Feed

Measuring the Lifecycles of Malicious Domains

Posted on May 23rd, 2012 in Domain News by dglosser

Interesting article found here….  From the abstract:

…we present preliminary results from
on-going experiments we are conducting to track the lifetime of
malicious domains. Studying the lifecycles of malicious domain
names will provide insight into the many classes of criminal
networks that depend on DNS, and inspire the development of
new, more effective countermeasures.”

 

Some highlights:

  • the number of resurrected domains gravitates around 200 everyday revealing a number of domains that are intermittently inactive, which could potentially be an evasion mechanism or a correlating characteristic of instability
  • Contrary to our intuition …  many of the [malicious] domains are long-lived and more domains are being introduced than are dying.

We’ve noticed and tracked  many of the   “immortal” malware domains  but haven’t done any research into “resurrected”, or intermittently inactive/active domains. Hmmm

Again, we encourage research using our blocklists and have set up a mirror dedicated to open source projects and scholarly research.  All we  ask that you let us know about such research

Check your download scripts ASAP

Posted on April 29th, 2012 in Domain News,mirror by dglosser

Check your download scripts ASAP….

Too many users are STILL pointing to the main www site for the zone files, which have not been here for MONTHS…

PLEASE update your scripts to pull from one of the download mirrors. DO NOT point to the www (blog) site  as there is nothing to download.

 

Adblock Plus Issue

Posted on April 24th, 2012 in New Domains by dglosser

We realize there are problems with the Adblock Plus subscriptions. The issue is being looked at and should be resolved soon.

The Suspicious Domains List at SANS

Posted on April 18th, 2012 in Domain News by dglosser

After some maintenance downtime, the Suspicious Domains lists at https://isc.sans.edu/tools/suspicious_domains.html have been re-launched. This project was developed by handler Jason Lam and is an effort to assemble weighted lists of suspicious domains based on tracking, malware and other sources

.

 

 

List revalidation: 1700+ domains removed

Posted on April 3rd, 2012 in Domain News,Removed Domains by dglosser

We just reevaluated 1824 domains… 1720 were removed,  79 were STILL actively blacklisted by google after many months and were added our  “immortal” list.

List of removed domains is: http://mirror2.malwaredomains.com/files/removed-domains-20120402.txt

List of “immortal” malware domains:  http://mirror2.malwaredomains.com/files/immortal_domains.txt

 

 

List Recertification: Over 1300 Domains Removed

Posted on February 25th, 2012 in Domain News,Removed Domains by dglosser

Over 1300 domains have been delisted.   Please update your blocklists

Reminders:

  • the main site does not contain any zone files. Please download files from one our our download mirrors
  • Pull ONLY the file you need – there is no need to pull every zone file!  Abusers will be banned!
  • Anyone pulling files more than every 12 hours will be banned!
  • We also have a mirror dedicated to research and Open Source Projects – contact us for details.
  • Please use the “datestamp” and “timestamp” file to determine if the list has been updated and ONLY pull the files you need – abusers will be banned! Use the “wget -N”!

Mirror is Back Online (also new mirror)

Posted on February 15th, 2012 in Domain News by dglosser

mirror2.malwaredomains.com is back up – direct access to the zone files is working but things like displaying directory indices is a work-in-progress.

We are also testing another mirror  –  compressed full zone files only  –  located at  http://www.malware-domains.com/ (note the dash)

Please give it a try and let us know…

 

 

mirror2.malwaredomains.com temporarily down

Posted on February 14th, 2012 in Domain News by dglosser

mirror2.malwaredmains.com is temporarily down; we will update you once it is back up.  In the meantime, please use one of the other mirrors or contact us for details regarding the mirror handling only compressed files.

 

Guy Bruneau’s DNS Sinkhole Script – Fixes & Updates

Posted on January 21st, 2012 in Domain News by dglosser

Guy has updated his DNS Sinkhole Scripts. More info here.  Also check out his DNS Sinkhole ISO.

Immortal Malware Domains

Posted on January 4th, 2012 in Domain News,immortal,Removed Domains by dglosser

We recently revalidated about 800 long-lived, “immortal” malware domains.

These are domains which were identified as malicious anywhere between 90 and 360 days ago. but according to google safebrowsing, are still actively involved in badness.
Some of these domains have been on the DNS-BH List for YEARS.

Of these 800 domains,  55 were removed. That means that 745, or over 93%, are still actively associated with malware.

List of removed (non immortal?) domains:  removed-domains-20120104.txt

List of “the immortals: immortal_domains.txt

A “psychohistory” of these long-lived malicious domains would be interesting and we’d be happy to help with any of those research efforts.

745 still “immortal”
55 removed