A technical paper by Fraser Howard, SophosLabs, UK
4.3 Countries hosting Blackhole
The countries where Blackhole was being hosted were then analysed. Sites known to have hosted the exploit kit in the past 3 months were used in this analysis. At the time of this analysis, approximately 60% of the domain names failed to resolve to an IP address, and so no host country could be determined. The country distribution for the remaining 40% is illustrated in Figure 16.
Figure 16: Countries where Blackhole has been hosted during the past 3 months (excludes sites for which the host country could not be determined).
As you can see, the bulk of host sites are supplied by hosting providers in Russia and the US. This contrasts with the picture we see in similar data for all web threats, where the US dominates with approximately 50% and Russia is not even placed within the top 10.
The volume of Blackhole hosted on compromised sites (Section 4.5) is currently estimated to be fairly small. However, if this increases, then the above distribution would change (it would tend towards the distribution expected for all web threats).