Security Boffins Block 100K Malicious Sites in 10 Months

Hundreds of security researchers have come together in a global non-profit project, working to take down 100,000 malicious websites in just 10 months.

Revealed on Monday, the stats are testament to the power of information sharing among the information security community and hosting providers, when they work together to fight a common foe, according to

The non-profit’s URLhaus project saw 265 researchers work together to identify and submit 300 malware sites each day over the period. This makes it easier for hosting providers to spot and remediate any bad domains on their networks.

“This is not an easy task, especially for large hosting providers that have tens of thousands of customers and hence a significant amount of hijacked websites in their network that are getting abused by cyber-criminals to distribute malware,” the non-profit explained.

However, despite its early success, there’s still a long way to go. URLhaus claimed to observe 4,000 to 5,000 active malware distribution sites every day, and that they stay active for over eight days on average, potentially infecting thousands of devices in the process.

In China, things are even worse: the three top malware hosting networks have an “average abuse desk reaction time” of over a month.

Of the 380,000 malware samples collected by the project over the past 10 months, Emotet/Heodo was the most common.

“Emotet gets propagated through spam that hits users’ inboxes almost every day. These malspam campaigns usually contain a malicious Office document with macros. Once the victim opens the document and enables macros, it will automatically download and execute Emotet from a compromised website,” explained.

“To bypass spam filters, these malspam campaigns sometimes point to a compromised website that hosts the malicious Office document instead of attaching it to the email directly. To dismantle these campaigns and prevent users from getting infected with Emotet, it is essential that the associated malware distribution sites get cleaned up in time by the responsible hosting provider.”

The group urged national CERTs, ASN operators and TLD owners to subscribe to the free URLhaus feed and implement its free block lists.
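As an added illustration of how a network operator might consume such a feed (this is example code, not URLhaus’s or abuse.ch’s own tooling), the script below turns a URLhaus-style CSV feed into a hostname block list, drops entries already marked offline so cleaned-up sites are not blocked forever, and checks outbound URLs against it. The column layout and the sample rows are assumptions constructed for the example; the hostnames are placeholders, not real indicators.

```python
"""Build a hostname block list from a URLhaus-style CSV feed and check URLs against it.

Added example, not code from URLhaus/abuse.ch. SAMPLE_FEED is constructed and
only approximates the public feed's layout ('#' comment lines, then quoted
comma-separated fields); every hostname in it is a placeholder.
"""
import csv
from urllib.parse import urlsplit

SAMPLE_FEED = """\
# URLhaus-style CSV feed (constructed sample for illustration)
# id,dateadded,url,url_status,threat,tags,urlhaus_link,reporter
"1001","2019-03-01 09:12:00","http://malware.example/wp-content/doc.exe","online","malware_download","emotet,heodo","https://urlhaus.example/url/1001/","researcher1"
"1002","2019-03-01 10:30:00","http://hijacked.example/temp/invoice.doc","online","malware_download","emotet","https://urlhaus.example/url/1002/","researcher2"
"1003","2019-02-20 08:00:00","http://cleaned.example/old/payload.bin","offline","malware_download","gozi","https://urlhaus.example/url/1003/","researcher1"
"""

# Column names assumed for the feed layout above.
FIELDS = ["id", "dateadded", "url", "url_status", "threat", "tags", "urlhaus_link", "reporter"]


def parse_feed(text):
    """Return feed rows as dicts, skipping '#' comment lines and blank lines."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    return [dict(zip(FIELDS, rec)) for rec in csv.reader(rows)]


def build_blocklist(entries, only_online=True):
    """Lower-cased hostnames of distribution sites. Offline entries are dropped by
    default so a site the hosting provider has already cleaned up is not blocked forever."""
    hosts = set()
    for entry in entries:
        if only_online and entry["url_status"] != "online":
            continue
        host = urlsplit(entry["url"]).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_blocked(url, blocklist):
    """True if the URL's host is on the block list (case-insensitive)."""
    host = urlsplit(url).hostname
    return bool(host) and host.lower() in blocklist


def hosts_file_lines(blocklist):
    """Render the block list in hosts-file form, sinkholed to 0.0.0.0."""
    return [f"0.0.0.0 {h}" for h in sorted(blocklist)]
```

A real deployment would refresh the list on the feed's publication cadence and drop hosts once the feed marks them offline, since the article notes that abused sites are typically legitimate ones that were hijacked.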