A lot has been publicized regarding malicious hosts, both by myself and many others. Of course, in the cybercrime world, along with running campaigns to infect you, the criminals are also fighting with each other, each trying to outdo the rest.
ASs such as AlfaHost (AS50793), Ecatel (AS29073), GlobalNET (AS42560), VLineTelecom (AS39150), ALTNET-LV (AS41390), Akrino Inc (AS44571) and VolgaHost (Bondarenko Dmitriy Vladimirovich, AS29106), to name but a few, are all at the top of the leaderboard for hosting the most active rogue, malware/exploit and botnet C&C servers, for example (excluding compromised sites). However, the biggest problem with these ASs isn't actually the ASs themselves - the biggest problem is RIPE, the registry that leases the IP ranges to these criminals.
Taking down an entire AS is no mean feat, but it is something RIPE could do in an instant. Quite why they're letting this continue is puzzling - but the likely reason is money.
To take GlobalNet as just one example, they are by far one of the most active for the distribution of fake scanner websites and the payload servers for fake AVs. They're not even exactly trying to hide this. For example, pick any IP on 184.108.40.206/24 or 220.127.116.11/24, just two of their ranges (not the only ones with malicious content by any stretch, but they are the most active of the lot) - and you'll find a rogue living there. All they're doing is moving it to the next IP in the range periodically. RIPE could quite easily put a stop to this instantly, so why aren't they?
Just a small example of maliciousness that's been seen at GlobalNet includes;
AlfaHost and VolgaHost, just two ASs that are 100% malicious, could quite easily be taken offline if RIPE revoked their ranges, making things a lot easier for the public (albeit in the short term, until they found another range), so why aren't they?
I've tried asking RIPE this question myself, but my questions have gone ignored, so evidently it's going to take someone with a lot more influence than myself to get them to explain themselves.
It should be noted, as I didn't make it clear, that RIPE aren't the only registry that issue IP ranges; there are a few others, such as ARIN. RIPE just happen to be the associated registry in this case.