Top 50 Bad Hosts 201006


HostExploit - CyberCrime Series

Q2 2010

TOP 50
Bad Hosts and Networks
2nd Quarter 2010
Table of Contents

Introduction Page 4

1. Editor’s Note Page 5

2. The Top 50 - June 2010 Page 6

3. March to June 2010 Comparison Page 7

4. Top 10 Visual Breakdown Page 8

5. Country Analysis Page 9

6. The Good Hosts Page 10

7. Most Improved Hosts Page 11

8. Bad Hosts by Topic Page 12


8.1 Infected Web Sites Page 12
8.2 Spam Page 13
8.3 Botnet C&C Servers Page 14
8.4 Phishing Page 15
8.5 Exploit Servers Page 16
8.6 HostExploit Current Events Page 17
8.7 Botnet Hosting - Zeus Page 18
8.8 Badware Page 19

9. Crime Servers Page 20

10. Conclusions Page 21

Appendix 1
Glossary Page 22

Appendix 2
Methodology Page 24

Top Bad Hosts & Networks Q2 2010 Page 2 © HostExploit.com 2010


Edited by
• Jart Armin
• HostExploit

Review
• Dr. Bob Bruen
• Derek Smythe
• Steve Burn

Contributors
• Philip Stranger
• James McQuaid
• Scott Logan
• David Glosser
• Max Mockett
• Brynd Thompson
• Will Rogofsky

Comparative Data
• SiteVet
• hpHosts
• StopBadware
• Google
• MalwareDomains
• MalwareList
• MaliciousNetworks
• MalwareURL
• AA419
• Sunbelt
• UCE Protect
• Spamhaus
• RashBL
• Abuse.CH
• Emerging Threats
• KnujOn
• CIDR
• Robtex
• Team Cymru
• Dancho Danchev
• SudoSecure


Introduction

HostExploit presents the second quarter 2010 report in our ongoing series on the Top 50 Bad Hosts and Networks.

HostExploit has used its own sustained research and data-gathering sources together with reputable Open Source security data on: badware, infected web sites, spammers, phishing, malware, botnet C&Cs, ZeuS botnet infections, and exploit serving to compile a list of the worst Internet hosting operators around the world.

Analysis of 34,748 public ASes (Autonomous Systems), exchanging routing information with each other over the public Internet, provides the backbone for this research. The resulting information has been analyzed using a unique combination of actuarially-weighted mathematical equations and focuses on the worst aspects of cyber-criminal activity in order to create a bespoke ‘badness’ rating. This takes into account the size of each network in question, recognizing that larger servers offer greater potential for distributing malware, but also that such larger servers are under more pressure to undertake effective monitoring. The result is an easily understandable measurement of damage caused to internet users by ‘bad’ activity. We call this measurement the HE Index.

Using data gathered from across a far-reaching range of respected data sources gives a more accurate snapshot of ‘badness’ than other existing scoring systems. Tracking only URLs does not produce fail-safe data. For example, McColo had few active domains and did not present as a cybercriminal server on URL tracking lists.

For further details about the methodology behind the HE Index, please refer to the appropriate section.

The HE Index is presented in an easy to understand format:

• An HE Index of 25.0 or below represents a low state of badness - approximately 5.8% of ASes analyzed are above this figure.

• We see this as a positive sign meaning that 94.2% of the world’s commercial ASes, ISPs and servers are operating effective abuse procedures with a low tolerance for hosting badness.

• Within the Top 50 Bad Hosts, rank #1 (Demand Media / eNom) has an HE Index of 307.5, and rank #50 has an HE Index of 115.4.

• Disclosure in the ‘Q1 Top 50 Bad Hosts’ report was helpful to a number of hosts. Those who made contact with us have made progress in resolving badness and abuse issues - in one particular case, hosting badness has decreased by up to 90%.

• Research continues into the growing trend of dedicated “Crime Servers”, to be released as a series of supplements to the report. One recent example, Troyak and its peers, will highlight what action can be taken to combat this issue.

The ‘Top 50 Bad Hosts’ report also explores the implications of criminal involvement in terms of global security. It should act as a benchmark for law enforcement agencies, Internet crime monitoring bodies and the Internet community as a whole.

The security and wider internet community can play an active role in calling for more stringent enforcement of abuse policies. The power of community action should not be underestimated, as illustrated in the recent exposure and demise of the malware serving host Troyak.

Organized gangs of cybercriminals can, and do, take advantage of system vulnerabilities and weaknesses which, unfortunately, can sometimes be under the protection of legitimate businesses.

Credit should be given where it is due, however, and we whole-heartedly support the vast majority of hosting providers who do a good job in keeping cybercriminals at bay. For this reason we also highlight the ‘Top 10 Good Hosts’, an accolade that I hope the qualifying hosts will appreciate when so much about security is given a negative perspective.

Please note the quantitative analysis of each of the 34,748 ASes can be viewed on SiteVet.com.

Jart Armin


1. Editor’s Note

In December 2009, we introduced the HE Index as a numerical representation of the ‘badness’ of an Autonomous System (AS). Although generally well-received by the community, we have since received many constructive questions, some of which we will attempt to answer here.

Why doesn’t the list show absolute badness instead of proportional badness?

A core characteristic of the index is that it is weighted by the size of the allocated address space of the AS, and for this reason it does not represent the total bad activity that takes place on the AS. Statistics of total badness would, undoubtedly, be useful for webmasters and system administrators who want to limit their routing traffic, but the HE Index is intended to highlight security malpractice among many of the world’s internet hosting providers, which includes the loose implementation of abuse regulations.

Shouldn’t larger organizations be responsible for re-investing profits in better security regulation?

The HE Index gives higher weighting to ASes with smaller address spaces, but this relationship is not linear. We have used an “uncertainty factor”, or Bayesian factor, to model this responsibility, which boosts figures for larger address spaces. The critical address size has been increased from 10,000 to 20,000 in this report to further enhance this effect.

If these figures are not aimed at webmasters, at whom are they targeted?

The reports are recommended reading for webmasters wanting to gain a vital understanding of what is happening in the world of information security beyond their daily lives. Our main goal, though, is to raise awareness about the source of security issues. The HE Index quantifies the extent to which organizations allow illegal activities to occur - or rather, fail to prevent it.

Why do these hosts allow this activity?

It is important to state that by publishing these results, HostExploit does not claim that the hosting providers listed knowingly consent to the illicit activity carried out on their servers.

-------------------------------------------

Further feedback is warmly welcomed: admin@hostexploit.com


2. The Top 50 - June 2010

HE Rank  HE Index  AS number  AS name  Country  # of IPs
1 307.5 21740 DemandMedia AS DemandMedia US 12,544
2 262.8 29073 ECATEL-AS AS29073, Ecatel Network NL 10,496
3 260.5 29106 VOLGAHOST-AS PE Bondarenko Dmitriy Vladimirovich RU 256
4 180.9 41947 WEBALTA-AS OAO Webalta RU 13,312
5 179.6 11798 BLUEHOST-AS - Bluehost Inc. US 49,152
6 167.8 45899 VNPT-AS-VN VNPT Corp VN 1,785,856
7 167.8 46475 LIMESTONENETWORKS - Limestone Networks, Inc. US 57,344
8 166.6 16138 INTERIAPL INTERIA.PL Autonomous System PL 3,072
9 165.8 28299 CYBERWEB NETWORKS LTDA BR 9,216
10 165.7 21844 THEPLANET-AS - ThePlanet.com Internet Services, Inc. US 1,534,464
11 163.4 39150 VLTELECOM-AS VLineTelecom LLC Moscow, Russia RU 5,632
12 161.5 33182 DIMENOC---HOSTDIME - HostDime.com, Inc. US 21,504
13 156.1 24560 AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services IN 1,548,800
14 151.6 10297 COLUMBUSNAP - The Columbus Network Access Point, Inc. US 90,112
15 149.8 16276 OVH OVH FR 412,672
16 149.5 4134 CHINANET-BACKBONE No.31,Jin-rong Street CN 95,976,768
17 148.6 29182 ISPSYSTEM-AS ISPsystem Autonomous System RU 35,328
18 146.1 24940 HETZNER-AS Hetzner Online AG RZ DE 371,456
19 141.0 28753 NETDIRECT AS NETDIRECT Frankfurt, DE DE 108,544
20 139.7 6849 UKRTELNET JSC UKRTELECOM, UA 1,014,016
21 139.0 42953 MOSCOWCAPITALBANK-AS Bank Moscowskiy Kapital Ltd. RU 512
22 138.9 36057 WEBAIR-AMS Webair Internet Development Inc US 24,320
23 138.6 32181 ASN-ECOMD-COLOQUEST - Ecomdevel, LLC US 37,120
24 137.8 16265 LEASEWEB LEASEWEB AS NL 227,840
25 136.5 31252 STARNET-AS StarNet Moldova MD 108,544
26 136.4 15244 ADDD2NET-COM-INC-DBA-LUNARPAGES - Lunar Pages US 43,776
27 135.0 44565 VITAL VITAL TEKNOLOJI TR 22,016
28 134.9 21788 NOC - Network Operations Center Inc. US 212,992
29 134.6 32613 IWEB-AS - iWeb Technologies Inc. CA 219,392
30 134.3 15169 GOOGLE - Google Inc. US 253,696
31 134.0 9829 BSNL-NIB National Internet Backbone IN 4,708,608
32 133.5 36351 SOFTLAYER - SoftLayer Technologies Inc. US 534,272
33 133.1 33626 OVERSEE-DOT-NET - Oversee.net US 4,096
34 130.4 16626 GNAXNET-AS - Global Net Access, LLC US 76,672
35 128.8 29873 BIZLAND-SD - The Endurance International Group, Inc. US 94,464
36 127.9 49544 INTERACTIVE3D-AS Interactive3D NL 57,600
37 125.8 27715 LocaWeb Ltda BR 49,664
38 125.3 32475 SINGLEHOP-INC - SingleHop US 198,016
39 125.1 39392 SUPERNETWORK-AS SuperNetwork s.r.o. CZ 33,792
40 124.9 29671 SERVAGE Servage GmbH DE 12,288
41 124.7 46844 ST-BGP - SHARKTECH INTERNET SERVICES US 64,576
42 122.9 39570 LOOPIA Loopia AB SE 768
43 119.6 34305 EUROACCESS Euroaccess Global Autonomous System NL 37,888
44 119.6 41126 CENTROHOST-AS JSC Centrohost RU 4,096
45 119.1 6697 BELPAK-AS BELPAK BY 744,448
46 118.1 30058 ACTIVO-SYSTEMS-AS30058 ACTIVO-SYSTEMS-AS30058 US 159,744
47 116.6 37943 CNNIC-GIANT ZhengZhou GIANT Computer Network Technology CN 4,096
48 116.2 6877 AS6877 Utel Mobile Internet Service ASN UA 270,336
49 115.4 42560 BA-GLOBALNET-AS GlobalNET Bosnia BA 20,736
50 114.0 35908 VPLSNET - VPLS Inc. d US 583,680

3. 2010 Q1 to Q2 Comparison

A comparison of the ‘Top 50 Bad Hosts’ in March 2010 with June 2010 shows a consistent level of effective badness.


4. Top 10 Visual Breakdown

The above visual breakdown of the HE Index in the Top 10 Bad Hosts effectively shows two things.

Firstly, that weighting ensures that the make up of the HE Index is a balanced measurement, as no particular source of ‘badness’ dominates among the majority of the hosts.

Secondly, it demonstrates the breakdown of the HE Index for each specific AS in the Top 10, which shows us why it is ranked so highly.

For instance, it can be seen that AS21740 DemandMedia (USA) is ranked #1 due to its exceptionally high concentrations of badware, in addition to botnet C&C servers.

AS29073 Ecatel (NL) is at rank #2 in the Index due to a range of issues; particularly spam, exploit servers and infected web sites.

Further, we can see that AS29106 VolgaHost (Russia) is a suspected crime server, due to its very high number of Zeus servers on a small allocated prefix, i.e. 256 IPs.


5. Country Analysis

Columns: Hosts in Top 50; Country; Total IPs within Top 50; Total Index; Average Index; then the average index by category: Infected web sites, Zeus servers, Badware, C&C servers, Phishing servers, Exploit servers, Current events, Spam.

Hosts  Country  Total IPs  Total Index  Avg Index  Infected  Zeus  Badware  C&C  Phishing  Exploit  Current events  Spam
19 UNITED STATES 4,052,544 2,824.8 148.7 163.0 136.6 230.9 199.9 197.1 238.5 135.8 44.8
6 RUSSIA 59,136 1,011.9 168.6 299.1 535.5 157.5 126.2 0.2 274.9 116.4 20.2
4 NETHERLANDS 333,824 648.0 162.0 392.9 197.2 170.1 95.5 50.2 143.7 142.8 117.3
3 GERMANY 492,288 411.9 137.3 215.3 172.7 238.0 93.4 130.4 200.6 115.8 43.1
2 UKRAINE 1,284,352 256.0 128.0 101.9 0.0 102.4 51.2 0.0 54.0 100.6 310.9
2 BRAZIL 58,880 291.6 145.8 104.4 0.1 150.8 345.2 465.7 187.9 106.0 51.4
2 INDIA 6,257,408 290.1 145.1 100.2 0.0 100.2 0.0 0.0 51.0 100.0 401.9
2 CHINA 95,980,864 266.1 133.0 114.9 64.1 245.7 222.9 69.0 229.7 128.4 60.1
1 FRANCE 412,672 149.8 149.8 157.2 141.0 219.5 115.5 270.5 202.5 119.3 88.8
1 VIETNAM 1,785,856 167.8 167.8 0.0 0.0 82.0 0.0 0.0 0.0 100.1 557.6
1 POLAND 3,072 166.6 166.6 105.9 0.3 232.0 0.2 0.2 182.4 949.6 5.4
1 MOLDOVA 108,544 136.5 136.5 279.7 441.0 126.2 0.0 0.0 0.2 128.1 90.4
1 TURKEY 22,016 135.0 135.0 244.5 261.4 147.6 269.3 0.1 145.6 130.7 6.5
1 CANADA 219,392 134.6 134.6 114.3 142.1 142.1 136.0 254.7 211.9 110.4 89.4
1 CZECH REPUBLIC 33,792 125.1 125.1 104.7 143.3 316.9 122.4 0.1 206.7 116.1 34.0
1 SWEDEN 768 122.9 122.9 107.7 0.3 133.9 323.3 0.3 553.4 115.2 5.1
1 BELARUS 744,448 119.1 119.1 100.2 0.0 100.7 0.0 0.0 106.5 100.1 285.4
1 BOSNIA HERZ 20,736 115.4 115.4 213.6 542.3 110.3 0.1 0.1 0.5 104.3 13.3
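The first five columns of the country table are a straight aggregation of the Top 50 list in section 2: count of hosts per country, their combined IP allocation, and the sum and mean of their HE Index values. The following Python is an added example (not HostExploit's own tooling) that parses the Top 50 rows as they appear on the page and rebuilds those columns, so a reader can confirm the table against the list; the row layout it assumes (rank, index, ASN, free-text name, two-letter country code, comma-grouped IP count) is taken from the table above, and the sort order is this example's choice. Totals agree with the printed table to within the rounding of the published indexes (e.g. Russia sums to 1,012.0 against a printed 1,011.9).

```python
import re
from collections import defaultdict, namedtuple

# Constructed input: the 50 rows of the "Top 50 - June 2010" table in section 2,
# copied as plain text in the same column order (rank, index, ASN, name, country, IPs).
TOP50_TEXT = """
1 307.5 21740 DemandMedia AS DemandMedia US 12,544
2 262.8 29073 ECATEL-AS AS29073, Ecatel Network NL 10,496
3 260.5 29106 VOLGAHOST-AS PE Bondarenko Dmitriy Vladimirovich RU 256
4 180.9 41947 WEBALTA-AS OAO Webalta RU 13,312
5 179.6 11798 BLUEHOST-AS - Bluehost Inc. US 49,152
6 167.8 45899 VNPT-AS-VN VNPT Corp VN 1,785,856
7 167.8 46475 LIMESTONENETWORKS - Limestone Networks, Inc. US 57,344
8 166.6 16138 INTERIAPL INTERIA.PL Autonomous System PL 3,072
9 165.8 28299 CYBERWEB NETWORKS LTDA BR 9,216
10 165.7 21844 THEPLANET-AS - ThePlanet.com Internet Services, Inc. US 1,534,464
11 163.4 39150 VLTELECOM-AS VLineTelecom LLC Moscow, Russia RU 5,632
12 161.5 33182 DIMENOC---HOSTDIME - HostDime.com, Inc. US 21,504
13 156.1 24560 AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services IN 1,548,800
14 151.6 10297 COLUMBUSNAP - The Columbus Network Access Point, Inc. US 90,112
15 149.8 16276 OVH OVH FR 412,672
16 149.5 4134 CHINANET-BACKBONE No.31,Jin-rong Street CN 95,976,768
17 148.6 29182 ISPSYSTEM-AS ISPsystem Autonomous System RU 35,328
18 146.1 24940 HETZNER-AS Hetzner Online AG RZ DE 371,456
19 141.0 28753 NETDIRECT AS NETDIRECT Frankfurt, DE DE 108,544
20 139.7 6849 UKRTELNET JSC UKRTELECOM, UA 1,014,016
21 139.0 42953 MOSCOWCAPITALBANK-AS Bank Moscowskiy Kapital Ltd. RU 512
22 138.9 36057 WEBAIR-AMS Webair Internet Development Inc US 24,320
23 138.6 32181 ASN-ECOMD-COLOQUEST - Ecomdevel, LLC US 37,120
24 137.8 16265 LEASEWEB LEASEWEB AS NL 227,840
25 136.5 31252 STARNET-AS StarNet Moldova MD 108,544
26 136.4 15244 ADDD2NET-COM-INC-DBA-LUNARPAGES - Lunar Pages US 43,776
27 135.0 44565 VITAL VITAL TEKNOLOJI TR 22,016
28 134.9 21788 NOC - Network Operations Center Inc. US 212,992
29 134.6 32613 IWEB-AS - iWeb Technologies Inc. CA 219,392
30 134.3 15169 GOOGLE - Google Inc. US 253,696
31 134.0 9829 BSNL-NIB National Internet Backbone IN 4,708,608
32 133.5 36351 SOFTLAYER - SoftLayer Technologies Inc. US 534,272
33 133.1 33626 OVERSEE-DOT-NET - Oversee.net US 4,096
34 130.4 16626 GNAXNET-AS - Global Net Access, LLC US 76,672
35 128.8 29873 BIZLAND-SD - The Endurance International Group, Inc. US 94,464
36 127.9 49544 INTERACTIVE3D-AS Interactive3D NL 57,600
37 125.8 27715 LocaWeb Ltda BR 49,664
38 125.3 32475 SINGLEHOP-INC - SingleHop US 198,016
39 125.1 39392 SUPERNETWORK-AS SuperNetwork s.r.o. CZ 33,792
40 124.9 29671 SERVAGE Servage GmbH DE 12,288
41 124.7 46844 ST-BGP - SHARKTECH INTERNET SERVICES US 64,576
42 122.9 39570 LOOPIA Loopia AB SE 768
43 119.6 34305 EUROACCESS Euroaccess Global Autonomous System NL 37,888
44 119.6 41126 CENTROHOST-AS JSC Centrohost RU 4,096
45 119.1 6697 BELPAK-AS BELPAK BY 744,448
46 118.1 30058 ACTIVO-SYSTEMS-AS30058 ACTIVO-SYSTEMS-AS30058 US 159,744
47 116.6 37943 CNNIC-GIANT ZhengZhou GIANT Computer Network Technology CN 4,096
48 116.2 6877 AS6877 Utel Mobile Internet Service ASN UA 270,336
49 115.4 42560 BA-GLOBALNET-AS GlobalNET Bosnia BA 20,736
50 114.0 35908 VPLSNET - VPLS Inc. d US 583,680
"""

# One row: rank, HE Index (one decimal), ASN, free-text name, two-letter country code, IP count with commas.
# The name is matched lazily so a row such as "... Frankfurt, DE DE 108,544" resolves to country DE.
ROW_RE = re.compile(r"^(\d+)\s+(\d+\.\d)\s+(\d+)\s+(.+?)\s+([A-Z]{2})\s+([\d,]+)$")

Host = namedtuple("Host", "rank he_index asn name country ips")

def parse_top50(text):
    hosts = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"row does not match the table layout: {line!r}")
        rank, idx, asn, name, cc, ips = m.groups()
        hosts.append(Host(int(rank), float(idx), int(asn), name, cc, int(ips.replace(",", ""))))
    return hosts

def country_summary(hosts):
    """Aggregate the Top 50 by country: host count, IPs in the Top 50, total and average HE Index."""
    by_cc = defaultdict(list)
    for h in hosts:
        by_cc[h.country].append(h)
    rows = []
    for cc, hs in by_cc.items():
        total = sum(h.he_index for h in hs)
        rows.append({"country": cc, "hosts": len(hs), "ips": sum(h.ips for h in hs),
                     "total_index": round(total, 1), "avg_index": round(total / len(hs), 1)})
    # Ordering is this example's choice: most hosts first, ties broken by total index.
    rows.sort(key=lambda r: (-r["hosts"], -r["total_index"]))
    return rows

if __name__ == "__main__":
    for r in country_summary(parse_top50(TOP50_TEXT)):
        print(f'{r["hosts"]:>2} {r["country"]} {r["ips"]:>11,} {r["total_index"]:>8.1f} {r["avg_index"]:>6.1f}')
```

Running the block prints one line per country; the United States row comes out as 19 hosts, 4,052,544 IPs and an average index of 148.7, exactly as printed above. The parser raises on any row that does not fit the layout rather than silently skipping it, which is the behaviour you want when re-keying published figures.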



6. The Good Hosts

HE Rank  HE Index  AS number  AS name  Country  # of IPs
34,000 0.382 5722 Universidad Nacional de Colombia COLOMBIA 67,072
33,014 0.632 18942 WEBHOSTPLUS-INC - WebHostPlus Inc UNITED STATES 32,768
6,911 3.927 12754 COOLNET Coolnet New Communication Provider ISRAEL 35,328
6,632 4.272 19956 TENNESSEE-NET - Bell South UNITED STATES 337,920
6,149 4.903 15626 ITLAS ITL Company (Kharkov, Ukraine) UKRAINE 8,192
5,478 6.112 20661 TURKMENTELECOM-AS TMtelecom ISP ASN TURKEY 5,376
6,792 4.105 16162 London Web Communications UNITED KINGDOM 8,192
34,142 0.364 17509 STARNET STARNET Co.,Ltd. JAPAN 71,680
7,270 3.434 33915 TNF-AS The Network Factory BV NETHERLANDS, THE 114,688

6.1. Why List Examples of Good Hosts?

It would be wrong to give the impression that service providers can only be judged in terms of badness. To give a balanced perspective we have pinpointed several examples of organizations with minimal levels of service violations. Safe and secure web site hosting environments are perfectly possible to achieve and should be openly acknowledged as an example to others.

That is why we have created a table of ‘good hosts’ and would like to commend those companies on their effective abuse controls and management.

This will be a regular feature of our ‘bad hosts’ reporting.

6.2. Selection Criteria

To conform to our definition of AS, ISP or colocation facility, organizations needed to control at least 5,000 individual IP addresses. Several hosting providers controlled less than this number. However, in this context, our research focuses mainly on larger providers which, it could be argued, should have the resources to provide a full range of proactive services, including 24-hour customer support, network monitoring and high levels of technical expertise.

We also only included those ASes that act primarily as public web or internet service providers, although we appreciate that such criteria are subjective.


7. Most Improved Hosts

Change  Old Index  New Index  AS number  AS name  Country  # of IPs
-90.9% 64.4 5.8 40260 TERRA-NETWORKS-MIAMI - Terra Networks Operations Inc. US 7,168
-87.2% 73.8 9.5 34848 COMENDO-AS Comendo A DK 11,008
-79.4% 80.6 16.6 43988 ABSERVER-AS Access Basic Server S.L. ES 2,048
-73.4% 51.1 13.6 20015 FullCom S.A. CL 8,192
-64.9% 151.5 53.1 31240 OLD-HT-SYSTEMS-AS JSC Hosting Telesystems RU 6,144
-59.9% 143.2 57.3 9680 HINETUSA HiNet Service Center in U.S.A TW 37,120
-59.7% 126.5 50.9 47781 ANSUA-AS PE Sergey Demin UA 512
-59.6% 101.1 40.9 35295 PETERHOST-PITER PeterHost.Ru Hosting Provider at SPb RU 3,072
-59.6% 71.5 28.9 34762 COMBELL-AS Combell group NV BE 26,112
-59.3% 78.3 31.9 15915 IBERCOM WORLD WIDE WEB IBERCOM ES 24,576

Many forms of badware can be inextricably linked, appearing as an intractable issue to some hosts. However, we applaud the efforts of the ASes in the above table - all have dramatically reduced their badness levels in the three months since our March 2010 report was published.

In addition to the above ASes, which have shown the largest percentage improvements in their respective HE Indexes, it is good to see that AS30407 Velcom (Canada), ranked at #1 in the December 2009 report, has dramatically reduced its badness levels yet again in this 2nd quarter to drop now to #143 with an HE index of 84.

Another welcome example for this quarter is AS36351 SOFTLAYER (USA):

#8 and an HE index of 164, in March 2010
Now improved to:
#32 and an HE index of 133, in June 2010

This demonstrates that raising awareness can trigger action. It shows it is possible for hosting providers to improve their performance in a relatively short period of time with better abuse activity.

Other large European ASes demonstrate significant falls in badness levels. From a large AS perspective this is particularly encouraging.


8. Bad Hosts by Topic

8.1. Infected Web Sites

HE Rank  HE Index  AS number  AS name, description  Country  # of IPs  Index /1000
2 262.8 29073 ECATEL-AS AS29073, Ecatel Network NL 10,496 910.6
3 260.5 29106 VOLGAHOST-AS PE Bondarenko Dmitriy Vladimirovich RU 256 656.7
50 114.0 35908 VPLSNET - VPLS Inc. d US 583,680 582.0
143 84.2 30407 VELCOM - Rcp.net CA 11,264 457.5
17 148.6 29182 ISPSYSTEM-AS ISPsystem Autonomous System RU 35,328 428.0
19 141.0 28753 NETDIRECT AS NETDIRECT Frankfurt, DE DE 108,544 392.2
11 163.4 39150 VLTELECOM-AS VLineTelecom LLC Moscow, Russia RU 5,632 359.8
357 65.4 38731 VTDC-AS-VN Vietel - CHT Compamy Ltd VN 25,856 311.4
113 90.7 49981 WORLDSTREAM WorldStream NL 11,520 289.3
305 68.4 47869 NETROUTING-AS Netrouting Data Facilities NL 6,912 287.9

‘Infected Web Sites’ is a general category where simultaneous forms of malicious activity can be present. Here, our own data, gathered from specific honeypots, is combined with data provided by MalwareURL on instances of malicious URLs found on individual ASes. MalwareURL’s information is itself an amalgam of a number of community-reported sources.

The results show a mixed outcome with large hosts and a number of smaller, suspected crime servers. ECATEL, AS29073, tops this list. There are 3 Russian and 3 Dutch ASes in the Top 10.


8.2. Spam

HE Rank  HE Index  AS number  AS name, description  Country  # of IPs  Index /1000
6 167.8 45899 VNPT-AS-VN VNPT Corp VN 1,785,856 557.6
13 156.1 24560 AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services IN 1,548,800 430.1
88 98.9 23682 PACENET-AS Broadband Pacenet India Limited IN 26,112 381.0
31 134.0 9829 BSNL-NIB National Internet Backbone IN 4,708,608 373.7
89 98.1 23860 ALLIANCE-GATEWAY-AS-AP Alliance Broadband Services IN 12,288 367.0
85 99.2 6400 Compañía Dominicana de Teléfonos, C. por A. - CODETEL UY 316,928 365.5
105 92.0 45769 DVOIS-IN No. 70, 2nd Floor, 9th Main, H.M.T. Main Road IN 25,600 342.4
104 92.0 45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited PK 1,080,320 334.0
81 100.9 10199 TATA-AS Tata Communications Ltd IN 466,816 318.2
20 139.7 6849 UKRTELNET JSC UKRTELECOM, UA 1,014,016 318.0

Our Top 10 spam results again indicate that spammers tend to prefer servers located in countries where regulation and monitoring are minimal. Spammers make use of fast flux servers and disposable crime servers, making ownership difficult to quantify. Spammers use tried and tested methods, and are quick to adapt to current media themes without needing new innovations, unlike other areas of cybercriminal activity.

The damage caused by a single spammer can be as great as, or sometimes greater than, that of a group and is, therefore, a difficult category to measure. For this reason, we used a combination of routing prefixes from respected commercial operation UCEPROTECT-Network, spam server information from academic researchers at Malicious Networks (FiRE) and community spam bot data from SudoSecure to provide a wide spread of spam instances. The result was a definitive list of the worst spam havens in the world.

Perhaps unsurprisingly, four of the ASes listed in the table above were also present in our Top 10 list of Bad Hosts.


8.3. Botnet C&C Servers

HE Rank  HE Index  AS number  AS name, description  Country  # of IPs  Index /1000
1 307.5 21740 DemandMedia AS DemandMedia US 12,544 929.1
22 138.9 36057 WEBAIR-AMS Webair Internet Development Inc US 24,320 502.1
9 165.8 28299 CYBERWEB NETWORKS LTDA BR 9,216 380.2
128 88.0 46636 NATCOWEB - NatCoWeb Corp. US 18,944 342.8
42 122.9 39570 LOOPIA Loopia AB SE 768 323.3
37 125.8 27715 LocaWeb Ltda BR 49,664 310.2
241 72.9 28271 DataCorpore Serviços e Representações BR 7,424 270.3
27 135.0 44565 VITAL VITAL TEKNOLOJI TR 22,016 269.3
100 92.3 11388 MAXIM - Peer 1 Dedicated Hosting US 135,168 254.1
47 116.6 37943 CNNIC-GIANT ZhengZhou GIANT Computer Network Technology CN 4,096 244.9

A disturbing trend has emerged since the last quarter report with the appearance of Botnet C&C Servers migrating towards larger hosts.

Our data returned a surprising result displaying the worst offending Botnet & C&C Serving host as AS21741 DemandMedia / eNom - the largest hosting/media provider in the U.S., a well-known, and apparently, reputable company.


8.4. Phishing

HE Rank  HE Index  AS number  AS name, description  Country  # of IPs  Index /1000
9 165.8 28299 CYBERWEB NETWORKS LTDA BR 9,216 931.3
7 167.8 46475 LIMESTONENETWORKS - Limestone Networks, Inc. US 57,344 766.8
5 179.6 11798 BLUEHOST-AS - Bluehost Inc. US 49,152 543.1
41 124.7 46844 ST-BGP - SHARKTECH INTERNET SERVICES US 64,576 469.1
14 151.6 10297 COLUMBUSNAP - The Columbus Network Access Point, Inc. US 90,112 440.9
18 146.1 24940 HETZNER-AS Hetzner Online AG RZ DE 371,456 391.0
77 102.1 13301 UNITEDCOLO-AS Autonomous System of unitedcolo.de DE 66,816 340.4
34 130.4 16626 GNAXNET-AS - Global Net Access, LLC US 76,672 318.4
35 128.8 29873 BIZLAND-SD - The Endurance International Group, Inc. US 94,464 288.4
159 81.4 25653 FORTRESSITX - FortressITX US 98,304 283.1

Phishing continues to be a cause for concern to banks and large corporations alike. The need to establish false credibility explains the dominance of Western countries in the Top 10 list for phishing. In fact our results show that 7 of the top 10 phishing hosts are based in the US.

The necessary malware can reside on the enterprise’s web site, or appear to via cross-site scripting or header redirects. Malware located on a server in the West minimizes both customers’ and target organizations’ suspicions.


8.5. Exploit Servers

HE Rank  HE Index  AS number  AS name, description  Country  # of IPs  Index /1000
236 73.2 18018 GAMEBUILDERS-AS-PH Gamebuilders Inc. PH 5,632 909.0
108 91.3 13100 Data Electronics Group, Data Exchange Centre IE 12,288 861.1
98 92.8 21607 DEPLOYLINUX - DeployLinux Consulting, Inc US 512 833.9
12 161.5 33182 DIMENOC---HOSTDIME - HostDime.com, Inc. US 21,504 603.1
4 180.9 41947 WEBALTA-AS OAO Webalta RU 13,312 554.4
42 122.9 39570 LOOPIA Loopia AB SE 768 553.4
301 68.7 14585 CIFNET - CIFNet, Inc. US 7,168 517.0
22 138.9 36057 WEBAIR-AMS Webair Internet Development Inc US 24,320 443.2
150 82.7 34221 QL-AS JSC QUICKLINE RU 6,144 389.0
102 92.2 40634 FIRSTLOOK-COM - FirstLook, Inc. US 512 375.8

It is important to note that “Exploit Servers” is possibly the most important category to be found in this report, in the analysis of malware, phishing, or badness as a whole. Added weighting was given to this sector.

Many hosts or commercial internet servers that deliver malware or undertake other malicious activity do so because they have been hacked externally. Useful information, victims’ identities and other illicitly gained booty are then directed back to these Exploit Servers using malware.

In contrast to spam hosts, Exploit Servers have until recently been entirely located in countries subject to lower levels of regulation. However, in this 2nd quarter of 2010 it should be noted that 50% of the top 10 in this sector are located in the US.


8.6. Current Events

HE Rank  HE Index  AS number  AS name, description  Country  # of IPs  Index /1000
8 166.6 16138 INTERIAPL INTERIA.PL Autonomous System PL 3,072 949.6
30 134.3 15169 GOOGLE - Google Inc. US 253,696 336.1
416 62.4 40263 FC2-INC - FC2 INC US 1,024 211.2
2 262.8 29073 ECATEL-AS AS29073, Ecatel Network NL 10,496 194.7
28 134.9 21788 NOC - Network Operations Center Inc. US 212,992 185.6
153 82.2 15149 EZZI-101-BGP - Access Integrated Technologies, Inc. US 28,672 182.8
114 90.7 41078 ANTAGUS-AS 1st Antagus Internet GmbH DE 6,400 154.1
16 149.5 4134 CHINANET-BACKBONE No.31,Jin-rong Street CN 95,976,768 152.1
54 112.1 6851 BKCNET "SIA" IZZI LV 49,152 150.4
898 45.3 40965 NET-UA-AS limited corp UA 256 149.0

The most up-to-date and fast-changing of attack exploits and vectors form the category of Current Events.

Here HostExploit’s own processes, including examples of MALfi (XSS/RCE/RFI/LFI), XSS attacks, clickjacking, counterfeit pharmas, Zeus (Zbot), Artro, SpyEye, and newly emerged exploit kits, form a key component of the data.

The vast array of techniques looked at in this category is reflected in this Top 10 Current Events sector, with this list containing some well-known names.


8.7. Botnet Hosting - Zeus

HE Rank  HE Index  AS number  AS name, description  Country  # of IPs  Index /1000
3 260.5 29106 VOLGAHOST-AS PE Bondarenko Dmitriy Vladimirovich RU 256 944.5
21 139.0 42953 MOSCOWCAPITALBANK-AS Bank Moscowskiy Kapital Ltd. RU 512 934.5
49 115.4 42560 BA-GLOBALNET-AS GlobalNET Bosnia BA 20,736 542.3
25 136.5 31252 STARNET-AS StarNet Moldova MD 108,544 441.0
11 163.4 39150 VLTELECOM-AS VLineTelecom LLC Moscow, Russia RU 5,632 438.5
4 180.9 41947 WEBALTA-AS OAO Webalta RU 13,312 431.9
96 93.6 50793 ALFAHOSTNET Alfa-Host LLP. KZ 256 416.9
242 72.9 41149 WEBTECH-AS WEB Technologies RU 256 416.9
197 77.6 2122 JSC PIOGLOBAL Asset Management, www.pioglobal.ru RU 256 311.3
208 76.2 48671 GROZA-AS Eugenia E. Groza MD 256 311.3

Cyber criminals manage networks of infected computers, otherwise known as zombies, to host botnets out of C&C servers. A single C&C server can manage some 250,000, or higher, slave machines. HostExploit focused, here, on the Zeus botnet as it remains the cheapest and most popular on the underground market.

This section should be considered in conjunction with Section 8.5 on Exploit Servers. In both instances, it is somewhat surprising to see large hosting providers such as DemandMedia and Interactive3D being infected with high concentrations of C&Cs.

Zeus botnet data (Zbot) is provided by the excellent Zeus Tracker service from abuse.ch.


8.8. Badware

HE Rank  HE Index  AS number  AS name, description  Country  # of IPs  Index /1000
1 307.5 21740 DemandMedia AS DemandMedia US 12,544 929.3
33 133.1 33626 OVERSEE-DOT-NET - Oversee.net US 4,096 555.5
123 89.1 9809 NOVANET Nova Network Co.Ltd CN 11,264 549.6
109 91.3 12996 DOMENESHOP Domeneshop AS NO 3,072 453.5
40 124.9 29671 SERVAGE Servage GmbH DE 12,288 401.8
79 101.6 29629 INETWORK-AS IEUROP AS FR 8,192 395.3
64 107.2 13727 ND-CA-ASN - NEXT DIMENSION INC CA 1,024 349.8
420 61.9 22489 CASTLE-ACCESS - Castle Access Inc US 41,216 330.4
39 125.1 39392 SUPERNETWORK-AS SuperNetwork s.r.o. CZ 33,792 316.9
5 179.6 11798 BLUEHOST-AS - Bluehost Inc. US 49,152 299.9

Badware fundamentally disregards how users might choose to employ their own computer. Examples of such software include spyware, malware, rogues, and deceptive adware, and it commonly appears in the form of free screensavers that surreptitiously generate advertisements, malicious web browser toolbars that take browsers to unexpected web pages, and keylogger programs that transmit personal data to malicious third parties.

The findings in this category are primarily based on StopBadware’s data, which is itself aggregated from Google, Sunbelt Software, and Team Cymru.


9. Crime Servers

9.1. Background - What Are Crime Servers?

Crime servers are by definition active dedicated accomplices to cybercrime, providing a platform for cyber criminals or cells within their own organization to mount cyber attacks. Crime servers cannot be excused on the grounds of being a victim of lax abuse policy enforcement but are active participants in the bad host process, sometimes acting as hosting providers or registrars themselves.

Examples of large versions of these have been seen over recent times and shown within earlier HostExploit reports, i.e. Atrivo (US), McColo (US), Real Host (Latvia). Also more recently in the example of Troyak. Interestingly the ones discovered within this current analysis and report are considerably smaller than these, with numbers of IPs ranging from just 256 to 1,024, while the majority of the top 50 bad hosts appear to be legitimate commercial enterprises.

9.2. Crime Servers or Bad Hosts?

The research contained within this report has been directed at identifying instances of bad hosts around the world to culminate in a league table of the ‘Top 50 Worst Hosts’, presuming that most of the hosting servers are legitimate internet service providers.

Essentially, the difference between a ‘crime server’ and a ‘bad host’ is more acutely seen within the motives of the owners; a crime server’s owners can be identified as being actively involved with the criminal activity being carried out on its network, whereas a ‘bad host’ can only be accused of having a poor abuse enforcement policy, lax or non-existent network monitoring, ‘turning a blind eye’ to web site activity or ignoring complaints about abuses from users.

9.2. Crime Servers - Currently Inactive (Not Announced)

AS number  Name  IPs  HE Rank
12604 CITYGAME-AS Kamushnoy Vladimir Vasulyovich 256 N/A
29371 GAZTRANZITSTROYINFO-AS LLC “Gaztransitstroyinfo” 256 N/A
42229 MARIAM-AS PP Mariam 1,024 N/A
44107 PROMBUDDETAL-AS Prombuddetal LLC 1,024 N/A
47560 VESTEH-NET-AS Vesteh LLC 1,024 N/A
47821 BOGONET-AS PE Syrovatko Igor Mykolayevish 256 N/A
49091 INTERFORUM-AS Interforum LTD 256 N/A
49093 BIGNESS-GROUP-AS Bigness Group Ltd. 512 N/A
49934 VVPN-AS PE Voronov Evgen Sergiyovich 256 N/A
50033 GROUP3-AS GROUP 3 LLC. 256 N/A
50215 TROYAK-AS Starchenko Roman Fedorovich 256 N/A
50369 VISHCLUB-AS Kanyovskiy Andriy Yuriyovich 1,024 N/A
50390 SMILA-AS Pavlenko Tetyana Oleksandrivna 256 N/A
50678 SAINTVPN 256 N/A

9.3. Crime Servers - Examples Currently Active

AS number  Name  IPs  HE Rank
29106 VOLGAHOST-AS PE Bondarenko Dmitriy Vladimirovich 256 3
44565 VITAL VITAL TEKNOLOJI 18,432 27
47434 FORTUNE-AS Fortune Science and Production Company 256 134


10. Conclusions

10.1. Conclusions

This report is a further undertaking to highlight the issues which create and allow cyber criminal activity to be hosted and served on the Internet. It should be stressed that HostExploit, the report’s authors, sponsors, and the now numerous hosts and volunteers who have helped in establishing this report, do not view the exposure of bad hosting and ISPs as a sole solution to the seemingly ever growing problem of cybercrime. However, providing a comparative and quantitative listing of hosts and ISPs with associated badness clearly contributes to a “who” and a “where” approach to comprehending cybercrime:

• Exposing comparative levels of badness found on Internet hosts, ISPs, and networks in this way highlights the integral part that hosts play in the cycle of cyber criminal activity.

• Such a report and the defined “HE Index” act as a consumer barometer for each of the 34,748 currently advertised and commercial ASes. It provides a definitive and quantitative analysis of the worst hosting and network culprits failing to prevent cyber criminal activity.

• The release of the Top 50 Bad Hosts reports has delivered a successful outcome, with some contacted hosts significantly decreasing their levels of abuse by 90%.

• The findings from this report will reinforce the need to demonstrate a willingness to ‘clean up’ systems when bad publicity is seen as harmful to business. The biggest success to date is illustrated by AS30407 Velcom, which was ranked as the #1 Bad Host in the December 2009 report and has dramatically reduced its badness levels by over 60 per cent over two successive quarters. After disclosure, the first steps towards action against abuses can be taken. It is encouraging to see a willingness to begin the process of ‘cleaning up’ known abuses, but as the new report shows there is still much work to be done.

• At worst host ranking #1, AS21740 DemandMedia / eNom (US) is carrying a wide range of badness. At #2, AS29073 Ecatel (NL), #1 in March 2010, continuously hosts large amounts of badware.

• The HE Index, therefore, has the ability to express a myriad of different internet malpractices in an easy to understand format. It expresses who is hosting the worst of these offences.

As originally shown in the December 2009 and March 2010 reports and only briefly covered within this report, the overall analysis further highlights a relatively small number of dedicated ‘Crime Servers’ and related ‘bullet proof’ hosting enterprises. A further supplementary disclosure of the worst of this type of criminal activity will be released in a new report from HostExploit which is to follow. Examples and results of actions against crime servers, such as Troyak and its peers, will be a feature.

10.2. Worst Culprits Within Tracked Sectors

Category            HE Rank  ASN    Name          Country
Infected Web Sites  2        29073  Ecatel        NL
Spam                6        45899  VNPT          VN
Botnet C&C Servers  1        21740  DemandMedia   US
Phishing            9        28299  Cyberweb      BR
Exploit Servers     236      18018  Gamebuilders  PH
HE Current Events   8        16138  Interia.pl    PL
Zeus Botnet C&Cs    3        29106  Volgahost     RU
Badware             1        21740  DemandMedia   US

The above figures illustrate that the distribution of bad servers is a global problem and is not focused in just one area. We have also found that the choice of attack vector for the cyber criminal depends highly on the nature of the objective. For example, the distribution of malware is preferably hosted in the western world to avoid suspicion, while spam servers are usually kept in countries with laxer controls by internet providers, where obvious spikes in server usage are less likely to be challenged.



Appendix 1. Glossary

AS (Autonomous System):

An AS is a unit of routing policy, either a single network or a group of networks that is controlled by a common network administrator on behalf of an entity such as a university, a business enterprise, or Internet service provider. An AS is also sometimes referred to as a routing domain. Each autonomous system is assigned a globally unique number called an Autonomous System Number (ASN).

Badware:

Software that fundamentally disregards a user’s choice regarding how his or her computer will be used. Types of badware are spyware, malware, or deceptive adware. Common examples of badware include free screensavers that surreptitiously generate advertisements, malicious web browser toolbars that take your browser to different pages than the ones you expect, and keylogger programs that can transmit your personal data to malicious parties.

Blacklists:

In computing, a blacklist is a basic access control mechanism that allows access much like your ordinary nightclub: everyone is allowed in except people on the blacklist. The opposite of this is a whitelist, the equivalent of a VIP nightclub, which allows nobody in except members of the whitelist. As a sort of middle ground, a gray list contains entries that are temporarily blocked or temporarily allowed. Gray list items may be reviewed or further tested for inclusion in a blacklist or whitelist. Some communities and webmasters publish their blacklists for the use of the general public, such as Spamhaus and Emerging Threats.

Botnet:

Botnet is a term for a collection of software robots, or bots, that run autonomously and automatically. The term is now mostly associated with malicious software used by cyber criminals, but it can also refer to the network of infected computers using distributed computing software.

CSRF (Cross Site Request Forgery):

Also known as a “one click attack” or session riding: a link or script in a web page that causes the victim’s browser to send a request to a site where the victim is already authenticated, so that the site carries out an action the user did not intend using the browser’s stored session credentials.

DNS (Domain Name System):

DNS associates various information with domain names; most importantly, it serves as the “phone book” for the Internet by translating human-readable computer hostnames, e.g. www.example.com, into IP addresses, e.g. 208.77.188.166, which networking equipment needs to deliver information. DNS also stores other information, such as the list of mail servers that accept email for a given domain.

DNSBL:

Domain Name System Block List – a list of IP addresses or address ranges published as a DNS zone, usually queried by Internet Service Providers (ISPs) and mail servers to reject spam or block access to badware. A DNSBL of domain names is often called a URIBL (Uniform Resource Identifier Block List).

Exploit:

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended behaviour in computer software, hardware, or other electronic equipment. This frequently includes such things as gaining control of a computer system, privilege escalation, or a denial of service attack.

Hosting:

Usually refers to a computer (or a network of servers), connected to the Internet and running web server software, that stores the files of a web site. Your site is then said to be hosted.

IP (Internet Protocol):

IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and has the task of delivering data packets from the source host to the destination host based solely on their addresses.

ISP (Internet Service Provider):

A company or organization that has the equipment and public access to provide connectivity and services on the Internet for clients on a fee basis, e.g. email, web site serving, online storage.

LFI (Local File Inclusion):

A web application vulnerability in which an attacker manipulates a parameter used in a server-side file include or read so that the server discloses or executes a file already present on the server, e.g. configuration files or password hashes, which can then be cracked offline.

MALfi (Malicious File Inclusion):

A combination of RFI (remote file inclusion), LFI (local file inclusion), XSA (cross server attack), and RCE (remote code execution).



Malicious Links:

These are links which are planted on a site to deliberately send a visitor to a malicious site, e.g. a site which will plant viruses, spyware or any other type of malware, such as a fake security product, on a computer. These are not always obvious, as they can be planted within a feature of the site or masked to misdirect the visitor.

MX:

A mail exchanger record in DNS, naming the mail server(s) that accept and forward e-mail for a domain.

NS (Name Server):

Every domain name must have a primary name server (e.g. ns1.xyz.com) and at least one secondary name server (ns2.xyz.com etc.). This requirement aims to keep the domain reachable even if one name server becomes inaccessible.

Open Source Security:

The term is most commonly applied to the source code of software or data which is made available to the general public with relaxed or non-existent intellectual property restrictions. For Open Source Security this allows users to create user-generated software content and advice through incremental individual effort or through collaboration.

Pharming:

Pharming is an attack in which hackers aim to redirect a website’s traffic to another website, typically by poisoning DNS data or altering a victim’s hosts file, like cattle rustlers herding the herd in the wrong direction. The destination website is usually bogus.

Phishing:

Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information. Phishing is typically carried out using e-mail (where the communication appears to come from a trusted website) or an instant message, although phone contact has been used as well.

Registrars:

A domain name registrar is a company with the authority to register domain names, accredited by ICANN.

Remote File Inclusion (RFI):

A technique used to attack web sites by supplying a URL to a vulnerable include parameter so that the server fetches and executes code from a remote computer. With malicious intent, it can be combined with XSA to harm a web server.

Rogue Software:

Rogue security software is software that uses malware (malicious software) or malicious tools to advertise or install itself, or to force computer users to pay for removal of nonexistent spyware. Rogue software will often install a trojan horse to download a trial version, or it will execute other unwanted actions.

Rootkit:

A set of software tools used by a third party after gaining access to a computer system in order to conceal the alteration of files, or processes being executed by the third party, without the user’s knowledge.

Sandnet:

A sandnet is a closed environment on a physical machine in which malware can be monitored and studied. It emulates the internet in a way that the malware cannot tell it is being monitored, which makes it very useful for analyzing how a piece of malware works. A honeynet is the same sort of concept but aimed at the attackers themselves, monitoring their methods and motives.

Spam:

Spam is the term widely used for unsolicited e-mail. Spam is junk mail on a mass scale and is usually sent indiscriminately to hundreds or even hundreds of thousands of inboxes simultaneously.

Trojans:

Also known as a Trojan horse, this is software that appears to perform, or actually performs, a desired task for a user while performing a harmful task without the user’s knowledge or consent.

Worms:

A malicious software program that can reproduce itself and spread from one computer to another over a network. The difference between a worm and a computer virus is that a virus attaches itself to a computer program to spread and requires an action by a user, while a worm is self-contained and can send copies of itself across a network.

XSA (Cross Server Attack):

A network security intrusion method which allows a malicious client to compromise a website or service on a server by using other services implemented on the same server that may not be secure.
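The DNSBL and URIBL entries above describe block lists that are published as DNS zones. The following added example, which is not part of the HostExploit glossary, shows how such a list is actually consulted: the query name for an IP address is built from the reversed octets, the query name for a domain from the domain itself, and the answer is a 127.0.0.0/8 address whose meaning is list specific. The zone names dnsbl.example and uribl.example and the answer records are hypothetical, so the code runs offline without touching any real list.

```python
"""DNSBL / URIBL query construction and answer interpretation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
# Some list operators reserve a sub-range for query error codes rather than
# listings; 127.255.255.0/24 is used here as the assumed error range.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")


@dataclass
class Verdict:
    status: str        # "not_listed", "listed" or "error"
    codes: List[str]   # the 127.x.x.x return codes seen, if any


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name to look up for an IPv4 address in a DNSBL zone.

    DNSBLs are keyed by the address with its octets reversed (as PTR records
    are under in-addr.arpa), so 192.0.2.10 in dnsbl.example is queried as
    10.2.0.192.dnsbl.example.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        # IPv6 lists use a nibble-reversed scheme; refuse rather than emit a
        # name no list will understand.
        raise ValueError("only IPv4 addresses are handled here")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def uribl_query_name(domain: str, zone: str) -> str:
    """Name to look up for a domain in a URIBL zone: the normalised domain
    prepended to the zone, e.g. bad.example.com -> bad.example.com.uribl.example."""
    name = domain.strip().rstrip(".").lower()
    if not name or any(not label for label in name.split(".")):
        raise ValueError(f"malformed domain name: {domain!r}")
    return f"{name}.{zone}"


def interpret_answer(a_records: Iterable[str]) -> Verdict:
    """Turn the A records returned for a block-list query into a verdict.

    NXDOMAIN (no records) means not listed. A record inside 127.0.0.0/8 means
    listed, with the low octets encoding the reason on a per-list basis.
    Anything outside 127/8 is NOT a listing: it is typically a wildcarding or
    hijacked resolver, and treating it as a hit would make every lookup
    appear positive.
    """
    codes = []
    for rec in a_records:
        addr = ipaddress.ip_address(rec)
        if addr.version == 4 and addr in LISTED_RANGE:
            codes.append(addr)
    if not codes:
        return Verdict("not_listed", [])
    codes.sort()
    if any(c in ERROR_RANGE for c in codes):
        return Verdict("error", [str(c) for c in codes])
    return Verdict("listed", [str(c) for c in codes])


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "dnsbl.example"))
    print(uribl_query_name("Bad.Example.COM.", "uribl.example"))
    # Constructed answers standing in for what a resolver would return.
    print(interpret_answer(["127.0.0.2", "127.0.0.4"]))
    print(interpret_answer(["198.51.100.7"]))   # wildcard hijack: not a listing
```

In practice the query itself is an ordinary A lookup of the returned name against a resolver that the list operator permits; checking the answer against 127.0.0.0/8 before trusting it is the step most often omitted in home-grown filters.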



Appendix 2
HE Index Calculation Methodology
July 2010

1 Motivation
We aim to provide a simple and accurate method of representing the history of badness on an Autonomous
System (AS). Badness in this context comprises malicious and suspicious server activities such as hosting or
spreading: malware and exploits; spam emails; MALfi attacks (RFI/LFI/XSA/RCE); command & control
centers; phishing attacks.

We call this the HE Index: a number from 0 (no badness) to 1,000 (maximum badness). Desired properties of the HE Index include:
1. Calculations should be drawn from multiple sources of data, each representing a different form of badness, in order to reduce the effect of any data anomalies.
2. Each calculation should take into account some objective size of the AS, so that the index is not unfairly
in favor of the smallest ASes.
3. No AS should have an HE Index value of 0, since it cannot be said with certainty that an AS has zero
badness, only that none has been detected.
4. Only one AS should be able to hold the maximum HE Index value of 1,000 (if any at all).

2 Data sources
Data is taken from the following 11 sources:

#    Source                Data                Weighting
1.   UCEPROTECT-Network    Spam IPs            Very high
2.   MalwareURL            Malicious URLs      High
3.   Abuse.ch              ZeuS servers        High
4.   StopBadware           Badware instances   Very high
5.   SudoSecure            Spam bots           Medium
6.   Malicious Networks    C&C servers         High
7.   Malicious Networks    Phishing servers    Medium
8.   Malicious Networks    Exploit servers     Medium
9.   Malicious Networks    Spam servers        Low
10.  HostExploit           Current events      High
11.  hpHosts               Malware instances   High

Table 1: Data sources

Spam data from UCEPROTECT-Network and ZeuS data from Abuse.ch are cross-referenced with Team Cymru.

Data from StopBadware is itself an amalgam of data from Google, Sunbelt Software and NSFOCUS.

Using the data from this wide variety of sources fulfils desired property #1.

Sensitivity testing was carried out, to determine the range of specific weightings that would ensure known
bad ASes would appear in sensible positions. The exact value of each weighting within its determined range
was then chosen at our discretion, based on our researchers’ extensive understanding of the implications of
each source. This approach ensured that results are as objective as realistically possible, whilst limiting the
necessary subjective element to a sensible outcome.

3 Bayesian weighting
How do we fulfil desired property #2? That is, how should the HE Index be calculated in order to fairly reflect the size of the AS? An initial thought is to divide the number of recorded instances by some value which represents the size of the AS. Most obviously, we could use the number of domains on each AS as the value to represent its size, but it is possible for a server to carry out malicious activity without a single registered domain, as was the case with McColo. Therefore, it would seem more pragmatic to use the size of the IP range (i.e. number of IP addresses) registered to the AS through the relevant Regional Internet Registry.

However, by calculating the ratio of number of instances per IP address, isolated instances on small servers may produce distorted results. Consider the following example:

Average spam instances in sample set: 50
Average IPs in sample set: 50,000
Average ratio: 50 / 50,000 = 0.001
Example spam instances: 2
Example IPs: 256
Example ratio: 2 / 256 = 0.0078125

In this example, using a simple calculation of number of instances divided by number of IPs, the ratio is almost eight times higher than the average ratio. However, there are only two recorded instances of spam; the ratio is so high only because of the low number of IP addresses on this particular AS. These may well be isolated instances, therefore we need to move the ratio towards the average ratio, and more so the lower the number of IPs.

For this purpose, we use the Bayesian ratio of number of instances to number of IP addresses. We calculate the Bayesian ratio as:

$$B = \frac{M}{M + C} \cdot \frac{N}{M} + \frac{C}{M + C} \cdot \frac{N_a}{M_a} \qquad (1)$$

where:
B: Bayesian ratio
M: number of IPs allocated to the AS
M_a: average number of IPs allocated in the sample set
N: number of recorded instances
N_a: average number of recorded instances in the sample set
C: IP weighting = 10,000

The process of moving the ratio towards the average ratio has the effect that no AS will have a Bayesian
ratio of zero, due to an uncertainty level based on the number of IPs. This meets the requirements of desired
property #3.

4 Calculation
For each data source, three factors are calculated.

To place any particular Bayesian ratio on a scale, we divide it by the maximum Bayesian ratio in the sample set, to give Factor C:

$$F_C = \frac{B}{B_m} \qquad (2)$$

where:
B_m: maximum Bayesian ratio in the sample set

Sensitivity tests were run which showed that in a small number of cases, Factor C favors small ASes too strongly. Therefore, it is logical to include a factor that uses the total number of instances, as opposed to the ratio of instances to size. This makes up Factor A:

$$F_A = \min\left\{\frac{N}{N_a},\ 1\right\} \qquad (3)$$

This follows the same format as Factor C, and should only have a low contribution to the Index, since it favors small ASes, and is used only as a compensation mechanism for rare cases of Factor C.

If one particular AS has a number of instances significantly higher than that of any other AS in the sample, then Factor A would be very small, even for the AS with the second highest number of instances. This is not desired, since the value of one AS is distorting the value of Factor A. Therefore, as a compensation mechanism for Factor A (the ratio to the average number of instances) we use Factor B, the ratio to the maximum instances less the average instances:

$$F_B = \frac{N}{N_m - N_a} \qquad (4)$$

where:
N_m: maximum number of instances in the sample set

Factor A is limited to 1; Factors B and C are not limited to 1, since they cannot exceed 1 by definition. Only one AS (if any) can hold maximum values for all three factors, therefore this limits the HE Index to 1,000 as specified in desired property #4.

The index for each data source is then calculated as:

$$I = (F_A \cdot 10\% + F_B \cdot 10\% + F_C \cdot 80\%) \cdot 1000 \qquad (5)$$

The Factor A, B and C weightings (10%, 10%, 80% respectively) were chosen based on sensitivity and regression testing. Low starting values for Factor A and Factor B were chosen, since we aim to limit the favoring of small ASes (property #2).

The overall HE Index is then calculated as:

$$H = \frac{\sum_{i=1}^{11} I_i \cdot w_i}{\sum_{i=1}^{11} w_i} \qquad (6)$$

where:
w_i: source weighting (3 = high, 2 = medium, 1 = low)
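The methodology above, equations (1) to (6), carried through in code as an added worked example. This is example code written for this edit, not HostExploit's own software. The sample set of four ASes (the RFC 5398 documentation ASNs 64496 to 64499) and the two sources are constructed; the only figures taken from the text are the worked numbers 50 / 50,000 / 2 / 256 and C = 10,000. Table 1's "Very high" weighting has no numeric value on the page, so the sample uses only the 3/2/1 scale. One consequence of (4) as printed is visible in the output: the AS holding N_m receives F_B = N_m/(N_m − N_a), which exceeds 1 whenever N_a > 0, so its per-source index can exceed 1,000 (the spam leader in the sample scores 1,050). The code implements the equations as written rather than clamping.

```python
"""Worked implementation of the HE Index methodology (equations 1-6); added example."""
from dataclasses import dataclass, field
from typing import Dict, List

C_IP_WEIGHTING = 10_000  # C in equation (1), as given in the text


@dataclass
class ASRecord:
    asn: int
    ips: int                                                   # M: IPs allocated to the AS
    instances: Dict[str, int] = field(default_factory=dict)    # N per data source


def naive_ratio(n: int, m: int) -> float:
    """Instances per IP without smoothing: the approach the text rejects."""
    return n / m


def bayesian_ratio(n: int, m: int, n_avg: float, m_avg: float,
                   c: int = C_IP_WEIGHTING) -> float:
    """Equation (1): the observed ratio N/M pulled towards the sample average Na/Ma.

    The observed ratio carries weight M/(M+C), so a 256-IP AS keeps only about
    2.5% of its own ratio and inherits the rest from the average, while a
    100,000-IP AS keeps about 91%. The second term is always positive, so B is
    never zero (desired property #3).
    """
    return (m / (m + c)) * (n / m) + (c / (m + c)) * (n_avg / m_avg)


def source_index(records: List[ASRecord], source: str,
                 c: int = C_IP_WEIGHTING) -> Dict[int, float]:
    """Equations (2)-(5): per-AS index I for one data source on a 0-1,000 scale."""
    ns = {r.asn: r.instances.get(source, 0) for r in records}
    n_avg = sum(ns.values()) / len(records)
    m_avg = sum(r.ips for r in records) / len(records)
    n_max = max(ns.values())
    b = {r.asn: bayesian_ratio(ns[r.asn], r.ips, n_avg, m_avg, c) for r in records}
    b_max = max(b.values())

    out = {}
    for r in records:
        n = ns[r.asn]
        f_a = min(n / n_avg, 1.0) if n_avg > 0 else 0.0        # (3), explicitly capped at 1
        f_b = n / (n_max - n_avg) if n_max > n_avg else 0.0    # (4), no cap: > 1 for the N_m holder
        f_c = b[r.asn] / b_max if b_max > 0 else 0.0           # (2), at most 1 since B <= B_m
        out[r.asn] = (0.10 * f_a + 0.10 * f_b + 0.80 * f_c) * 1000  # (5)
    return out


def he_index(records: List[ASRecord], weights: Dict[str, int],
             c: int = C_IP_WEIGHTING) -> Dict[int, float]:
    """Equation (6): source-weighted mean of the per-source indices."""
    per_source = {s: source_index(records, s, c) for s in weights}
    total_w = sum(weights.values())
    return {r.asn: sum(per_source[s][r.asn] * w for s, w in weights.items()) / total_w
            for r in records}


# Constructed sample set (documentation ASNs): IP counts average 50,000 and the
# spam counts average 50, so the 256-IP / 2-instance AS reproduces the text's example.
SAMPLE = [
    ASRecord(64496, ips=256,     instances={"spam": 2,   "zeus": 0}),
    ASRecord(64497, ips=50_000,  instances={"spam": 150, "zeus": 0}),
    ASRecord(64498, ips=100_000, instances={"spam": 48,  "zeus": 4}),
    ASRecord(64499, ips=49_744,  instances={"spam": 0,   "zeus": 0}),
]
WEIGHTS = {"spam": 3, "zeus": 2}  # 3 = high, 2 = medium on the text's scale

if __name__ == "__main__":
    print("naive 2/256 is", round(naive_ratio(2, 256) / naive_ratio(50, 50_000), 2),
          "x the average ratio")
    print("Bayesian ratio for that AS:", bayesian_ratio(2, 256, 50, 50_000))
    for asn, h in sorted(he_index(SAMPLE, WEIGHTS).items(), key=lambda kv: -kv[1]):
        print(f"AS{asn}: HE Index {h:7.1f}")
```

Two things the numbers show that the prose does not: the smoothed ratio for the 256-IP AS is 12/10,256 (about 0.00117), so it lands close to the sample average of 0.001 rather than eight times above it; and an AS with zero recorded instances still receives a positive Bayesian ratio and hence a positive index, which is the intended effect of property #3 but also means tiny ASes with nothing recorded are never scored at the bottom of the scale.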