In an email discussion over the weekend (which was based in part on this post by Brian Krebs) about the distributors of malware it was noted that much of it came from one particular AS - AS49469 Sa Nova Telecom Grup SRL. As is usually the case when I get this kind of email I take a look at our database to see what we know about the subject. In this case I discovered that AS49469 is one of the 64 ASes whose IP address ranges are completely covered by one or more of our blocklists.
This is an interesting group to be in, and I may do some more analysis of it over time, but for today I will just note that AS49469 is arguably only the third-worst AS of the lot. It has a very small number of associated IPs (2816), yet it manages to rack up a total of 62 entries across 7 different feeds in our database, broken down as follows:
DSHIELD Top 4000: 2 entries
Spamhaus Don't Route or Peer: 9 entries
Parasites, Hijackers and Spyware Domains: 9 entries
ZeuS Blocklist: 6 entries
Autoshun Block List: 2 entries
Malware Domain List: 27 entries
Russian Business Network: 7 entries
That's an impressive achievement (in a bad way), but it doesn't quite make it the winner. The broadest range of hits goes to a very small AS - AS48709 XISOFT SRL, which manages to notch up 22 separate reports in 8 lists for just 512 addresses:
DSHIELD Top 4000: 1 entry
Spamhaus Don't Route or Peer: 1 entry
Parasites, Hijackers and Spyware Domains: 1 entry
Autoshun Block List: 6 entries
SpyEye Blocklist: 4 entries
Malware Domain List: 6 entries
Russian Business Network: 2 entries
AMaDa C&C IP Blocklist: 1 entry
In the interests of completeness, the 'silver medal' position goes to AS51699 Antarktida-Plus LLC, which has a mere 256 addresses and also manages to notch up 8 separate lists, but with half the number of total hits (11):
DSHIELD Top 4000: 1 entry
Spamhaus Don't Route or Peer: 1 entry
ZeuS Blocklist: 1 entry
Autoshun Block List: 1 entry
SpyEye Blocklist: 2 entries
Malware Domain List: 3 entries
Russian Business Network: 1 entry
VOIP Abuse Blocklist: 1 entry
I suppose one could argue that since AS49469 is bigger it is worse than the other two, and perhaps it will manage to notch up a few more hits in the next few days and overtake them, but for right now we'll leave it at #3. Not that it really matters as far as the rest of the world is concerned: no computer anywhere should ever communicate with any of the IP addresses of these 3 ASes.
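To make the yardstick used above concrete, here is an added example (not the post's own code or database) that checks whether an AS's announced prefixes are completely covered by blocklist entries, tallies hits and distinct feeds per AS, and ranks them the way the post does (most lists first, then most hits). The AS labels, prefixes and feed rows are constructed sample data using RFC 5737 test ranges, not the real announcements of the ASes named above.

```python
import ipaddress
from collections import Counter

# Constructed: RFC 5737 test prefixes under hypothetical AS labels.
AS_PREFIXES = {
    "AS-A": ["192.0.2.0/24", "198.51.100.0/24"],
    "AS-B": ["203.0.113.0/25"],
    "AS-C": ["203.0.113.128/25"],
}
# Constructed: (feed, listed network) pairs standing in for blocklist rows.
FEED_ENTRIES = [
    ("DROP", "192.0.2.0/24"), ("DROP", "198.51.100.0/24"),
    ("MDL", "192.0.2.10/32"), ("MDL", "192.0.2.11/32"),
    ("ZeuS", "198.51.100.5/32"), ("DROP", "203.0.113.0/25"),
    ("MDL", "203.0.113.7/32"), ("Autoshun", "203.0.113.200/32"),
]

def fully_covered(prefixes, listed_nets):
    """True when every address the AS announces lies inside some listed network."""
    listed = [ipaddress.ip_network(n) for n in listed_nets]
    for prefix in prefixes:
        remaining = [ipaddress.ip_network(prefix)]
        for net in listed:
            nxt = []
            for rem in remaining:
                if rem.subnet_of(net):
                    continue                     # wholly listed: drop it
                if net.subnet_of(rem):
                    nxt.extend(rem.address_exclude(net))  # carve out the listed part
                else:
                    nxt.append(rem)              # disjoint: keep it
            remaining = nxt
        if remaining:                            # some address is on no list
            return False
    return True

def tally(as_prefixes=AS_PREFIXES, feed_entries=FEED_ENTRIES):
    """Per AS: hits per feed, distinct feeds, total hits, address count, coverage."""
    report = {}
    for asn, prefixes in as_prefixes.items():
        nets = [ipaddress.ip_network(p) for p in prefixes]
        hits = Counter(feed for feed, entry in feed_entries
                       if any(ipaddress.ip_network(entry).overlaps(n) for n in nets))
        report[asn] = {"addresses": sum(n.num_addresses for n in nets),
                       "feeds": len(hits), "hits": sum(hits.values()), "per_feed": dict(hits),
                       "fully_covered": fully_covered(prefixes, [e for _, e in feed_entries])}
    return report

def rank(report):
    """Worst first: most distinct feeds, then most total hits (the post's ordering)."""
    return sorted(report, key=lambda a: (report[a]["feeds"], report[a]["hits"]), reverse=True)
```

AS-C in the sample data is deliberately not fully covered: one listed /32 inside its /25 leaves the rest of the range unlisted, which is the case the coverage check has to catch.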