An Empirical Analysis of Malware Blacklists

Alongside the many benefits the Internet has brought us over the years, a great deal of suspicious and malicious activity also takes place on it. Attackers constantly develop new techniques to compromise computer systems, and many malicious servers on the Internet host, for example, exploits, drive-by download toolkits, or malicious software. We want to track the network locations of these malicious servers by analyzing different kinds of blacklists that list suspicious servers. In this article, we present the design and implementation of our blacklist parser system, which tracks 49 different blacklists. In the first 80 days of running the system, we collected more than 2.2 million distinct blacklist entries and more than 410,000 distinct URLs. Besides discussing the design, we also give an overview of the first empirical results from analyzing the collected data. In the future, we plan to extend the system so that it provides a comprehensive overview of malicious activities on the Internet.
