World-wide leader in botnet CnC-hosting according to an Gunter Ollmann, VP Research of security provider Damballa, is the German ISP 1&1 Internet AG.
1&1 headquarters will be relieved to read this:
It is important to note that the ISP’s and hosting providers listed in the top-10 do not necessarily conduct criminal practices, but they have found themselves in a position of being “preferred” by the criminals operating the botnets.
It it surprising to see 1&1 spearheading CnC hosting. The data for a study released earlier this year by my TU Delft colleagues Michel van Eeten, Hadi Asghari et al. reveals that 1&1 is among the best ISPs when it comes to dealing with malware and spam. In that perspective, 1&1 has one of the cleanest ASNs, much better than, say, Deutsche Telekom.
I’ve briefly skimmed through some Gambella papers, but I could find a description of their method to detect CnC servers.