“As malware continues to evolve, and cybercriminals continue to learn, one particular fundamental remains constant – almost all malicious threats are physically hosted somewhere,” Host Exploit noted. “For this reason, it remains as important as ever to examine hosting practices and standards and consider how they can be improved.”
The study found that five of the top 20 malicious autonomous systems (AS) are to be found in the US, and four are in Russia. Only one is located in China.
Chinanet Backbone, at No. 11, is China’s lone entry into the list. However, it has the largest number of IPs under its wings out of any of the providers, coming in at more than 116 million IPs – meaning that volume-wise, it likely accounts for a significant amount of bad acting. Nonetheless, the top culprit of the quarter comes from the unassuming Netherlands.
In the first quarter of 2013, the worst host overall was found to be Ecatel Network in the Netherlands, which, while hosting only 13,000 IPs, still manages to host more than it's fair share of malicious content. “This quarter we see the return of Dutch hosting provider Ecatel to the No. 1 rank, having held the position at various times in the past,” Host Exploit said. “Ecatel does not top the rankings for any particular category of activity, but rather for a consistently poor showing across the board.” Botnets in particular seem to like the Dutch provider.
Then there are the sites that are hosting publicly dangerous websites, capable of delivering malware via exploit kits. Host Exploit said that, in fact, the hosting provider harboring the highest number of infected sites overall is Russian: Mail.ru.
"The number of malicious URLs on Mail.ru’s servers has risen rapidly over the last quarter, with the vast majority being stored on its file hosting service and download manager,” Host Exploit said in its report. “This rise has seen it move into the overall top 10 hosts. Such a sudden increase in malicious files being hosted could either be the result of new features, a change in policy or down to cybercriminals choosing Mail.ru as a temporary hosting service.”
When it comes to the US rankings, Landis Holdings comes in ninth for overall hosting issues, with 28,000 IPs under its umbrella. But when talking about hosting the highest concentration of infected websites, two big names jump out: Amazon, which has 2 million IPs, is No.4, while Google, which comes in at number seven, has about 667,000 IPs.
Overall, Russia and the US showed up across the rankings, from phishing ponds to botnet hosting. However, the Host Exploit results should be taken with perspective. “The malicious activity that Host Exploit tracks generally comprises malware hosting, botnet C&C hosting and the like, and does not necessarily include command-and-control servers for targeted attacks or the like,” Kaspersky's Threatpost blog caveated. “Still, the data the organizations compiled shows that the hosting of malicious servers is not a localized problem, it's a global one.”