BPhoster, Zeus, Fast Flux…

Posted on January 25th, 2012 in New Domains,fastflux,zeus by dglosser

Added 101 domains associated with BPHoster, Zeus, Fast Flux, Hiloti, iceIX. Sources include amada.abuse.ch, exposure.iseclab.org, www.emergingthreats.net (every source is listed in the domains.txt file). Please update your blocklists/sinkhole and review our Terms of Use.

HostExploit – Q4 2011 Top 50 Bad Hosts and Networks

Posted on January 24th, 2012 in General Security by dglosser

Top 50 Bad Hosts & Networks Q4 2011

HostExploit is pleased to present the Q4 2011 report on the Top 50 Bad Hosts and Networks, in collaboration with Russian security company Group-IB.

The final quarter of 2011 saw AS47583 Hosting Media move up to #1 Bad Host, having been well known in the Top 10 for some time. The Lithuanian-based host was found to be supporting some of the worst types of threats including several botnet-related activities such as Zeus as well as C&C servers, exploit servers, phishing servers, malware and badware.

HostExploit analyzed all 39,796 publicly-advertised Autonomous Systems (including web hosts, commercial networks and registrars) with the results represented in a number of ways. Also included are features on the latest threats such as smartphone infections and the “Dirt Jumper” DDoS botnet.

We’ll be examining domains living on AS47583 and other Bad Hosts and adding them to our blocklist, but you should perform your own research and add them as appropriate.

Attention: Endian Firewall Appliance Users

Posted on January 23rd, 2012 in Bandwidth by dglosser

Your appliance is killing our servers!

Please change all references to www.malwaredomains.com/files/spywaredomains.zones (which does not exist and is currently a redirect) to mirror2.malwaredomains.com/files/spywaredomains.zones IMMEDIATELY.

rbackdoor-pihar, bphoster, htaccessredirect domains

Posted on January 22nd, 2012 in New Domains,Trojans,exploit,zeus by dglosser

Added 110 domains yesterday (forgot to post) associated with bphoster, zeus, drivebys, pihar and other badness. Sources include amada.abuse.ch, google safebrowsing, www.spamhaus.org (every source is listed in the domains.txt file).

Reminder: the mirror for compressed zip files is up and running – please contact us for details – right now it has very little usage.

Please help to keep this site free and donate whatever you can. All donations go to hosting and infrastructure costs.

The malware block lists provided here are free for noncommercial use as part of the fight against malware. Any commercial use of this list is strictly prohibited without prior approval.

Please use the “datestamp” and “timestamp” files to determine if the list has been updated and ONLY pull the files you need – abusers will be banned!

Yearly sponsorships are available. Full acknowledgment, an icon, and link back to your site will be placed in the left sidebar.

The domains.txt file is the complete list along with the original reference.
Justdomains contains a list of only the domain names.

BOOT file is in MS DNS format. spywaredomains.zones file is in BIND format.

Also available in AdBlock, ISA, and MaraDNS formats.

A trusted source on WOT, the Web of Trust. Used by SURBL, MOREnet, SANS, and others…

Download Abuse

Posted on January 22nd, 2012 in New Domains by dglosser

Some bandwidth abuse statistics for Jan 1 – Jan 22, 2012:

One IP in 50.56.126.x range = 1.3 GB data downloaded
One IP in 173.60.198.x range = 1.1 GB data downloaded
One IP in 85.18.188.x range = 1.0 GB data downloaded

You are all blocked — and will remain blocked — until you kindly explain how you managed to download a GB of this data in 22 days and contribute to the bandwidth costs which you have so selfishly abused.

Guy Bruneau’s DNS Sinkhole Script – Fixes & Updates

Posted on January 21st, 2012 in Domain News by dglosser

Guy has updated his DNS Sinkhole Scripts. More info here. Also check out his DNS Sinkhole ISO.

EFFORT: Efficient and Effective Bot Malware Detection

Posted on January 20th, 2012 in General Security by dglosser

A research paper using our data:

EFFORT: Efficient and Effective Bot Malware Detection – http://faculty.cs.tamu.edu/guofei/paper/Shin_Infocom12_EFFORT.pdf

Again, we encourage research using our data, but please let us know so we can reference it here.

Another Huge Update: 220+ Ramnit, Rogue, Zbot Domains

Posted on January 19th, 2012 in New Domains,Trojans,rogue antivirus,zlob by dglosser

Added over 220 domains associated with zbot-bgz, rogue, ramnit and other badness. Sources include contagiodump.blogspot.com (thanks Kevin), www.sophos.com. Please update your blocklists/sinkhole according to our Terms of Use.

Black Hole Exploit Kit Domains, BPHoster, sykipot

Posted on January 17th, 2012 in BH Exploit Kit,New Domains,Trojans,malspam,malvertising by dglosser

Added 111 domains associated with BPHoster, Sykipot, malvertising, BH Exploit Kit, and others. Sources include symantec.com, malwaredomainlist.com, isc.sans.org, amada.abuse.ch (every source is listed in the domains.txt file).

HUGE Update: Ramnit and Redret malspam domains

Posted on January 14th, 2012 in BH Exploit Kit,New Domains,Trojans,malspam by dglosser

Ramnit is Zeus-like malware with rootkit capabilities. Seculert has a nice write-up about a financial variant which steals Facebook credentials. According to Contagio, samples are being spread via Blackhole exploit kit.

We’ve added over 200 Ramnit domains (thanks Kevin). As a bonus, 29 more “Redret” malspam domains from dynamoo have also been added to our malware blacklist. Please update your blocklists/sinkhole and please review our Terms of Use.