A study of malicious Internet activity: Russia is again in the lead

Group-IB, the Russian leader in the computer crime investigation market, together with the HostExploit community, presents the latest Top 50 "Worst Networks and Hosts" report, covering the second quarter of 2012. This time, Russian providers significantly worsened their position in the rating. This directly affected Russia's position in the overall country standings, where it took the top line.

In Q2 2012, the Russian host WEBALTA, which already headed the list at the beginning of 2011, returned to first place in the overall rating. The HE index of the "winner" was 214.67. This autonomous system jumped from fourth place to first because of its high concentration of malware and other threats, including XSS attacks and RFI. Recall that last year WEBALTA was already on the top line due to its huge number of exploit servers and Zeus servers.

It should be noted that the situation of autonomous systems registered in Russia continues to worsen. In Q1 2012 they occupied five positions in the Top 50 list; this time they occupy nine, including first and second place in the overall rating. Russian hosts also lead the "C&C servers" and "Phishing servers" categories. Unfortunately, a consequence of this trend has been a deterioration in Russia's overall rating. In the country standings, the Russian Federation, with an index of 359.3, "won" the top line, ahead of Luxembourg, Latvia and Ukraine. This state of affairs shows that, despite the success of large-scale operations against cybercriminal groups in the so-called Carberp club, much work remains to be done to clean up the systems registered in Russia.

Hosts from the United States, by contrast, continue to show record improvements: for the second quarter in a row, not a single autonomous system registered in America has taken first place in any category. The total number of US hosts in the Top 50 ranking fell from 17 in the first quarter to 13 in the second.

As they say, nature abhors a vacuum, which was demonstrated by unexpected changes in the "Deteriorating Hosts" category. The most "outstanding" host of the quarter is the Iranian AS48159 Telecommunication Infrastructure Company, which showed a huge increase in malicious content (12888%) due to massive spam mailings. A similarly incredible leap (12044.3%) was made by AS44553 SNS-BG-AS Smart Network Solutions Ltd, registered in Bulgaria. In this case, the reason was a significant increase in the number of hosted C&C servers, along with the same spamming.

AS45634 HOSTING-MEDIA from Lithuania also deserves praise. It finally took appropriate measures to rectify the situation and dropped from second place to position #600, becoming this quarter's "Most Improved Host."

The report for the second quarter of 2012 is based on a study of 41,635 registered autonomous systems, 957 more than at the end of the first quarter of 2012.

HostExploit is engaged in non-profit research on information security and the fight against cybercrime. The community has been issuing reports on the level of malicious content on hosts for more than two years, and during this time they have become a reliable source of information on the issue. Based on the analysts' work, a list is compiled of the Top 50 most dangerous autonomous systems (hosts and networks) on which increased malicious activity was recorded. All studies are conducted with the direct participation of Group-IB specialists.

The full report is available at: http://www.group-ib.ru/images/media/top_50_bad_hosts_201206_en.pdf. You can read its English version at the following address: http://hostexploit.com/downloads/viewdownload/7/41.html.