HostExploit Q2 2011 Top 50 Bad Hosts Report - Hacking, Bad Hosts and False Positives

The HE Q2 Top 50 Bad Hosts & Networks report analyzes all 38,030 advertised hosts (ASNs), focusing on the 50 worst offenders, now newly available in both English and Russian due to a collaborative partnership between HostExploit and Group iB, Moscow.
 
July 13, 2011 - PRLog -- In a quarter dominated by press stories about self-publicizing hackers such as Anonymous and LulzSec, matched with DDoS attacks and data exfiltration by others, it is easy to overlook the more widespread problems. As an example, there were around 350,000 website defacement hacks in this quarter and 1.5 million in 2010. Additionally, there are currently more than 800,000 web sites hosting malicious exploits and badware.

The Q2 Top 50 Bad Hosts & Networks report encompasses analysis of all 38,030 currently advertised and commercial hosts (ASNs), focusing on the 50 worst offenders. For the first time, thanks to a collaborative partnership between HostExploit (HE) (http://www.hostexploit.com) and Group iB Moscow (http://www.group-ib.ru), we are pleased to announce that the report is published in both English and Russian versions, available as free downloads.

The need for standardization is a recurring theme for this quarter. This conclusion is based upon our observation of the many different ways that blacklists are compiled. Differences in data sets can be explained, in part, by blacklists being produced for specific malicious activity. Rapid expansion of the blacklist community has resulted, in some cases, in an increase in the number of false positives, and often in difficulty removing them within a reasonable period of time.

After consulting with Google about the problem of false positives in relation to domain parking, Google recently made a process change to eliminate many false positives in their Safe Browsing service (used in browsers to protect end-users from malicious websites). For example, HE research shows that the removal of false positives from the Google Phishing list has resulted in a significant reduction (80 per cent) in the listings of AS21740 eNom. For eNom, now dropped out of the Top 100, this has proved to be significant, enabling them to concentrate on cleaning up the real issues. This will also be reflected across other domain registrars and domain wholesalers as well as reducing the problem of false positives that can be associated with domain parking.

In summary, other findings from the report show:

•   The title of #1 Bad Host (Overall Category) goes to AS33182 HostDime for significant levels of spam, exploit servers, phishing servers and Zeus servers, as well as botnet C&C servers, badware and infected websites.
•   Nearly one half (23) of the Top 50 Bad Hosts operate from the United States. Cybercriminals like hosting services that are easy to obtain and which provide false credibility.
•   Exploit Servers represents HostExploit’s most important category in the analysis of malware, phishing or badness as a whole. #1 this quarter is AS14585 CIFNet.
•   In the Current Events sector, which covers the most up-to-date and fast-changing malicious activities, such as click jacking, counterfeit pharma, new exploit kits, SpyEye, Stuxnet and blended attacks such as MALfi, the #1 position goes to AS16138 Interia.pl.
•   Comparing Q1 with Q2 2011, there are few changes in terms of overall levels of badness being served. Website infections, however, are down on the corresponding period of 2010.

Hosts and corporate networks generally do not host malicious activity with deliberate intent, but can deliver malware from servers that have been hacked or compromised and added to a network of zombies. Such networks are used to further the outreach of noxious or virulent material by masking its true origin and, thus, helping to avoid detection. For this reason HostExploit considers the category called Exploit Servers to be the most important in its analysis, and this is the basis for its added weighting. Full details of the methodology used are available in the full report.

To end on a positive note, some well-known names have shown significant reductions in levels of badness and are deserving entrants to the ‘Most Improved Host’ category. Most Improved this quarter is AS47764 Netbridge, host to the popular mail client Mail.ru, which has shown a drop of 84 percent. The title of overall #1 Good Host, for consistently low levels of badness this quarter, is awarded to AS34744 GVM Sistem, hosted in Romania.

To download the Q2 2011 Top 50 Bad Hosts Report in either English or Russian visit: http://hostexploit.com/downloads/viewcategory/7-public-re...

# # #

About HostExploit

HostExploit, part of CyberDefcon, provides open source intelligence on cyber security issues and cybercriminal operations. By providing analysis of all the public Internet servers worldwide, the quarterly Top Bad Hosts reports and daily SiteVet updates aim to maximize awareness among hosts, registrars, governmental and cyber security researchers.

About Group-iB

Group-iB is Russia and the CIS’s leading computer security company, specializing in the investigation of computer crime, information security breaches, and computer forensics. It was the first and the only company in the Russian Federation to specialize in cybercrime investigations and post-incident consulting.
Tags:Ddos, Hacking, Exploits, Badware, Cybercrime
Industry:Computers, Internet, Security
Location:Bradenton - Florida - United States