The United States used to be the leading industrial nation in the world, producing the best cars, TVs, clothes and deep-fried Twinkies. Those days are gone, but the U.S. can still claim primacy in one important area: the most malware-infested, phishing-friendly hosting provider.
The newest report from HostExploit, an independent group that monitors the level of relative malicious activity on hosting providers around the world, shows that HostDime, a provider based in Orlando, Fla., had the highest relative levels of malware and phishing and other malicious activity in the second quarter of 2011. The servers hosted by the company had high levels of phishing, exploit servers, Zeus servers, spam and other unwanted activity, according to the report.
“It can be seen that AS33182 HostDime is ranked #1 due to a wide range of issues, including spam, exploit servers, phishing servers and Zeus servers as well as smaller concentrations of C&C servers, badware and infected Web sites,” the report says.
The HostExploit report doesn’t imply that the hosts in the list are knowingly allowing attackers, spam gangs and phishing crews to user their services. In fact, in many cases, attackers are compromising hosts in various providers’ facilities and then using them surreptitiously. A good example would be Google, which is at number 35 on the HostExploit list. Amazon also appears on the list of the worst hosting providers for botnet command-and-control servers.
Attackers know that these providers have massive address spaces and huge hosting businesses and take advantage of those facts to hide their infected servers in the forests.
HostExploit uses a weighted scoring system to determine the relative badness of hosting providers, that takes into account the number of IP addresses the provider owns as well as other factors.
“Hosts and corporate networks invariably do not host malicious activity with deliberate intent, but can deliver malware from servers that have been hacked or compromised and added to a network of zombies. Such networks are used to further the outreach of noxious or virulent material by masking its true origin and, thus, helping to avoid detection. For this reason HostExploit considers the category called Exploit Servers to be the most important in its analysis and why it is given added weighting,” Bryn Thompson wrote in a blog post on the HostExploit site.
In addition to laying claim to the top spot on the list, U.S. hosting providers also took seven of the top 10 spots on the HostExploit list. The top hosting provider for botnets–Panther Express–phishing–eNet Inc.–and exploit servers–CIFNet Inc.–are also based in the U.S. In all, 23 of the top 50 hosts in the report are based in the U.S. The number-two countries on the list, with four entries each, are Germany and China.
You can download the full HostExploit report from their site.