Bashcell AS42115.

The main purpose of the Top 50 Bad Hosts and Networks series, as always, is to reveal the hosts that cybercriminals are using to serve their nefarious operations. In publishing this information it is hoped that these "worst" hosts will take the measures needed to actively clean up the output of malicious activity from their networks.

In this respect, this quarter’s "winner" of the title for Top Bad Host is the Russian-based host Webalta AS41947. The situation on Webalta’s servers has steadily worsened over the last few months, and it has come in at #1 overall without being ranked #1 in any of the specific badness categories. This is a result of being highly-ranked in a broad array of sectors, which suggests extremely slack abuse procedures.

Coincidentally it would seem, last quarter’s winner Volgahost AS29106 had a very short lifespan after the release of the Q4 2010 report as this hosting provider was taken offline in January 2011.

The vast majority of hosting providers offer a relatively clean service by employing the best of industry practices. It is important to give this balanced view and the reason for the inclusion of a "good host" category. At #1 this quarter is Asattca AT&T Global Network Services AS2688, a US-based company with global headquarters in Dallas. They should be congratulated for their consistently good performance.

Congratulations should also go to the “most improved” hosts who are showing that it is possible turn things around. #1 most improved host this quarter is eNom AS21740 the registrar arm of Demand Media, now down to #72 from #3 last quarter.

Regular features including crime servers, biggest movers, good hosts and country analysis can all be found in the full version of the report. Additionally, new items such as mobile malware and pocket botnets, together with Advance Persistent Threats give up-to-date information about the dangers posed from the changing landscape of cyber security threats.

Note: Live AS results can be found at SiteVet. The figures contained here and in the report were correct at the time of the end-of-quarter analysis.

Download

top_50_bad_hosts_201103.pdf
PDF document
English 1.39M Download

Authors

Editor Jart Armin
Contributors Philip Stranger
James McQuaid
Steve Burn
David Glosser
Brynd Thompson
Will Rogofsky
Reviewers Dr. Bob Bruen
Raoul Chiesa

Feedback

We welcome any feedback relating to this paper or assistance in this area of research from the community.

Get in touch.