DNS-BH – Malware Domain Blocklist

Occasionally this list is used as part of research into malware and domain security.   Please drop us a note if you find such a reference in an article or presentation; if you are the author, let us know.

Two papers we’ve become aware of:

Understanding the Prevalence and Use of Alternative Plans in Malware with Network Games - http://www.cc.gatech.edu/~ynadji3/docs/pubs/gzaraid2011.pdf

A Demonstration of DNS3: a Semantic-Aware DNS Service – http://iswc2011.semanticweb.org/fileadmin/iswc/Papers/PostersDemos/iswc11pd_submission_106.pdf

A few people have mentioned that we should consider compressing the files on our servers and have the end-user uncompress them

If you are willing to test this, please contact us and we’ll point you to a dedicated server.  The files will be in zip format. Thanks.

Added 64 buterat,  sql injection and other malicious domains. Sources include amada.abuse.ch, www.siteadvisor.com, support.clean-mx.de

(Every source is  listed in the domains.txt file)

Reminder:  The zone and text files are ONLY be available from a mirror and are not available from  the main site!!

Please help to keep this site free and donate whatever you can:  All donations go to hosting and infrastructure costs.

These malware block lists provided here are for free for noncommercial use as part of the fight against malware.   Any use of this list commercially is strictly prohibited without prior approval.

Yearly sponsorships are available. Full acknowledgment, an icon, and link back to your site will be placed in the left sidebar.

Domains.txt file is the complete list along with original reference.
Justdomains contains list of only the domain names.

BOOT file is in MS DNS format. spywaredomains.zones file is in BIND format.

Also Available in AdBlock, ISA, and MaraDNS formats.

A trusted source on the WOT-the Web of Trust . Used by SURBL, MOREnet, SANs, and others…

The fine folks at it-mate.co.uk have set up a new mirror for us.

mirror2.malwaredomains.com

Please test. Also, please remember to use the datestamp or timestamp files to check  if there’s a new file BEFORE downloading any other files.

Here is a shell script someone has written to do just that: update-blackhole.sh. Please test it, improve upon it, etc.

We are also discussing internally options like bittorrent, jigdo, serving info via DNS, serving only the updates,  compressing the files via gzip or bz2, etc.

We are truly appreciative and humbled by the support we’ve received. (Except for the one site which was using our files as part of a “speed test” – no thanks for you) …

How can a single ip address download 100 MB in a 24 hour period??

How come we have dozens of ip addresses doing this??

These ip addresses have been blocked.

The files datestamp and timestamp were set up to increment whenever a new file is loaded.   Please use them.

Again, p-l-e-a-s-e limit your downloads to once every 12 hours or your ip address will be banned.

We are finding many hourly (or more often) pulls of our zone and text files.  Please limit all automated downloads to once every 12 hours or the ip address will be banned. We cannot afford the bandwidth costs!

The new mirror seems to be up, DNS will take a while to finish pointing to the new server… Please test and let us know if things are working. Thanks.

We are setting up a new mirror. It will take a while for DNS to propagate. Details to follow…

Our clueless hosting provider for the main mirror refuses to acknowledge that there’s a problem on their end. They are blaming (a) internet explorer, (b) our ISP, (c) the internet.

We explained that the problems happens in multiple browsers. We explained that we’ve tried from different ISPs. etc.

Time to find a new web host for the main mirror.

No scripts, a lot of static files, a lot of downloads and a lot bandwidth is needed. Low-cost, as all hosting costs are out-of-pocket.

Any suggestions are welcome.