When there is some type of cyber attack or malware campaign, the first place people think of is China. While some reputations are slow to fade away, it seems China is not even in the top ten of malicious hosting providers, a new survey said.

The United States and Russia have many more bad hosting providers in the top 20 than China does, according to a survey compiled in Host Exploit’s quarterly World Hosts Report.

The malicious activity Host Exploit tracks generally consists of malware hosting and botnet C&C hosting, and does not necessarily include command-and-control servers for targeted attacks. Still, the data the organizations compiled shows that the hosting of malicious servers is not a localized problem; it’s a global one.

Of the top 20 malicious autonomous systems (AS), ranked according to an index that Host Exploit calculates based on a number of factors, five are in the United States, four are in Russia and just one is in China. Even extending the view to the entire top 50 malicious ASes turns up just one other host in China. Host Exploit bases its index on a calculation of the concentration of malicious activity coming from each AS, which is a large block of routes assigned to one host or ISP.

In the first quarter of 2013, the host ranked as the worst in this report is Ecatel Network in the Netherlands, a host that has a relatively small number of IPs assigned to it, at slightly more than 13,000. By comparison, Chinanet Backbone, the lone Chinese host in the top 20, has more than 116 million IPs. So the absolute level of malicious activity on Chinanet is obviously far higher than that on Ecatel Network. The highest-ranked U.S. host is Landis Holdings, which comes in ninth and has 28,000 IPs.

Host Exploit tracks several different kinds of malicious hosting activity including botnet traffic, spam hosting, badware hosting and phishing sites. The breakdown of how much of each kind of activity a given provider is hosting makes for interesting reading. For example, Ecatel Network carries a lot of botnet traffic, but when it comes to activity related to the Zeus botnet, Ideal Solution, a Russian host with fewer than 3,000 IPs, is the largest culprit in the top 10.

Amazon also appears in the top 10 list of providers hosting the highest concentration of infected Web sites. These are the kind of sites used in drive-by download attacks and to deliver exploits from exploit packs. Amazon, with more than two million IPs, ranks fourth in the list of providers hosting infected sites. Also on that list is Google, which comes in at number seven. The top spot belongs to, a Russian hosting provider.

“The number of malicious URLs on’s servers has risen rapidly over the last quarter, with the vast majority being stored on its file hosting service and download manager. This rise has seen it move into the overall top 10 hosts. Such a sudden increase in malicious files being hosted could either be the result of new features, a change in policy or down to cybercriminals choosing as a temporary hosting service,” Host Exploit said in its report.

When it comes to phishing sites, the U.S. had four of the top 10 hosting providers.

