Skip to main content
SpringerLink
Log in
Book cover

International Workshop on Recent Advances in Intrusion Detection

RAID 2014: Research in Attacks, Intrusions and Defenses pp 1–21Cite as

Paint It Black: Evaluating the Effectiveness of Malware Blacklists

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8688))

Abstract

Blacklists are commonly used to protect computer systems against the tremendous number of malware threats. These lists include abusive hosts such as malware sites or botnet Command & Control and dropzone servers to raise alerts if suspicious hosts are contacted. Up to now, though, little is known about the effectiveness of malware blacklists.

In this paper, we empirically analyze 15 public malware blacklists and 4 blacklists operated by antivirus (AV) vendors. We aim to categorize the blacklist content to understand the nature of the listed domains and IP addresses. First, we propose a mechanism to identify parked domains in blacklists, which we find to constitute a substantial number of blacklist entries. Second, we develop a graph-based approach to identify sinkholes in the blacklists, i.e., servers that host malicious domains which are controlled by security organizations. In a thorough evaluation of blacklist effectiveness, we show to what extent real-world malware domains are actually covered by blacklists. We find that the union of all 15 public blacklists includes less than 20% of the malicious domains for a majority of prevalent malware families and most AV vendor blacklists fail to protect against malware that utilizes Domain Generation Algorithms.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: De-Cloaking Internet Malware. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP 2012, pp. 443–457. IEEE Computer Society, Washington, DC (2012)

    Chapter  Google Scholar 

  2. Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, I.N., Dagon, D.: Detecting Malware Domains at the Upper DNS Hierarchy. In: Proceedings of the 20th USENIX Conference on Security, SEC 2011, p. 27. USENIX Association, Berkeley (2011)

    Google Scholar 

  3. Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., Dagon, D.: From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, p. 24. USENIX Association, Berkeley (2012)

    Google Scholar 

  4. Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis. In: 18th Annual Network and Distributed System Security Symposium. The Internet Society, San Diego (2011)

    Google Scholar 

  5. Rossow, C., Dietrich, C., Bos, H.: Large-Scale Analysis of Malware Downloaders. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 42–61. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  6. Kührer, M., Holz, T.: An Empirical Analysis of Malware Blacklists. Praxis der Informationsverarbeitung und Kommunikation 35(1), 11–16 (2012)

    Article  Google Scholar 

  7. Microsoft Corp.: Citadel Botnet (2014), http://botnetlegalnotice.com/citadel

  8. Abuse.ch Malware Trackers (2014), http://www.abuse.ch/

  9. CyberCrime Tracker (2014), http://cybercrime-tracker.net

  10. Malc0de.com (2014), http://malc0de.com/

  11. Malware Domain List (2014), http://www.malwaredomainlist.com/

  12. Malware-Domains (2014), http://www.malware-domains.com/

  13. Shadowserver: Botnet C&C Servers (2014), http://rules.emergingthreats.net

  14. Shalla Secure Services (2014), http://www.shallalist.de/

  15. URLBlacklist (2014), http://urlblacklist.com/

  16. Kleissner & Associates (2014), http://virustracker.info/

  17. Bitdefender TrafficLight (2014), http://trafficlight.bitdefender.com/

  18. BrowserDefender (2014), http://www.browserdefender.com

  19. McAfee SiteAdvisor (2014), http://www.siteadvisor.com/

  20. Norton Safe Web (2014), http://safeweb.norton.com/

  21. Kührer, M., Rossow, C., Holz, T.: Paint it Black: Evaluating the Effectiveness of Malware Blacklists. Technical Report HGI-2014-002, University of Bochum - Horst Görtz Institute for IT Security (June 2014)

    Google Scholar 

  22. Li, Z., Alrwais, S., Xie, Y., Yu, F., Wang, X.: Finding the Linchpins of the Dark Web: A Study on Topologically Dedicated Hosts on Malicious Web Infrastructures. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP 2013, pp. 112–126. IEEE Computer Society, Washington, DC (2013)

    Chapter  Google Scholar 

  23. Halvorson, T., Szurdi, J., Maier, G., Felegyhazi, M., Kreibich, C., Weaver, N., Levchenko, K., Paxson, V.: The BIZ Top-Level Domain: Ten Years Later. In: Taft, N., Ricciato, F. (eds.) PAM 2012. LNCS, vol. 7192, pp. 221–230. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  24. Halvorson, T., Levchenko, K., Savage, S., Voelker, G.M.: XXXtortion?: Inferring Registration Intent in the. XXX TLD. In: Proceedings of the 23rd International Conference on World Wide Web, WWW 2014, pp. 901–912. International World Wide Web Conferences Steering Committee, Geneva (2014)

