Oct 27, 2010 14:55 GMT

According to a report from security vendor Damballa, over half of the world's botnet command and control (CnC) servers are hosted by Internet service providers in the US, Germany and France.

Botnets are the biggest Internet threat at the moment, and they are powerful and flexible in the illegal activities they can perform.

These armies of infected computers are used to launch crippling Distributed Denial of Service (DDoS) attacks, send billions of spam emails every day, deliver targeted malware to computers in specific regions, as well as for more complex tasks.

In one case we covered in July, a botnet was used in almost every step of a check counterfeiting operation.

This involved crawling repositories for check scans, posting fake job offers on recruitment sites and registering email accounts en masse.

The CnC server is one of the key elements of every botnet, because without a place to control it from, a botnet is like a ship dead in the water.

As it turns out, the majority of these CnC servers are located in countries with strong enforcement of anti-cybercrime legislation.

"Half of the servers used by cyber-criminals for the purpose of controlling their botnet empires are located in commercial hosting facilities within countries not traditionally associated with this kind of crime," notes Gunter Ollmann, vice-president of research at Damballa, a company specializing in botnet detection and monitoring.

"[…] The ability to host a server is typically independent of where the criminals are actually located and the type of victims they are trying to capture," he explains.

According to statistics compiled by the security vendor, 23.9% of botnet CnC servers are hosted in the US, 17.9% in Germany and 8.6% in France.

The top ten botnet CnC server hosting countries are rounded out by Italy (6.4%), Russia (4.2%), China (3.5%), the UK (3.1%), the Netherlands (2.2%), Canada (2.0%) and Taiwan (2.0%).

The worst-offending ISP is 1&1 Internet AG from Germany, which is responsible for hosting one in every ten botnet CnC servers.

Ironically, the company is one of the sponsoring members of the government-backed Anti-Botnet Initiative in Germany.

The second most botnet-CnC-friendly ISP is the French OVH. This is followed by the Italian Aruba S.p.A. and the US-based AT&T Internet Services.

"It is important to note that there is no evidence that the ISPs and hosting providers listed in the top-10 are conducting criminal practices, but they have found themselves in the position of being unwitting hosts for the criminals operating the botnets," Ollmann concludes.