A Ukrainian hosting provider struck by fire last weekend had been taking steps in recent months to cleanse its network of servers used by cybercriminals, according to a security expert.
Hosting.ua, based in Odessa, Ukraine, reportedly experienced a fire on March 27 that destroyed part of its infrastructure. The main Web page for the provider was still offline as of Wednesday, and efforts to reach officials there by e-mail and phone were unsuccessful.
Hosting.ua ranked fourth on a list of bad providers at the end of last year for hosting servers that supported spam, malware and other nefarious activity, according to a security researcher who uses the pseudonym Jart Armin. He edits the Web site HostExploit.com, which tracks how malicious software propagates across the Internet.
But Hosting.ua, which hosted upwards of 500,000 Web sites, has improved over the last three months. Armin said HostExploit’s latest study, due to be released on Thursday, shows Hosting.ua comes in at No. 381 among some 36,000 hosting providers that HostExploit scans for malicious activity.
“Actually, we have seen that [bad activity] has gone,” Armin said.
The effort to clean up its network may have come as the result of increased pressure from law enforcement agencies and other stakeholders. Hosting crimeware servers is bad for business, and once identified, it can make it more difficult for a hosting provider to do legitimate business, Armin said.
If a hosting provider allows harmful Web sites, it is possible that its IP (Internet Protocol) range will end up on blacklists used by system administrators to block users from going to those sites. But the blacklists may also block legitimate Web sites hosted by the company as well.
Since the fire, a few of the bad Web sites that used Hosting.ua have now migrated to hosting providers in the U.S., Armin said. It’s further evidence of how cybercriminals have built redundant networks in case one has a problem, he said.
As far as the fire, Armin said sources within the Ukraine believe the fire alarm may have been intentionally disconnected, indicating possible arson.