Reports

Top 50 Bad Hosts March 2010 - New Report

Monday, 05 April 2010 15:40 in Blogs, Reports by Will Rogofsky

HostExploit is pleased to present the Q1 2010 report on the Top 50 Bad Hosts and Networks. Using our own data, supplied by SiteVet.com, together with Open Security partners, HostExploit has compiled an updated HE Index of the worst internet hosting players around the world.

Download the report here.

Findings in the report are based on data generated by public ASes (Autonomous Systems) exchanging routing information with each other over the public internet. ‘Bad’ activity in this context includes traffic generated by botnets, spam, MALfi, phishing, malware, exploits and the control centers that manage these activities.

By using a unique combination of actuarially-weighted mathematical equations, a bespoke ‘badness’ rating is created showing the worst hosting organizations for cyber-criminal activity. Consideration is given to the size of each network and its related potential for malware distribution: larger operators should have the means to track cyber-criminal activity on their networks more effectively.

 

Report - Top 50 Bad Hosts & Networks 2009

Monday, 14 December 2009 12:00 in Blogs, Reports by Will Rogofsky


HostExploit is proud to announce the “winners” of the Bad Internet Host of 2009 awards, alongside the definitive Top 50 Bad Hosts and Networks report. The findings are powered by the newly-created HE Index - a numerical representation of internet badness.

Download the report here.

The report comprises an exhaustive analysis of the Internet hosting industry (servers and Autonomous Systems) by the researchers at HostExploit, with community input and data from 16 authoritative community sources. The result is a definitive list of the worst commercial servers around the globe, in terms of server badness. Detailed reports on each of the top 150 bad servers can be viewed on SiteVet.com.

The report analyses the wide range of crimes which affect all of our lives, and through the use of sophisticated math and our researchers’ vast experience, HostExploit has been able to produce what is perhaps the most definitive list to date and an easy-to-understand badness index. Beyond this, the report analyses the effects by country, the worst culprits within cybercrime categories (e.g. spam, malicious software, malware, botnet serving, Zeus, etc.), the attack vectors for specific cybercriminal activities and much more.

Legitimate businesses may wish to reconsider hosting a web site with a hosting service which has a high HE Index. In addition to supporting a hosting service that has a disproportionate amount of malicious activity, there is the risk of being blacklisted by having your web site on such a server.

However, it is not all bad news; part of the project also provides examples of the cleanest hosts around the world to demonstrate how such Internet badness can be avoided by commercial servers.

In providing this report, the emphasis was to review servers that could be considered medium to large scale commercial operations, with a few exceptions. The report highlights the issues which face the internet community due to the lack of accountability required of internet service providers whose servers are utilized for cybercrime.

This new report is available for a free PDF download at hostexploit.com - the producers of community reports exposing RBN (Russian Business Network), Atrivo, McColo and Real Host, and a foremost source of rogue and malicious network activity analysis on the Internet.

 

MALfi A Silent Threat

Wednesday, 11 November 2009 07:58 in Blogs, Reports by Jart Armin

Cyber Crime International – MALfi

A new cybercrime report from HostExploit.com, the producers of the definitive reports exposing RBN (Russian Business Network), Atrivo, McColo and Real Host, and a foremost source of rogue network activity analysis on the Internet.

Download the report here.

MALfi “A Silent Threat”

What is MALfi all about? It is a blended threat currently detected on around 350,000 websites and Internet servers. One major purpose is to establish “use once and throw away” disposable botnets for spam, phishing, DDoS and exploits.

Full report (public version) PDF download, HostExploit download page: http://bit.ly/eoO4C

Abstract / Press Release

MALfi is a holistic and descriptive term applied to adequately describe the recent blended attack utilized by hackers and cyber criminals to compromise websites and servers. It is a combination of RFI (remote file inclusion), LFI (local file inclusion), XSA (cross server attack) and RCE (remote code execution).

