An Empirical Analysis of Malware Blacklists

Marc Kührer, Thorsten Holz

PIK - Praxis der Informationsverarbeitung und Kommunikation. Volume 35, Issue 1, Pages 11–16, April 2012


Besides all the advantages and reliefs the Internet brought us over the years, there are also a lot of suspicious and malicious activities taking place. Attackers are constantly developing new techniques to compromise computer systems. Furthermore, there are many malicious servers on the Internet that host, for example, exploits, drive-by download toolkits, or malicious software. We want to track the network locations of these malicious servers by analyzing di erent kinds of blacklists that provide a listing of suspicious servers.

In this article, we present the design and implementation of our blacklist parser system that tracks 49 di erent blacklists. We have collected more than 2.2 million distinct blacklist entries and more than 410,000 distinct URLs in the rst 80 days of running the system. Besides discussing the design, we also provide an overview of the rst empirical results of analyzing the collected data. In the future, we plan to extend the system such that it provides a comprehensive overview of malicious activities on the Internet.

ISSN (Online) 1865-8342, ISSN (Print) 0930-5157, DOI: 10.1515/pik-2012-0003piko.2012.35.1.11


tags: Blacklist Evaluation, Measurements