U.S. and Russia–Not China–Lead List of Malicious Hosting Providers

ID THREATPOST:55593DBD442D2B2BF216882F7622D81C
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-26T15:57:59


China has become the go-to bogeyman behind every cyber attack or malware campaign, but if you’re looking for the most malicious hosting providers on the Web, you won’t find any of the top 10 in China. In fact, the United States and Russia have many more bad hosting providers in the top 20 than China does.

Those statistics, compiled in Host Exploit’s quarterly World Hosts Report, are somewhat surprising, although they don’t paint the full picture of the attack landscape. The malicious activity that Host Exploit tracks generally comprises malware hosting, botnet C&C hosting and the like, and does not necessarily include command-and-control servers for targeted attacks or the like. Still, the data the organizations compiled shows that the hosting of malicious servers is not a localized problem, it’s a global one.

Of the top 20 malicious autonomous systems (AS)–ranked according to an index that Host Exploit calculates based on a number of factors–five are located in the United States, four are in Russia and just one is in China. Even drawing it out to the entire top 50 malicious AS find just one other host in China. Host Exploit bases its index on a calculation of the concentration of malicious activity coming from each AS, which is a large block of routes assigned to one host or ISP.

In the first quarter of 2013, the host ranked as the worst in this report is Ecatel Network in the Netherlands, a host that has a relatively small number of IPs assigned to it, at slightly more than 13,000. By comparison, Chinanet Backbone, the lone Chinese host in the top 20, has more than 116 million IPs. So the absolute level of malicious activity on Chinanet is obviously far higher than that on Ecatel Network. The highest-ranked U.S. host is Landis Holdings, which comes in ninth and has just 28,000 IPs.

Host Exploit tracks several different kinds of malicious hosting activity including botnet traffic, spam hosting, badware hosting and phishing sites. The breakdown of how much of each kind of activity a given provider is hosting makes for interesting reading. For example, Ecatel Network carries a lot of botnet traffic, but when it comes to activity related to the Zeus botnet, Ideal Solution, a Russian host with fewer than 3,000 IPs, is the largest culprit in the top 10.

One other interesting data point is the appearance of Amazon in the top 10 list of providers hosting the highest concentration of infected Web sites. These are the kind of sites used in drive-by download attacks and to deliver exploits from exploit packs. Amazon, with more than two million IPs, ranks fourth in the list of providers hosting infected sites. Also on that list is Google, which comes in at number seven. The top spot belongs to Mail.ru, a Russian hosting provider.

“The number of malicious URLs on Mail.ru’s servers has risen rapidly over the last quarter, with the vast majority being stored on its file hosting servic eand download manager.This rise has seen it move into the overall top 10 hosts. Such a sudden increase in malicious files being hosted could either be the result of new features, a change in policy or down to cybercriminals choosing Mail.ru as a temporary hosting service,” Host Exploit said in its report.

When it comes to phishing sites, the U.S. again shows its prowess, with four of the top 10 hosting providers being located in America.