
Paint It Black: Evaluating the Effectiveness of Malware Blacklists

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)

Abstract

Blacklists are commonly used to protect computer systems against the tremendous number of malware threats. These lists include abusive hosts such as malware sites or botnet Command & Control and dropzone servers to raise alerts if suspicious hosts are contacted. Up to now, though, little is known about the effectiveness of malware blacklists.

In this paper, we empirically analyze 15 public malware blacklists and 4 blacklists operated by antivirus (AV) vendors. We aim to categorize the blacklist content to understand the nature of the listed domains and IP addresses. First, we propose a mechanism to identify parked domains in blacklists, which we find to constitute a substantial number of blacklist entries. Second, we develop a graph-based approach to identify sinkholes in the blacklists, i.e., servers that host malicious domains which are controlled by security organizations. In a thorough evaluation of blacklist effectiveness, we show to what extent real-world malware domains are actually covered by blacklists. We find that the union of all 15 public blacklists includes less than 20% of the malicious domains for a majority of prevalent malware families and most AV vendor blacklists fail to protect against malware that utilizes Domain Generation Algorithms.
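Coverage of the kind the abstract measures, the fraction of a family's contacted domains found in each list and in the union of all lists, as an added example that is not the paper's code; every list entry and hostname below is constructed, and matching a host against its parent domains is an assumption about how entries are compared.

```python
from collections import defaultdict

# Constructed sample blacklists (hypothetical entries, not real indicators).
BLACKLISTS = {
    "list_a": ["bad-cnc.example", "dropzone.example", "parked-lot.example"],
    "list_b": ["BAD-CNC.example.", "malware.test", "198.51.100.7"],
}

# Constructed family -> hostnames contacted in a hypothetical sandbox run.
# "dga_y" stands in for a family whose domains are algorithmically generated.
FAMILY_DOMAINS = {
    "downloader_x": ["bad-cnc.example", "cdn.dropzone.example",
                     "update.malware.test", "other.example"],
    "dga_y": ["qkzxv1.example", "mnbvcx.example", "bad-cnc.example"],
}


def normalize(entry):
    """Lowercase and strip a trailing dot so list formats compare equal."""
    return entry.strip().lower().rstrip(".")


def is_listed(host, entries):
    """A host counts as covered if it or any parent domain is in the list,
    so 'cdn.dropzone.example' is covered by an entry 'dropzone.example'."""
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))


def coverage(family_domains, blacklists):
    """Return {family: {list_name: fraction}}; 'union' is all lists combined."""
    sets = {name: {normalize(e) for e in ents} for name, ents in blacklists.items()}
    sets["union"] = set().union(*sets.values())
    result = defaultdict(dict)
    for family, hosts in family_domains.items():
        for name, entries in sets.items():
            hits = sum(1 for h in hosts if is_listed(h, entries))
            result[family][name] = hits / len(hosts)
    return dict(result)


if __name__ == "__main__":
    for family, per_list in coverage(FAMILY_DOMAINS, BLACKLISTS).items():
        print(family, {k: round(v, 2) for k, v in per_list.items()})
```

Even the union leaves the constructed DGA family mostly uncovered, which is the failure mode the abstract reports for real DGA-based malware.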

Keywords

  • Blacklist Evaluation
  • Sinkholing Servers
  • Parking Domains





Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Kührer, M., Rossow, C., Holz, T. (2014). Paint It Black: Evaluating the Effectiveness of Malware Blacklists. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_1


  • DOI: https://doi.org/10.1007/978-3-319-11379-1_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11378-4

  • Online ISBN: 978-3-319-11379-1
