An Empirical Analysis of Malware Blacklists

Besides all the advantages and reliefs the Internet brought us over the years, there are also a lot of suspicious and malicious activities taking place. Attackers are constantly developing new techniques to compromise computer systems. Furthermore, there are many malicious servers on the Internet that host, for example, exploits, drive-by download toolkits, or malicious software. We want to track the network locations of these malicious servers by analyzing different kinds of blacklists that provide a listing of suspicious servers. In this article, we present the design and implementation of our blacklist parser system that tracks 49 different blacklists. We have collected more than 2.2 million distinct blacklist entries and more than 410,000 distinct URLs in the first 80 days of running the system. Besides discussing the design, we also provide an overview of the first empirical results of analyzing the collected data. In the future, we plan to extend the system such that it provides a comprehensive overview of malicious activities on the Internet.