Conservative estimates over recent months indicate around 350,000 affected websites and servers worldwide. HostExploit and associated researchers have tracked 103,351 attacks, involving 2,743 unique IP addresses, with 85 countries involved in RFI scanning and 911 ASNs involved.

RFI is used by hackers to compromise websites and upload a remote user interface shell. This gives them partial to full manual, unauthorized control over the server. It differs from the now familiar “drive by” web site exploit in that it provides hackers with a ready-made arena where internet plunder, in the form of information, controlled servers and web sites, is exchanged or resold to cyber criminal groups.

Essentially, RFI hackers continuously and automatically search for website vulnerabilities to exploit. Once breached, the websites, and often the now compromised underlying servers, are utilized for DDoS (distributed denial of service) attacks such as the recent US and Korean government DDoS, spamming, phishing, large scale ID theft and to facilitate further attacks on other targets. It follows that many of the regular and apparently attempted attacks on various high volume governmental and key servers were RFI and similar vulnerability scanning, bots and scripts.

In comparison with SQL injection, viruses and worms, RFI scanning and related exploitation happens continuously and affects all corners of the Internet. Both un-patched Windows systems and systems with RFI vulnerabilities are on a theoretical time-to-live.

The three distinct stages of this serious but silent threat to Internet security are:

First stage – Remote File Inclusion Attack: Hacked websites and servers are not infectious to the web visitor and remain undetected by most AV vendors and by, for example, Google’s Safe Browsing feature. This “crack in the door” provides for the second stage.

Second stage – Doing Damage: Here the compromised websites and servers have attacker tools uploaded. These consist of both purchased and custom written tools to conduct nefarious activities such as sending phishing emails, hosting phishing sites, sending SPAM, hosting malware, defacing, DDoS and much more. XSA (cross server attacks), LFI (local file inclusion) and RCE (remote code execution) further compromise the system or other remote systems.

Third stage – Detection Avoidance: Upon completion of the cybercriminal action or discovery of their attack, the miscreant removes their tools or causes them to self destruct before moving on. With full control of the system, covering their tracks is accomplished easily.

With this technique there is no master server and no simple tracking. The compromised servers are controlled via various anonymous web proxies and compromised hosts, in a totally decentralized manner. IRC (internet relay chat) is primarily used in a cell-like communication structure to co-ordinate efforts and to launch vulnerability scans.

Identification of specific botnets such as Storm or Cutwail has been used to gather valuable cyber criminal intelligence, but the decentralized nature of RFI based attacks requires deeper investigation and wider application of fundamental COMINT (communication intelligence) techniques. Even after being discovered, hackers using the RFI technique still have the compromised web sites to re-launch from or even to re-utilize. The whole process begins again with scanning for vulnerabilities with a new disposable single use botnet.

The how, what and where of this particular hacking technique and cybercrime business model are provided, together with detailed and graphic explanations, in the HostExploit community research report.

Download the report here. For further information contact:

Jart Armin – jart (at) jartarmin.com,

Scott D Logan - scott (at) hostexploit.com,

General enquiries - admin (at) hostexploit.com


Release Date - Nov 11th 2009

 

Real Host, Latvia - RBN Resurgence or Clone

Saturday, 01 August 2009 07:17 in Blogs, Reports by Jart Armin

As a cybercrime and bullet-proof hosting hub, Real Host Ltd, which resides on the autonomous system (Internet server) AS8206 Junik based in Riga, Latvia, is high on any watch list, as Dynamoo pointed out in his blog post “A real sewer” (ref 1). Moreover, it has all the hallmarks and operational elements of the apparently fragmented RBN (Russian Business Network), either as a resurgence or as a clone of the RBN’s business model.

