Top 50 Bad Hosts 201006
Q2 2010
TOP 50
Bad Hosts and Networks
2nd Quarter 2010
Table of Contents
Introduction
Appendix 1: Glossary
Appendix 2: Methodology
Introduction

HostExploit presents the second quarter 2010 report in our ongoing series on the Top 50 Bad Hosts and Networks.

HostExploit has used its own sustained research and data-gathering sources together with reputable Open Source security data on: badware, infected web sites, spammers, phishing, malware, botnet C&Cs, ZeuS botnet infections, and exploit serving to compile a list of the worst Internet hosting operators around the world.

Analysis of 34,748 public ASes (Autonomous Systems), exchanging routing information with each other over the public Internet, provides the backbone for this research. The resulting information has been analyzed using a unique combination of actuarially-weighted mathematical equations and focuses on the worst aspects of cyber-criminal activity in order to create a bespoke ‘badness’ rating. This takes into account the size of each network in question, recognizing that larger servers offer greater potential for distributing malware, but also that such larger servers are under more pressure to undertake effective monitoring. The result is an easily understandable measurement of damage caused to internet users by ‘bad’ activity. We call this measurement the HE Index.

Using data gathered from across a far-reaching range of respected data sources gives a more accurate snapshot of ‘badness’ than other existing scoring systems. Tracking only URLs does not produce fail-safe data. For example, McColo had few active domains and did not present as a cybercriminal server on URL tracking lists.

For further details about the methodology behind the HE Index, please refer to the appropriate section.

The HE Index is presented in an easy to understand format:

• An HE Index of 25.0 or below represents a low state of badness - approximately 5.8% of ASes analyzed are above this figure.

• We see this as a positive sign meaning that: 94.2% of the world’s commercial ASes, ISPs and servers are operating effective abuse procedures with a low tolerance for hosting badness.

• Within the Top 50 Bad Hosts, rank #1 (Demand Media / eNom) has an HE Index of 307.5, and rank #50 has an HE Index of 115.4.

• Disclosure in the ‘Q1 Top 50 Bad Hosts’ report was helpful to a number of hosts. Those who made contact with us have made progress in resolving badness and abuse issues - in one particular case, hosting badness has decreased by up to 90%.

• Research continues into the growing trend of dedicated “Crime Servers”, to be released as a series of supplements to the report. One recent example, Troyak and its peers, will highlight what action can be taken to combat this issue.

The ‘Top 50 Bad Hosts’ report also explores the implications of criminal involvement in terms of global security. It should act as a benchmark for law enforcement agencies, Internet crime monitoring bodies and the Internet community as a whole.

The security and wider internet community can play an active role in calling for more stringent enforcement of abuse policies.

The power of community action should not be underestimated, as illustrated in the recent exposure and demise of the malware serving host Troyak.

Organized gangs of cybercriminals can, and do, take advantage of system vulnerabilities and weaknesses which, unfortunately, can sometimes be under the protection of legitimate businesses.

Credit should be given where it is due, however, and we whole-heartedly support the vast majority of hosting providers who do a good job in keeping cybercriminals at bay. For this reason we also highlight the ‘Top 10 Good Hosts’, an accolade that I hope the qualifying hosts will appreciate when so much about security is given a negative perspective.

Please note the quantitative analysis of each of the 34,748 ASes can be viewed on SiteVet.com

Jart Armin
Editor’s Note

In December 2009, we introduced the HE Index as a numerical representation of the ‘badness’ of an Autonomous System (AS). Although generally well-received by the community, we have since received many constructive questions, some of which we will attempt to answer here.

Why doesn’t the list show absolute badness instead of proportional badness?

A core characteristic of the index is that it is weighted by the size of the allocated address space of the AS, and for this reason it does not represent the total bad activity that takes place on the AS. Statistics of total badness would, undoubtedly, be useful for webmasters and system administrators who want to limit their routing traffic, but the HE Index is intended to highlight security malpractice among many of the world’s internet hosting providers, which includes the loose implementation of abuse regulations.

If these figures are not aimed at webmasters, at whom are they targeted?

The reports are recommended reading for webmasters wanting to gain a vital understanding of what is happening in the world of information security beyond their daily lives. Our main goal, though, is to raise awareness about the source of security issues. The HE Index quantifies the extent to which organizations allow illegal activities to occur - or rather, fail to prevent it.

Why do these hosts allow this activity?

It is important to state that by publishing these results, HostExploit does not claim that the hosting providers listed knowingly consent to the illicit activity carried out on their servers.
2010 Q1 to Q2 Comparison
A comparison of the ‘Top 50 Bad Hosts’ in March 2010 with June 2010
shows a consistent level of effective badness
The above visual breakdown of the HE Index in the Top 10 Bad Hosts effectively shows two things.

Firstly, that weighting ensures that the make up of the HE Index is a balanced measurement as no particular source of ‘badness’ dominates among the majority of the hosts.

Secondly, it demonstrates the breakdown of the HE Index for each specific AS in the Top 10, which shows us why it is ranked so highly.

For instance, it can be seen that AS21740 DemandMedia (USA) is ranked #1 due to its exceptionally high concentrations of badware, in addition to botnet C&C servers.

AS29073 Ecatel (NL) is at rank #2 in the Index due to a range of issues; particularly spam, exploit servers and infected web sites.

Further, we can see that AS29106 VolgaHost (Russia) is a suspected crime server, due to its very high number of Zeus servers on a small allocated prefix, i.e. 256 IPs.
Country Analysis
Many forms of badware can be inextricably linked, appearing as an intractable issue to some hosts. However, we applaud the efforts of the ASes in the above table - all have dramatically reduced their badness levels in the three months since our March 2010 report was published.

In addition to the above ASes, which have shown the largest percentage improvements in their respective HE Indexes, it is good to see that AS30407 Velcom (Canada), ranked at #1 in the December 2009 report, has dramatically reduced its badness levels yet again in this 2nd quarter to drop now to #143 with an HE index of 84.

Another welcome example for this quarter is AS36351 SOFTLAYER (USA):

#8 and an HE index of 164, in March 2010
Now improved to:
#32 and an HE index of 133, in June 2010

This demonstrates that raising awareness can trigger action. It shows it is possible for hosting providers to improve their performance in a relatively short period of time with better abuse activity.

Other large European ASes demonstrate significant falls in badness levels. From a large AS perspective this is particularly encouraging.
Infected Web Sites

‘Infected Web Sites’ is a general category where simultaneous forms of malicious activity can be present. Here, our own data, gathered from specific honeypots, is combined with data provided by MalwareURL on instances of malicious URLs found on individual ASes. MalwareURL’s information is itself an amalgam of a number of community-reported sources.

The results show a mixed outcome with large hosts and a number of smaller, suspected crime servers. ECATEL, AS29073, tops this list.

There are 3 Russian and 3 Dutch ASes in the Top 10.
Spam

Our Top 10 spam results again indicate that spammers tend to prefer servers located in countries where regulation and monitoring are minimal. Spammers make use of fast flux servers and disposable crime servers, making ownership difficult to quantify. Spammers use tried and tested methods, and are quick to adapt to current media themes without needing new innovations, unlike other areas of cybercriminal activity.

The damage caused by a single spammer can be as great or sometimes greater than a group and is, therefore, a difficult category to measure. For this reason, we used a combination of routing prefixes from respected commercial operation UCEPROTECT-Network, spam server information from academic researchers at Malicious Networks (FiRE) and community spam bot data from SudoSecure to provide a wide spread of spam instances. The result was a definitive list of the worst spam havens in the world.

Perhaps unsurprisingly, four of the ASes listed in the table below were also present in our Top 10 list of Bad Hosts.
Botnet C&C Servers

A disturbing trend has emerged since the last quarter report with the appearance of Botnet C&C Servers migrating towards larger hosts.

Our data returned a surprising result displaying the worst offending Botnet & C&C Serving host as AS21741 DemandMedia / eNom - the largest hosting/media provider in the U.S., a well-known, and apparently, reputable company.
Phishing

Phishing continues to be a cause for concern to banks and large corporations alike. The need to establish false credibility explains the dominance of Western countries in the Top 10 list for phishing. In fact our results show that 7 of the top 10 phishing hosts are based in the US.

The necessary malware can reside on the enterprise’s web site, or appears to via cross-site scripting or header redirects. Malware located on a server in the West minimizes both customers’ and target organizations’ suspicions.
Exploit Servers

It is important to note that “Exploit Servers” is possibly the most important category to be found in this report, in the analysis of malware, phishing, or badness as a whole. Added weighting was given to this sector.

Many hosts or commercial internet servers that deliver malware or undertake other malicious activity do so because they have been hacked externally. Useful information, victims’ identities and other illicitly gained booty are then directed back to these Exploit Servers using malware.

In contrast to spam hosts, Exploit Servers have until recently been entirely located in countries subject to lower levels of regulation. However in this 2nd quarter 2010 it should be noted 50% of the top 10 in this sector are located in the US.
HE Current Events

The most up-to-date and fast-changing of attack exploits and vectors form the category of Current Events.

Counterfeit pharmas, Zeus (Zbota), Artro, SpyEye, and newly emerged exploit kits form a key component of the data.

containing some well-known names.
Zeus Botnet C&Cs

Cyber criminals manage networks of infected computers, otherwise known as zombies, to host botnets out of C&C servers. A single C&C server can manage some 250,000, or higher, slave machines. HostExploit focused, here, on the Zeus botnet as it remains the cheapest and most popular on the underground market.

This section should be considered in conjunction with Section 8.5 on Exploit Servers. In both instances, it is somewhat surprising to see large hosting providers such as DemandMedia and Interactive3D being infected with high concentrations of C&Cs.

Zeus botnet data (Zbot) is provided by the excellent Zeus Tracker service from abuse.ch.
Badware

Badware fundamentally disregards how users might choose to employ their own computer. Examples of such software include spyware, malware, rogues, and deceptive adware, and it commonly appears in the form of free screensavers that surreptitiously generate advertisements, malicious web browser toolbars that take browsers to unexpected web pages and keylogger programs that transmit personal data to malicious third parties.

The findings in this category are primarily based on StopBadware’s data, which is itself aggregated from Google, Sunbelt Software, and Team Cymru.
Crime Servers

9.1. Background - What Are Crime Servers?

Crime servers are by definition active dedicated accomplices to cybercrime providing a platform for cyber criminals or cells within their own organization to mount cyber attacks. Crime servers cannot be excused on the grounds of being a victim of lax abuse policy enforcement but are active participants in the bad host process, sometimes acting as hosting providers or registrars themselves.

Examples of large versions of these have been seen over recent times and shown within earlier HostExploit reports, i.e. Atrivo (US), McColo (US), Real Host (Latvia). Also more recently in the example of Troyak. Interestingly the ones discovered within this current analysis and report are considerably smaller than these, numbers of IPs ranging from just 256 to 1,024, while the majority of the top 50 bad hosts appear to be legitimate commercial enterprises.

9.2. Crime Servers or Bad Hosts?

The research contained within this report has been directed at identifying instances of bad hosts around the world to culminate in a league table of the ‘Top 50 Worst Hosts’, presuming that most of the hosting servers are legitimate internet service providers.

9.2. Crime Servers - Currently Inactive (Not Announced)

AS number  Name                                               IPs    HE Rank
12604      CITYGAME-AS Kamushnoy Vladimir Vasulyovich         256    N/A
29371      GAZTRANZITSTROYINFO-AS LLC “Gaztransitstroyinfo”   256    N/A
42229      MARIAM-AS PP Mariam                                1,024  N/A
44107      PROMBUDDETAL-AS Prombuddetal LLC                   1,024  N/A
47560      VESTEH-NET-AS Vesteh LLC                           1,024  N/A
47821      BOGONET-AS PE Syrovatko Igor Mykolayevish          256    N/A
49091      INTERFORUM-AS Interforum LTD                       256    N/A
49093      BIGNESS-GROUP-AS Bigness Group Ltd.                512    N/A
49934      VVPN-AS PE Voronov Evgen Sergiyovich               256    N/A
50033      GROUP3-AS GROUP 3 LLC.                             256    N/A
50215      TROYAK-AS Starchenko Roman Fedorovich              256    N/A
50369      VISHCLUB-AS Kanyovskiy Andriy Yuriyovich           1,024  N/A
50390      SMILA-AS Pavlenko Tetyana Oleksandrivna            256    N/A
50678      SAINTVPN                                           256    N/A

9.3. Crime Servers - Examples Currently Active

AS number  Name                                               IPs     HE Rank
29106      VOLGAHOST-AS PE Bondarenko Dmitriy Vladimirovich   256     3
44565      VITAL VITAL TEKNOLOJI                              18,432  27
47434      FORTUNE-AS Fortune Science and Production Company  256     134
Conclusions

10.1. Conclusions

This report is a further undertaking to highlight the issues which create and allow cyber criminal activity to be hosted and served on the Internet. It should be stressed; HostExploit, the report’s authors, sponsors, and the now numerous hosts and volunteers who have helped in establishing this report, do not view the exposure of bad hosting and ISPs as a sole solution to the seemingly ever growing problem of cybercrime. However, providing a comparative and quantitative listing of hosts and ISPs with associated badness clearly contributes to a “who” and a “where” approach to comprehending cybercrime:

• Exposing comparative levels of badness found on Internet hosts, ISPs, and networks in this way highlights the integral part that hosts play in the cycle of cyber criminal activity.

• Such a report and the defined “HE Index” acts as a consumer barometer for each of the 34,748 currently advertised and commercial ASes. It provides a definitive and quantitative analysis of the worst hosting and network culprits of failing to prevent cyber criminal activity.

• The release of the Top 50 Bad Hosts reports has delivered a successful outcome with some contacted hosts significantly decreasing levels of abuses by 90%.

• The findings from this report will reinforce the need to demonstrate willingness to ‘clean up’ systems when bad publicity is seen as harmful to business. The biggest success to date is illustrated by AS30407 Velcom, which was ranked as the #1 Bad Host in the December 2009 report, and has dramatically reduced its badness levels by over 60 per cent over two successive quarters. It is encouraging to see a willingness to begin the process of ‘cleaning up’ known abuses but as the new report shows there is still much work to be done.

• At worst host ranking #1 AS21741 DemandMedia / eNom (US) is carrying a wide range of badness. At #2 AS29073 Ecatel (NL), #1 in March 2010, continuously hosts large amounts of badware.

• The HE Index, therefore, has the ability to express a myriad of different internet malpractices in an easy to understand format. It expresses who is hosting the worst of these offences.

After disclosure, the first steps towards action against abuses can be taken.

As originally shown in the December 09 and March 2010 reports and only briefly covered within this report, the overall analysis further highlights a relatively small number of dedicated ‘Crime Servers’, and related ‘bullet proof’ hosting enterprises. A further supplementary disclosure of the worst of this type of criminal activity will be released in a new report from HostExploit which is to follow. Examples and results of actions against crime servers, such as Troyak and its peers, will be a feature.

10.2. Worst Culprits Within Tracked Sectors

Category            HE Rank  ASN    Name          Country
Infected Web Sites  2        29073  Ecatel        NL
Spam                6        45899  VNPT          VN
Botnet C&C Servers  1        21740  DemandMedia   US
Phishing            9        28299  Cyberweb      BR
Exploit Servers     236      18018  Gamebuilders  PH
HE Current Events   8        16138  Interia.pl    PL
Zeus Botnet C&Cs    3        29106  Volgahost     RU
Badware             1        21740  DemandMedia   US

The above figures illustrate that the distribution of bad servers is a global problem and is not focused in just one area. We have also found that the choice of attack vector for the cyber criminal depends highly on the nature of the objective. For example, the distribution of malware is preferably hosted in the western world to avoid suspicion, while spam servers are usually kept in countries with laxer controls by internet providers where obvious spikes in server usage are less likely to be challenged.
Glossary

AS (Autonomous System):
An AS is a unit of router policy, either a single network or a group of networks that is controlled by a common network administrator on behalf of an entity such as a university, a business enterprise, or Internet service provider. An AS is also sometimes referred to as a routing domain. Each autonomous system is assigned a globally unique number called an Autonomous System Number (ASN).

Badware:
Software that fundamentally disregards a user’s choice regarding how his or her computer will be used. Types of badware are spyware, malware, or deceptive adware. Common examples of badware include free screensavers that surreptitiously generate advertisements, malicious web browser toolbars that take your browser to different pages than the ones you expect, and keylogger programs that can transmit your personal data to malicious parties.

Blacklists:
In computing, a blacklist is a basic access control mechanism that allows access much like your ordinary nightclub; everyone is allowed in except people on the blacklist. The opposite of this is a whitelist, equivalent of your VIP nightclub, which means allow nobody, except members of the white list. As a sort of middle ground, a gray list contains entries that are temporarily blocked or temporarily allowed. Gray list items may be reviewed or further tested for inclusion in a blacklist or whitelist. Some communities and webmasters publish their blacklists for the use of the general public, such as Spamhaus and Emerging Threats.

Botnet:
Botnet is a term for a collection of software robots, or bots, that run autonomously and automatically. The term is now mostly associated with malicious software used by cyber criminals, but it can also refer to the network of infected computers using distributed computing software.

CSRF (cross site request forgery):
Also known as a “one click attack” / session riding, which is a link or script in a web page based upon authenticated user tokens.

DNS (Domain Name System):
DNS associates various information with domain names; most importantly, it serves as the “phone book” for the Internet by translating human-readable computer hostnames, e.g. www.example.com, into IP addresses, e.g. 208.77.188.166, which networking equipment needs to deliver information. A DNS also stores other information such as the list of mail servers that accept email for a given domain, by providing a worldwide keyword-based redirection service.

DNSBL:
Domain Name System Block List – an optional list of IP address ranges or DNS zone usually applied by Internet Service Providers (ISP) for preventing access to spam or badware. A DNSBL of domain names is often called a URIBL, Uniform Resource Indicator

Exploit:
An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause irregular behavior to occur on computer software, hardware, or something electronic. This frequently includes such things as violently gaining control of a computer system or allowing privilege escalation or a denial of service attack.

Hosting:
Usually refers to a computer (or a network of servers) that stores the files of a web site which has web server software running on it, connected to the Internet. Your site is then said to be hosted.

IP (Internet Protocol):
IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and has the task of delivering data packets from the source host to the destination host solely based on its address.

ISP (Internet Service Provider):
A company or organization that has the equipment and public access to provide connectivity to the Internet for clients on a fee basis, i.e. emails, web site serving, online storage.

LFI (Local File Inclusion):
Use of a file within a database to exploit server functionality. Also for cracking encrypted functions within a server, e.g. passwords, MD5, etc.

MALfi (Malicious File Inclusion):
A combination of RFI (remote file inclusion), LFI (local file inclusion), XSA (cross server attack), and RCE (remote code execution).

Rogue Software:
Methodology

1 Motivation

We aim to provide a simple and accurate method of representing the history of badness on an Autonomous System (AS). Badness in this context comprises malicious and suspicious server activities such as hosting or spreading: malware and exploits; spam emails; MALfi attacks (RFI/LFI/XSA/RCE); command & control centers; phishing attacks.

We call this the HE Index; a number from 0 (no badness) to 1,000 (maximum badness). Desired properties of the HE Index include:

1. Calculations should be drawn from multiple sources of data, each representing different forms of badness, in order to reduce the effect of any data anomalies.
2. Each calculation should take into account some objective size of the AS, so that the index is not unfairly in favor of the smallest ASes.
3. No AS should have an HE Index value of 0, since it cannot be said with certainty that an AS has zero badness, only that none has been detected.
4. Only one AS should be able to hold the maximum HE Index value of 1,000 (if any at all).
2 Data sources
Data is taken from the following 11 sources:
Spam data from UCEPROTECT-Network and ZeuS data from Abuse.ch is cross-referenced with Team
Cymru.
Data from StopBadware is itself an amalgam of data from Google, Sunbelt Software and NSFOCUS.
Using the data from this wide variety of sources fulfils desired property #1.
Sensitivity testing was carried out, to determine the range of specific weightings that would ensure known
bad ASes would appear in sensible positions. The exact value of each weighting within its determined range
was then chosen at our discretion, based on our researchers’ extensive understanding of the implications of
each source. This approach ensured that results are as objective as realistically possible, whilst limiting the
necessary subjective element to a sensible outcome.
3 Bayesian weighting

How do we fulfil desired property #2? That is, how should the HE Index be calculated in order to fairly reflect the size of the AS? An initial thought is to divide the number of recorded instances by some value which represents the size of the AS. Most obviously, we could use the number of domains on each AS as the value to represent the size of the AS, but it is possible for a server to carry out malicious activity without a single registered domain, as was the case with McColo. Therefore, it would seem more pragmatic to use the size of the IP range (i.e. number of IP addresses) registered to the AS through the relevant Regional Internet Registry.

However, by calculating the ratio of number of instances per IP address, isolated instances on small servers may produce distorted results. Consider the following example:

In this example, using a simple calculation of number of instances divided by number of IPs, the ratio is almost eight times higher than the average ratio. However, there are only two recorded instances of spam, but the ratio is so high due to the low number of IP addresses on this particular AS. These may well be isolated instances, therefore we need to move the ratio towards the average ratio, more so the lower the number of IPs.

For this purpose, we use the Bayesian ratio of number of instances to number of IP addresses. We calculate the Bayesian ratio as:
$$B = \frac{M}{M + C} \cdot \frac{N}{M} + \frac{C}{M + C} \cdot \frac{N_a}{M_a} \qquad (1)$$

where:

B: Bayesian ratio
M: number of IPs allocated to ASN
M_a: average number of IPs allocated in sample set
N: number of recorded instances
N_a: average number of recorded instances in sample set
C: IP weighting = 10,000
The process of moving the ratio towards the average ratio has the effect that no AS will have a Bayesian
ratio of zero, due to an uncertainty level based on the number of IPs. This meets the requirements of desired
property #3.
4 Calculation
For each data source, three factors are calculated.
To place any particular Bayesian ratio on a scale, we divide it by the maximum Bayesian ratio in the sample set, to give Factor C:

$$F_C = \frac{B}{B_m} \qquad (2)$$

where:

B_m: maximum Bayesian ratio
Sensitivity tests were run which showed that in a small number of cases, Factor C favors small ASes too
strongly. Therefore, it is logical to include a factor that uses the total number of instances, as opposed to
the ratio of instances to size. This makes up Factor A:
$$F_A = \min\left\{ \frac{N}{N_a},\ 1 \right\} \qquad (3)$$
This follows the same format as Factor C, and should only have a low contribution to the Index, since it
favors small ASes, and is used only as a compensation mechanism for rare cases of Factor C.
If one particular AS has a number of instances significantly higher than for any other AS in the sam-
ple, then Factor A would be very small, even for the AS with the second highest number of instances. This
is not desired since the value of one AS is distorting the value of Factor A. Therefore, as a compensation
mechanism for Factor A (the ratio of the average number of instances) we use Factor B as a ratio of the
maximum instances less the average instances:
$$F_B = \frac{N}{N_m - N_a} \qquad (4)$$

where:

N_m: maximum number of instances in sample set
Factor A is limited to 1; Factors B and C are not limited to 1, since they cannot exceed 1 by definition. Only one AS (if any) can hold maximum values for all three factors, therefore this limits the HE Index to 1,000 as specified in desired property #4.

The Factor A, B & C weightings (10%, 10%, 80% respectively) were chosen based on sensitivity and regression testing. Low starting values for Factor A and Factor B were chosen, since we aim to limit the favoring of small ASes (property #2).
where:

w_i: source weighting (3 = high, 2 = medium, 1 = low)
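As an added worked example (not HostExploit's own code), the following Python implements equations (1) to (4) from Sections 3 and 4 for one data source over a constructed sample set of four ASes, using documentation ASNs and invented instance counts, and shows how the Bayesian ratio pulls a tiny AS with two recorded instances back towards the sample average. The linear 10/10/80 combination of the three factors into a per-source score and the handling of a sample set with no spread in N are assumptions, since the page states the weightings but not the aggregation formula.

```python
from dataclasses import dataclass
from statistics import mean
from typing import NamedTuple

# C in equation (1), the IP weighting stated in the methodology.
C_IP_WEIGHTING = 10_000

# Factor A, B, C weightings from Section 4 (10%, 10%, 80%).
W_A, W_B, W_C = 0.10, 0.10, 0.80


@dataclass(frozen=True)
class ASRecord:
    asn: int
    ips: int        # M: IPs allocated to the AS
    instances: int  # N: instances recorded for one data source (e.g. spam)


class Factors(NamedTuple):
    B: float    # Bayesian ratio, equation (1)
    F_A: float  # min{N / N_a, 1}, equation (3)
    F_B: float  # N / (N_m - N_a), equation (4)
    F_C: float  # B / B_m, equation (2)


def naive_ratio(r: ASRecord) -> float:
    """Instances per IP with no smoothing: the ratio Section 3 warns about."""
    return r.instances / r.ips


def average_ratio(records) -> float:
    """N_a / M_a, the sample-set average ratio that the Bayesian ratio moves towards."""
    return mean(r.instances for r in records) / mean(r.ips for r in records)


def bayesian_ratio(m, n, m_avg, n_avg, c=C_IP_WEIGHTING) -> float:
    """Equation (1): B = M/(M+C) * N/M + C/(M+C) * N_a/M_a.

    The smaller M is relative to C, the more weight the prior (average ratio)
    gets, so isolated instances on a tiny AS no longer dominate.
    """
    own_ratio = (m / (m + c)) * (n / m)
    prior = (c / (m + c)) * (n_avg / m_avg)
    return own_ratio + prior


def factors(records, c=C_IP_WEIGHTING) -> dict:
    """Equations (1)-(4) for every AS in the sample set, keyed by ASN."""
    m_avg = mean(r.ips for r in records)
    n_avg = mean(r.instances for r in records)
    if n_avg == 0:
        raise ValueError("sample set has no recorded instances")
    n_max = max(r.instances for r in records)
    b = {r.asn: bayesian_ratio(r.ips, r.instances, m_avg, n_avg, c) for r in records}
    b_max = max(b.values())
    spread = n_max - n_avg  # zero only when every AS has the same N
    result = {}
    for r in records:
        f_a = min(r.instances / n_avg, 1.0)
        # Assumption: with no spread in N there is nothing for Factor B to compensate.
        f_b = r.instances / spread if spread else 0.0
        f_c = b[r.asn] / b_max
        result[r.asn] = Factors(b[r.asn], f_a, f_b, f_c)
    return result


def source_score(f: Factors) -> float:
    """Assumed linear combination with the stated 10/10/80 weightings; the page
    does not give the formula that folds the factors, or the per-source weights
    w_i, into the final 0-1000 HE Index."""
    return W_A * f.F_A + W_B * f.F_B + W_C * f.F_C


# Constructed sample set (documentation ASNs, invented counts). AS64496 plays the
# "small AS with only two recorded instances" case from Section 3.
SAMPLE = [
    ASRecord(64496, 256, 2),
    ASRecord(64497, 65_536, 60),
    ASRecord(64498, 1_048_576, 500),
    ASRecord(64499, 16_384, 20),
]

if __name__ == "__main__":
    avg = average_ratio(SAMPLE)
    res = factors(SAMPLE)
    for r in SAMPLE:
        f = res[r.asn]
        print(f"AS{r.asn}: naive={naive_ratio(r):.6f} ({naive_ratio(r) / avg:.1f}x avg) "
              f"B={f.B:.6f} F_A={f.F_A:.3f} F_B={f.F_B:.3f} F_C={f.F_C:.3f} "
              f"score={source_score(f):.3f}")
```

With these inputs AS64496's naive ratio is about fifteen times the sample average, yet its Bayesian ratio lands below two of the larger ASes, which is the effect property #2 asks for.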