Over the last couple of days there have been reports that "Vietnam is a haven of malware" with "more than half of [the .vn domains] hosting malware" and that the ISP "1&1" accounts for one in 10 botnet Command & Control (C&C) hosts.

Now these are not the same complaint, but they are similar, and I thought it might be interesting to see what is in the ThreatSTOP database for both. The results are interesting.

[I got the 1&1 address space from a lookup at Hurricane Electric of AS 8560, and I took the Vietnam address space from MaxMind's GeoLite Country database.]

In raw numbers 1&1 pips Vietnam, but the two are pretty similar. For recently active addresses (addresses that have been found to be bad since October 1), 1&1 has 100 entries whereas Vietnam has 91. However, the 1&1 entries include 34 entries on the "parasites" list, which is generally less bad than our other feeds, whereas Vietnam has just one. On the other hand, 1&1 has 19 live C&C hosts identified by ShadowServer plus one ZeuS C&C host, while Vietnam has just 4 identified by ShadowServer and one ZeuS. 1&1 also has a number of phishing sites while Vietnam has none, which is somewhat surprising, as phishing sites typically morph into malware droppers and vice versa, and Vietnam, we are told, is a haven for malware-infected websites.

Just for comparison, the large French ISP SFR-neuf-cegetel has 14 recently active IP addresses, including two ShadowServer C&C hosts and no ZeuS ones, which suggests that yes, in absolute terms, both 1&1 and Vietnam are indeed bad.
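The kind of tally used in this comparison can be reproduced against any blocklist export. The following is an added example, not ThreatSTOP's own tooling: it counts recently active entries per address space and per feed. The prefixes (RFC 5737 documentation ranges), feed names, entries and the year in the dates are all constructed for illustration.

```python
import ipaddress
from collections import Counter
from datetime import date

# Constructed address spaces (RFC 5737 documentation ranges), standing in for
# an AS prefix list and a GeoIP country block list.
ADDRESS_SPACES = {
    "isp_as": ["192.0.2.0/24", "198.51.100.0/25"],
    "country": ["203.0.113.0/24", "198.51.100.128/25"],
}

# Constructed feed entries: (ip, feed name, date last seen bad).
FEED_ENTRIES = [
    ("192.0.2.10", "cnc", date(2012, 10, 3)),
    ("192.0.2.77", "parasites", date(2012, 10, 9)),
    ("198.51.100.5", "phishing", date(2012, 10, 2)),
    ("198.51.100.9", "cnc", date(2012, 8, 15)),      # stale: before cutoff
    ("203.0.113.40", "cnc", date(2012, 10, 5)),
    ("198.51.100.200", "parasites", date(2012, 10, 1)),
    ("10.1.2.3", "cnc", date(2012, 10, 4)),          # outside both spaces
]


def build_index(spaces):
    """Parse prefix strings once; returns {label: [ip_network, ...]}."""
    return {label: [ipaddress.ip_network(p) for p in prefixes]
            for label, prefixes in spaces.items()}


def tally(entries, spaces, cutoff):
    """Count recently active bad IPs per address space and per feed."""
    index = build_index(spaces)
    counts = {label: Counter() for label in index}
    seen = set()  # de-duplicate (ip, feed) pairs so repeats do not inflate totals
    for ip_text, feed, last_seen in entries:
        if last_seen < cutoff or (ip_text, feed) in seen:
            continue
        seen.add((ip_text, feed))
        ip = ipaddress.ip_address(ip_text)
        for label, networks in index.items():
            if any(ip in net for net in networks):
                counts[label][feed] += 1
    return counts


if __name__ == "__main__":
    for label, by_feed in tally(FEED_ENTRIES, ADDRESS_SPACES, date(2012, 10, 1)).items():
        print(label, sum(by_feed.values()), dict(by_feed))
```

Breaking the count out per feed matters because a raw total hides the mix of severities, such as "parasites" entries versus live C&C hosts.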

A PDF with the raw output data is here: Vietnam_vs_1and1

PS: Over the last 4 years that ThreatSTOP has been gathering data, IP addresses in the Vietnam list have 966 hits while 1&1 has 1286. However, I consider this data to be suspect since various IP address ranges have been reassigned in that time.