
Paint It Black: Evaluating the Effectiveness of Malware Blacklists

  • Marc Kührer
  • Christian Rossow
  • Thorsten Holz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)

Abstract

Blacklists are commonly used to protect computer systems against the tremendous number of malware threats. These lists include abusive hosts such as malware sites or botnet Command & Control and dropzone servers to raise alerts if suspicious hosts are contacted. Up to now, though, little is known about the effectiveness of malware blacklists.

In this paper, we empirically analyze 15 public malware blacklists and 4 blacklists operated by antivirus (AV) vendors. We aim to categorize the blacklist content to understand the nature of the listed domains and IP addresses. First, we propose a mechanism to identify parked domains in blacklists, which we find to constitute a substantial number of blacklist entries. Second, we develop a graph-based approach to identify sinkholes in the blacklists, i.e., servers that host malicious domains which are controlled by security organizations. In a thorough evaluation of blacklist effectiveness, we show to what extent real-world malware domains are actually covered by blacklists. We find that the union of all 15 public blacklists includes less than 20% of the malicious domains for a majority of prevalent malware families and most AV vendor blacklists fail to protect against malware that utilizes Domain Generation Algorithms.
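As an added illustration (not code from the paper or its authors), the coverage measurement the abstract describes: the union of several blacklists is matched against the domains observed per malware family, with name normalization and parent-domain matching, and families below the 20% mark are reported. All blacklist entries and family domains below are constructed sample data.

```python
from collections import defaultdict


def normalize(domain):
    """Lower-case and strip whitespace and a trailing dot; list formats differ."""
    return domain.strip().lower().rstrip(".")


def is_listed(domain, blacklist):
    """True if the domain or any parent domain is in the (normalized) blacklist set.
    A listed 'bad.example' is taken to cover 'c2.bad.example' as well."""
    labels = normalize(domain).split(".")
    for i in range(len(labels) - 1):  # never match on a bare TLD
        if ".".join(labels[i:]) in blacklist:
            return True
    return False


def union_coverage(blacklists, families):
    """Fraction of each family's domains hit by the union of all blacklists."""
    union = set()
    for entries in blacklists.values():
        union.update(normalize(d) for d in entries)
    coverage = {}
    for family, domains in families.items():
        hits = sum(1 for d in domains if is_listed(d, union))
        coverage[family] = hits / len(domains) if domains else 0.0
    return coverage


def poorly_covered(coverage, threshold=0.2):
    """Families whose union coverage is below the threshold (20% as in the abstract)."""
    return sorted(f for f, c in coverage.items() if c < threshold)


# Constructed sample data, not taken from the paper's datasets
BLACKLISTS = {
    "list_a": {"c2-alpha.example", "drop.example.net"},
    "list_b": {"Evil-Host.example.", "c2-alpha.example"},
}
FAMILIES = {
    "fam1": ["c2-alpha.example", "www.evil-host.example",
             "beacon.drop.example.net", "unknown1.example"],
    "dga-fam": ["kq3z1pd.example", "x9ml2r.example", "t7v0qw.example"],
}

if __name__ == "__main__":
    cov = union_coverage(BLACKLISTS, FAMILIES)
    print(cov, poorly_covered(cov))
```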

Keywords

  • Blacklist Evaluation
  • Sinkholing Servers
  • Parking Domains



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Marc Kührer (1)
  • Christian Rossow (1)
  • Thorsten Holz (1)
  1. Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany
