Wednesday, October 01, 2014
   
Text Size

Hacking, Bad Hosting & False Positives

Tuesday, 12 July 2011 10:40 in Blogs, Reports by Bryn Thompson

Blog Image

The Q2 Top 50 Bad Hosts & Networks report encompasses analysis on all 38,030 currently advertised and commercial hosts (ASNs), focusing on the 50 worst offenders. HostExploit is pleased to announce that for the first time, and in collaboration with Group iB, the report is published in English and Russian with both versions available as free downloads. In addition, registration is no longer required to view the public reports.

Download the English report (PDF) here.

Download the Russian report (PDF) here.

Download the Russian report (PDF) here from Group iB.

In a quarter dominated by press stories from self-publicizing hackers such as Anonymous and LulzSec, matched with DDoS attacks and data exfiltration by others, it is easy to overlook the more widespread problems – as an example, there were around 350,000 website defacement hacks in this quarter and 1.5 million in 2010. Additionally, there are currently 800,000 plus web sites hosting malicious exploits and badware.

The need for standardization is a recurring theme for this quarter. This conclusion is reached as a result of, and based upon, our observation of the many different ways that blacklists are compiled. Differences in data sets can be explained, in part, by blacklists being produced for specific malicious activity. Rapid expansion of the blacklist community has resulted, in some cases, in an increase in the number of false positives, and often difficulty in their removal within a reasonable period of time.

After consulting with Google about the problem of false positives in relation to domain parking, Google recently made a process change to eliminate many false positives in their Safe Browsing service (used in browsers to protect end-users from malicious websites). For example, HE research shows that the removal of false positives from the Google Phishing list has resulted in a significant reduction (80 per cent) in the listings of AS21740 eNom. For eNom, now dropped out of the Top 100, this has proved to be significant, enabling them to concentrate on cleaning up the real issues. This will also be reflected across other domain registrars and domain wholesalers as well as reducing the problem of false positives that can be associated with domain parking.

In summary other findings from the report show:

  • The title of #1 Bad Host (Overall Category) goes to AS33182 HostDime for significant levels of spam, exploit servers, phishing servers and Zeus servers, as well as botnet C&C servers, badware and infected websites.
  • Nearly one half (23) of the Top 50 Bad Hosts operate from the United States. Cybercriminals like hosting services that are easy to obtain and which provide false credibility.
  • Exploit Servers represents HostExploit's most important category in the analysis of malware, phishing or badness as a whole. #1 this quarter is AS14585 CIFNet.
  • In the Current Events sector, the most up-to-date and fast-changing malicious activities, such as click jacking, counterfeit pharma, new exploit kits, SpyEye, Stuxnet and blended attacks such as MALfi, in #1 position is AS16138 Interia.pl.
  • Comparing Q1 with Q2 2011, there are few changes in terms of overall levels of badness being served. Website infections, however, are down on the corresponding period of 2010.

Hosts and corporate networks invariably do not host malicious activity with deliberate intent, but can deliver malware from servers that have been hacked or compromised and added to a network of zombies. Such networks are used to further the outreach of noxious or virulent material by masking its true origin and, thus, helping to avoid detection. For this reason HostExploit considers the category called Exploit Servers to be the most important in its analysis and why it is given added weighting. Full details of the methodology used is available in the full report.

To end on a positive note, some well-known names have shown significant reductions in levels of badness and are deserving entrants to the Most Improved Host category. Most Improved this quarter is AS47764 Netbridge, host to the popular mail client Mail.ru, which has shown a drop of 84 percent. The title of overall #1 Good Host for consistent low levels of badness this quarter is awarded toAS34744 GVM Sistem, hosted in Romania.

Note: Live AS results can be found at SiteVet. The figures contained here and in the report were correct at the time of the end-of-quarter analysis.

About Group-iB

Group iB

Group-iB is Russia's and the CIS's leading computer security company, specializing in the investigation of computer crime, information security breaches and computer forensics.

It was the first and the only company in the Russian Federation to specialize in cybercrime investigations, and post-incident consulting.

Contact: Alexander Fominenkov, fominenkov [at] group-ib.ru

Latest Blogs

  • 1
  • 2
  • 3

Newsletter

Sign up to the HostExploit newsletter to receive the latest news on HostExploit reports and other developments.
Receive

Login