    Chapter  Google Scholar 

  25. Farsight Security, Inc.: DNS Database (2014), https://www.dnsdb.info/

  26. Alexa Internet, Inc.: Top 1M Websites (2013), http://www.alexa.com/topsites/

  27. Damerau, F.J.: A Technique for Computer Detection and Correction of Spelling Errors. Commun. ACM 7(3), 171–176 (1964)

    Article  Google Scholar 

  28. RapidMiner, Inc. (2014), http://rapidminer.com/

  29. Hofmann, T., Schölkopf, B., Smola, A.J.: Kernel Methods in Machine Learning. Annals of Statistics 36, 1171–1220 (2008)

    Article  MATH  MathSciNet  Google Scholar 

  30. Rossow, C., Dietrich, C.J., Kreibich, C., Grier, C., Paxson, V., Pohlmann, N., Bos, H., van Steen, M.: Prudent Practices for Designing Malware Experiments: Status Quo and Outlook. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP 2012. IEEE Computer Society, San Francisco (2012)

    Google Scholar 

  31. Rossow, C., Dietrich, C.J., Bos, H., Cavallaro, L., van Steen, M., Freiling, F.C., Pohlmann, N.: Sandnet: Network Traffic Analysis of Malicious Software. In: Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, BADGERS 2011, pp. 78–88. ACM, NY (2011)

    Chapter  Google Scholar 

  32. Dietrich, C.J., Rossow, C., Pohlmann, N.: CoCoSpot: Clustering and Recognizing Botnet Command and Control Channels using Traffic Analysis. Comput. Netw. 57(2), 475–486 (2013)

    Article  Google Scholar 

  33. Rossow, C., Dietrich, C.J.: ProVeX: Detecting Botnets with Encrypted Command and Control Channels. In: Rieck, K., Stewin, P., Seifert, J.-P. (eds.) DIMVA 2013. LNCS, vol. 7967, pp. 21–40. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  34. VirusTotal (2014), http://www.virustotal.com/

  35. Rossow, C., Andriesse, D., Werner, T., Stone-Gross, B., Plohmann, D., Dietrich, C.J., Bos, H.: P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP 2013, pp. 97–111. IEEE Computer Society, Washington, DC (2013)

    Chapter  Google Scholar 

  36. Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: De-cloaking Internet Malware. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP 2012, pp. 443–457. IEEE Computer Society, Washington, DC (2012)

    Chapter  Google Scholar 

  37. Rahbarinia, B., Perdisci, R., Antonakakis, M., Dagon, D.: SinkMiner: Mining Botnet Sinkholes for Fun and Profit. In: 6th USENIX Workshop on Large-Scale Exploits and Emergent Threats. USENIX, Berkeley (2013)

    Google Scholar 

  38. Thomas, K., Grier, C., Ma, J., Paxson, V., Song, D.: Design and Evaluation of a Real-Time URL Spam Filtering Service. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP 2011, pp. 447–462. IEEE Computer Society, Washington, DC (2011)

    Chapter  Google Scholar 

  39. Sinha, S., Bailey, M., Jahanian, F.: Shades of Grey: On the effectiveness of reputation-based “blacklists”. In: 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, pp. 57–64 (2008)

    Google Scholar 

  40. Rossow, C., Czerwinski, T., Dietrich, C.J., Pohlmann, N.: Detecting Gray in Black and White. In: MIT Spam Conference (2010)

    Google Scholar 

  41. Dietrich, C.J., Rossow, C.: Empirical Research on IP Blacklisting. In: Proceedings of the 5th Conference on Email and Anti-Spam, CEAS (2008)

    Google Scholar 

  42. Sheng, S., Wardman, B., Warner, G., Cranor, L.F., Hong, J., Zhang, C.: An Empirical Analysis of Phishing Blacklists. In: Proceedings of the Sixth Conference on Email and Anti-Spam (2009)

    Google Scholar 

  43. Neugschwandtner, M., Comparetti, P.M., Platzer, C.: Detecting Malware’s Failover C&C Strategies with Squeeze. In: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC 2011, pp. 21–30. ACM, NY (2011)

    Google Scholar 

  44. Stone-Gross, B., Kruegel, C., Almeroth, K., Moser, A., Kirda, E.: FIRE: FInding Rogue nEtworks. In: Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC 2009, pp. 231–240. IEEE Computer Society, Washington, DC (2009)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany

    Marc Kührer, Christian Rossow & Thorsten Holz

Authors
  1. Marc Kührer
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Christian Rossow
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Thorsten Holz
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. George Mason University, Fairfax, VA, USA

    Angelos Stavrou

  2. VU University Amsterdam, The Netherlands

    Herbert Bos

  3. Stevens Institute of Technology, NJ, USA

    Georgios Portokalidis

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Kührer, M., Rossow, C., Holz, T. (2014). Paint It Black: Evaluating the Effectiveness of Malware Blacklists. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-11379-1_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11378-4

  • Online ISBN: 978-3-319-11379-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation