The Malware DNS Scraper project was started by Ben as a simple way to check whether computers on his network were trying to check in to known botnet command and control servers. Ben initially had the idea while staring at the ZeuS Tracker Domain Block list and trying his usual method of manually entering domains to query the firewalls. Then a moment of inspiration hit: he didn't care about all the domains, just the domains that people visit. Who knows what domains people visit? The DNS servers! A simple non-recursive DNS lookup on the local DNS server can tell you whether someone queried for the host recently. If the DNS servers had cached entries for "known bad" domains, that means someone on his network was querying for them, which likely indicates an infection.
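As an added example (not the project's own code), here is that non-recursive cache check in Python: the query is sent with the RD (recursion desired) bit cleared so the resolver answers only from its cache, and the reply is parsed for answer records. The resolver address and the name example-bad.test are placeholders, and the two sample replies are constructed rather than captured.

```python
import secrets
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """A-record query with flags 0x0000: RD (recursion desired) is clear, so the
    resolver may answer only from its cache and must not go upstream."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(buf: bytes, off: int) -> int:
    """Offset just past a wire-format name; a 2-byte compression pointer ends it."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(resp: bytes) -> dict:
    """NOERROR plus answer records in reply to an RD=0 query means the resolver
    already had the name cached, i.e. some client on the network asked for it."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = skip_name(resp, off) + 4
    ttls = []
    for _ in range(an):
        off = skip_name(resp, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10 + rdlen
        ttls.append(ttl)               # remaining TTL: how fresh the cache entry is
    rcode = flags & 0x000F
    return {"txid": txid, "rcode": rcode, "cached": rcode == 0 and an > 0, "ttls": ttls}

def check_cached(server: str, name: str, timeout: float = 2.0) -> dict:
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        resp, _ = sock.recvfrom(512)
    return parse_response(resp)

# Constructed sample replies (not captured) for example-bad.test: a hit (A 203.0.113.10, TTL 300) and a miss.
QUESTION = bytes.fromhex("0b6578616d706c652d62616404746573740000010001")
CACHE_HIT = bytes.fromhex("123480800001000100000000") + QUESTION + bytes.fromhex("c00c000100010000012c0004cb00710a")
CACHE_MISS = bytes.fromhex("123480800001000000000000") + QUESTION
```

Some resolvers refuse or ignore queries with RD=0, so confirm your server honours them before trusting an empty result. A cache hit tells you that some client on the network asked for the name, not which one; the resolver's query logs are needed for that.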
The Malicious Host List was created partly to give the Malware DNS Scraper a list to check and partly to build a comprehensive list of malicious hosts that we can play with. The list is fairly simple: it merely combines three different sources of malware information into one list. We currently use information from the following sources:
- Abuse.ch's Zeus Tracker's Domain Blocklist
- MalwareDomainList.com's Hosts List
- MalwarePatrol Malware Block List
This is a bit of a work in progress and does have issues with false positives on shared hosting sites (rapidshare.com, sites.google.com) and advertising networks.
Share and Enjoy!