<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>stopthehacker.com &#187; AS</title>
	<atom:link href="http://www.stopthehacker.com/tag/as/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.stopthehacker.com</link>
	<description>Jaal, LLC</description>
	<lastBuildDate>Tue, 07 Feb 2012 14:00:27 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Profiling Autonomous Systems Hosting Blacklisted Websites</title>
		<link>http://www.stopthehacker.com/2010/01/01/profiling-autonomous-systems-hosting-blacklisted-websites/</link>
		<comments>http://www.stopthehacker.com/2010/01/01/profiling-autonomous-systems-hosting-blacklisted-websites/#comments</comments>
		<pubDate>Fri, 01 Jan 2010 21:16:06 +0000</pubDate>
		<dc:creator>anirban</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Report]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[AS]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[injection]]></category>
		<category><![CDATA[malicious websites]]></category>

		<guid isPermaLink="false">http://www.stopthehacker.com/?p=898</guid>
		<description><![CDATA[An Autonomous System (AS) is a routing construct that represents a group of networks under the control of an organization (credit for edit: Max@badwarebusters.org). ASes form the &#8220;structure&#8221; of the Internet. These organizations can be thought of as web-hosting companies, large Internet-based companies or resellers of bandwidth and IP addresses. These are usually large [...]]]></description>
			<content:encoded><![CDATA[<p>An Autonomous System (AS) is a routing construct that represents a group of networks <em>under the control of</em> an organization (<em>credit for edit: Max@<a href="http://www.badwarebusters.org" target="_blank">badwarebusters.org</a></em>). ASes form the &#8220;structure&#8221; of the Internet. These organizations can be thought of as web-hosting companies, large Internet-based companies or resellers of bandwidth and IP addresses. These are usually large organizations for whom simply getting an Internet connection and a hosting company for their website is not enough.</p>
<p>In recent months, the trend of benign websites being affected by code injection clearly shows that attacks injecting malware into unsuspecting websites are on the rise. It is important to understand the profile of the ASes that provide transit to infected websites hosted within their systems, since each AS provides the bandwidth and resources that support the downloading of malware to the computers of unsuspecting visitors to a compromised website. ASes, or more specifically hosting companies and other network operators (rather than ASes), should play a pivotal role in addressing compromised websites.</p>
<p>At StopTheHacker.com, we have conducted extensive experiments to analyze and profile over 20,000 ASes to identify which ASes are the worst offenders in terms of hosting blacklisted websites. We have used <a href="http://www.google.com/tools/firefox/safebrowsing/index.html" target="_blank">Google Safe Browsing</a> data, also accessible via <a href="http://stopbadware.org/reports/asn/" target="_blank">StopBadware.org</a> (which sources data from Google and <a href="http://www.sunbeltsoftware.com" target="_blank">Sunbelt</a>), to identify and trend which ASes are responsible for the proliferation of badware on the Internet. We have correlated AS size with <a href="http://www.caida.org/research/topology/#asrank" target="_blank">data</a> available from <a href="http://www.caida.org" target="_blank">CAIDA</a> to determine whether larger ASes are more at fault or not.</p>
<p><strong>We present some brief results below:</strong></p>
<ol>
<li>The average percentage of blacklisted websites in
<ul>
<li>Top 10 ASes (according to number of sites noted by Google) is 3.5%</li>
<li>ASes with Ranks 11-23 (according to number of sites noted by Google) is 3.75%</li>
<li>ASes with Ranks 24-40 (according to number of sites noted by Google) is 5.01%</li>
</ul>
</li>
<li>The AS with the highest percentage of blacklisted sites is AS 16557 (Colo Solutions, Inc.), with close to 60% of 10,000 sites blacklisted.</li>
<li>The Top 50 ASes, which host more than 10,000 sites each and have at least 6% of websites blacklisted, host 151,000 blacklisted sites, combined.</li>
</ol>
<p><strong>Interesting observations:</strong></p>
<ol>
<li>AS 16557 (Colo Solutions, Inc.) is well known for popping up on blacklists related to peer-to-peer networks [<a href="http://www.cs.ucr.edu/~anirban/Anir-networking07.pdf" target="_blank">Is someone tracking P2P users</a>]. <em>It seems that this AS, which is not really concerned about P2P traffic emanating from within its systems, traffic which is potentially used to exchange copyrighted material, is also not interested in paying attention to malware-infected websites hosted within its networks.</em></li>
<li>AS 15169 (Google Inc.) had 590734 sites analyzed and 6046 of them were found to contain malware.</li>
<li>AS 14173 (Photobucket) had zero sites infected out of 399424 sites analyzed.</li>
<li>The largest AS according to connection degree (Level 3 Communications; see <a href="http://www.caida.org" target="_blank">CAIDA&#8217;s AS listing</a>) was hosting 571 infected sites out of 136305 sites analyzed by Google.</li>