Fig 1 - Stolen bank logins, credit cards, PayPal sales and IDs on Real Host
Of more current interest, this is the base for distributing the new and, at the time of writing, as yet un-patched “Zero day Flash/PDF exploit” (ref 2), and a center for the Zeus botnet C&C, the #1 botnet in the US with an estimated 3.6 million. So a combination of Martin Security (Andrew Martin) (ref 3) and HostExploit (ref 4) set about analyzing this cybercrime hub from a few differing angles, with the goal not only of understanding it in depth but also of reducing the threats discovered.
Fig 2 - Plot of BGP – 072409 – Flash / PDF un-patched exploit and related Zeus activity (ASN)
Firstly, a little logistics of this cybercrime hub: Junik is a relatively small server, ranking 2,826 worldwide with 16,384 IP addresses. In this, as in many cases, the old Russian proverb comes to mind and is very apt: “Where do you hide a tree? In a forest!” Paring down to get to the core of the problem, our examination found it centered on the net block 213.182.197.0/24; Real Host has 3 of 28 IP blocks (48 IPs) and 272 domains.
Fig 3 - Routing plot AS8206 Junik - 073009
Fortunately, in more recent times there are several good sources within the Open SEC community of up-to-date information on malware domains, spam centers and botnets; to select a few:
  • Spamhaus – SBL75831 – lists the net block for Phishing and Malware hosting. (Ref 5.)
  • Fire - shows up to 9 complete malware servers over recent times. (Ref 6.)
  • MalwareURL – shows currently 199 domains hosting amongst other badness; 18 trojans, 25 redirects to exploits and rogue anti-virus, 6 Botnet C&C (command and control) (Ref 7.)
  • Google’s Safe Browsing - shows for AS8206 Junik in the last 90 days; 12 sites providing malicious software for drive by downloads, 102 sites acting as intermediaries for the infection of 11,810 other web sites. Finally it found 161 websites hosting malware that infected 20,681 other web sites.
  • Google’s Safe Browsing  - as an example for just one of the domains – 71.speed.info – 32 scripting exploits
In summary, Real Host, from within Junik, serves:
  • exploits, including un-patched (or soon to be patched) 0days;
  • fake codecs, banking trojans, spambots, downloaders;
  • phishing sites;
  • money mule recruitment sites;
  • Zeus botnet command and control servers;
  • distribution of licensed software (warez);
  • illegal porn content.
Added to which, it is a center for the money:
  • botnet rental;
  • botnet loading;
  • iFrame exploit affiliate;
  • warez;
  • credit card trading forums;
  • openly selling credit cards, PayPal accounts and bank logins, over 10,000 “newly harvested”.
Fig 4 - Botnet rentals and installations (Installing.CC)
So who is Real Host Ltd.? To start with, that net block is leased from Junik by Alex Spiridonov, Abay Street 2a, Almaty, Kazakhstan. However, there are a few tell-tale signs:
  • Many of the domains are ex-Estdomains.
  • All of the websites are in Russian or for the trading arm Russian / English.
  • However, older entities which many had thought were dead and gone are here: Barwells Group, Newsky, Web-Alfa, and good old Botnet.Su.
All of these were operational elements of RBN (Russian Business Network). So this may not be a reincarnation of the RBN, but it is clearly Russian organized cyber criminals in the same vein, at least headed by someone from the old school of RBN.
To finish on a positive note, it is pleasing to report that as of today most of the worst offending domains have been suspended thanks to the proactive efforts of Directi’s abuse department. We are awaiting the results from the main downstream providers Telia, Latvian CERT and Junik themselves, which we trust will be action based.
Real Host - Domain names suspended to date:
References:
1. Dynamoo’s blog on Real Host / Junik: http://www.dynamoo.com/blog/
2. SANS ISC advisory “0 day Flash/PDF exploit”: http://isc.sans.org/diary.html?storyid=6847
3. Martin Security: http://www.martinsecurity.net/
4. HostExploit: http://hostexploit.com

To download The Full Cyber Crime Series 1.0 the Europeans Real Host Latvia Report click here and to see The Real Host Latvia Take Down Video click here.
 

Actions against registry services abuse – Report April 2009 – HostExploit and Directi

Thursday, 09 April 2009 10:00 in Blogs, Reports by Jart Armin

Joint report on the outcome of community actions against abuse of Directi’s domain registry in the first quarter of 2009.

Graph of Abuse domains

 