<li>AS 7018 (AT&amp;T) was hosting 97 infected sites out of 7947 sites analyzed by Google.</li>
<li>AS 701 (Verizon) was hosting 117 infected sites out of 7248 sites analyzed by Google.</li>
<li>AS 1239 (Sprint) was hosting 117 infected sites out of 3958 sites analyzed by Google.</li>
</ol>
<h3>Making Sense of the Results</h3>
<p>Below we present some graphs to highlight the percentage of blacklisted websites hosted by the top few ASes. Note that all AS rankings below are based on the number of websites analyzed by Google: an AS with rank 1 hosts more websites analyzed by Google than an AS with rank 2.</p>
<div class="gallery">
<div id="attachment_912" class="wp-caption aligncenter" style="width: 310px"><a rel="attachment wp-att-912" href="http://www.stopthehacker.com/wp-content/uploads/2010/01/greater-than-10k-and-greater-than-6-percent.jpeg" title="ASes hosting greater than 10,000 sites and with more than 6% of them Blacklisted"><img class="size-medium wp-image-912" title="ASes hosting greater than 10,000 sites and with more than 6% of them Blacklisted" src="http://www.stopthehacker.com/wp-content/uploads/2010/01/greater-than-10k-and-greater-than-6-percent-300x139.jpg" alt="Nearly 50 ASes host at least 600 blacklisted sites each" width="300" height="139" /></a><p class="wp-caption-text">Nearly 50 ASes host at least 600 blacklisted sites each</p></div>
<div id="attachment_903" class="wp-caption aligncenter" style="width: 310px"><a rel="attachment wp-att-903" href="http://www.stopthehacker.com/wp-content/uploads/2010/01/top-10-as.jpeg" title="Percentage of blacklisted sites hosted by the 10 largest ASes "><img class="size-medium wp-image-903" title="Percentage of blacklisted sites hosted by the 10 largest ASes " src="http://www.stopthehacker.com/wp-content/uploads/2010/01/top-10-as-300x206.jpg" alt="Top 10 ASes host large percentages of blacklisted sites" width="300" height="206" /></a><p class="wp-caption-text">Top 10 ASes host large percentages of blacklisted sites</p></div>
</div>
<p><span id="more-898"></span></p>
<h3>ASes hosting more than 10,000 sites (each having more than 6% infected sites)</h3>
<p>Below is the list of ASes which host more than 10,000 sites each and for which at least 6% (600) of those sites are blacklisted by Google. Perhaps more attention needs to be focused on fighting malware from within these ASes. There are quite a few prominent web-hosting companies in this list. Note that all ASes below are ranked based on the number of websites analyzed by Google: an AS which appears earlier in the list hosts more websites analyzed by Google than an AS which appears later in the list.</p>
<pre class="brush: plain; title: ; notranslate">
ASN             Name	Country
21844           ThePlanet.com Internet Services, Inc.
4837            CNC
11798           Bluehost Inc. US
4812            CABLENETSWISS-HITTNAU Cablenetswiss	CH
26347           New Dream Network, LLC	US
29629           INETWORK-AS IEUROP AS	FR
32244           Liquid Web, Inc.	US
16265           LEASEWEB LEASEWEB AS	NL
3786            LGDACOM LG DACOM Corporation	KR
3595            Global Net Access, LLC	US
32392           Ecommerce Corporation	US
32613           iWeb Technologies Inc.	CA
4847            CNIX
33182           HostDime.com, Inc.	US
21788           Network Operations Center Inc.	US
38356           TIMENET BeiJing Sincerity-times Network Technology Project Ltd.	CN
15244           Lunar Pages	US
25074           INETBONE-AS INET-People Provider Services	DE
25532           MASTERHOST-AS .masterhost autonomous system	RU
30496           Colo4Dallas LP	US
12824           HOMEPL-AS home.pl autonomous system	PL
9929            CNCNET-CN China Netcom Corp.	CN
28753           NETDIRECT AS NETDIRECT Frankfurt, DE
11388           Peer 1 Dedicated Hosting	US
9121            TTNET TTnet Autonomous System	TR
13237           LAMBDANET-AS European Backbone of LambdaNet	EU
9931            CAT-AP The Communication Authoity of Thailand, CAT	TH
46475           Limestone Networks, Inc.	US
29671           SERVAGE Servage GmbH	DE
15685           Casablanca INT Autonomous system	CZ
39392           SUPERNETWORK-AS SuperNetwork s.r.o.	CZ
8342            RTCOMM-AS RTComm.RU Autonomous System	RU
34104           TELETEK-AS TELETEK TELEKOMINIKASYON HIZMETLERI A.S	TR
42910           SADECEHOSTING-COM Sadecehosting-Com	TR
8358            INTERWARE-AS InterWare Autonomus System	HU
25653           FortressITX	US
26277           A+ Hosting, Inc.	US
12363           DADA-AS DADA S.p.a.	IT
23352           Server Central Network	US
17964           DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.	CN
24400           CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.	CN
30176           Priority Colo	CA
4750            CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company Limited.	TH
32181           GigeNET	US
27823           Dattatec.com	AR
16557           Colo Solutions, Inc.	US
5617            TPNET Polish Telecom's commercial IP network	PL
39561           AGAVA Agava JSC AS number	RU
19318           NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC	US
9848            GNGAS Enterprise Networks	KR
</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.stopthehacker.com/2010/01/01/profiling-autonomous-systems-hosting-blacklisted-websites/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

