How to take down 100,000 malware sites

Published on 21st January 2019, 11:23:48 UTC

End of March 2018, launched its most recent project called URLhaus. The goal of URLhaus is to collect and share URLs that are being used for distributing malware. The project is a huge success: with the help of the community, URLhaus was able to take down almost 100,000 malware distribution sites within just 10 months! During that time, 265 security researchers located all over the world have identified and submitted on average 300 malware sites to URLhaus each day, helping others to protect their networks and users from malware campaigns.

But it is not only the infosec community that makes URLhaus a success story: together with the community, URLhaus also managed to get the attention of many hosting providers, helping them to identify and remediate compromised websites hosted in their networks. This is not an easy task, especially for large hosting providers that have tens of thousands of customers and hence a significant number of hijacked websites in their networks that are being abused by cybercriminals to distribute malware.

Nevertheless, URLhaus on average counts between 4,000 and 5,000 active malware distribution sites every day, which is way too many. The following chart shows the number of active malware distribution sites tracked since the launch of URLhaus. The blue line indicates the number of abuse reports sent out to the corresponding hosting providers and network owners.

Having a look at the average takedown time doesn't make the situation any better: on average, malware distribution sites stay active for more than a week (8 days, 10 hours, 24 minutes). That's more than enough time to infect thousands of devices every day.

The table below shows the top malware hosting networks, hosting active malware content (counting online malware distribution sites only as of Jan 20th, 2019). As you can easily spot, 2/3 of the top malware hosting networks are hosted either in the US or China.

| Rank | ASN | Country | Average Reaction Time | Malware URLs |
|------|-----|---------|-----------------------|--------------|
| 1 | AS14061 DIGITALOCEAN-ASN - DigitalOcean, LLC | US | 6 days, 12 hours, 56 minutes | 307 |
| 2 | AS4134 CHINANET-BACKBONE No.31,Jin-rong Street | CN | 1 month, 9 days, 19 hours, 22 minutes | 256 |
| 3 | AS4837 CHINA169-BACKBONE CHINA UNICOM China169 | CN | 1 month, 23 days, 8 hours, 41 minutes | 163 |
| 4 | AS48815 CRITICALCASE | IT | 21 hours, 58 minutes | 151 |
| 5 | AS46606 UNIFIEDLAYER-AS-1 - Unified Layer | US | 2 days, 11 hours, 54 minutes | 127 |
| 6 | AS53667 PONYNET - FranTech Solutions | US | 13 days, 3 hours, 37 minutes | 105 |
| 7 | AS16276 OVH | FR | 5 days, 22 hours, 6 minutes | 104 |
| 8 | AS60144 THREE-W-INFRA-AS -- TRANSIT -- | NL | 9 days, 10 hours, 37 minutes | 83 |
| 9 | AS13335 CLOUDFLARENET - Cloudflare, Inc. | US | 13 days, 7 hours, 5 minutes | 67 |
| 10 | AS37963 CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba | CN | 1 month, 2 days, 0 hours, 1 minutes | 66 |
| 11 | AS8342 RTCOMM-AS | RU | 10 days, 8 hours, 9 minutes | 63 |
| 12 | AS36352 AS-COLOCROSSING - ColoCrossing | US | 16 days, 9 hours, 57 minutes | 53 |
| 13 | AS3462 HINET Data Communication Business Group | TW | 17 days, 6 hours, 19 minutes | 51 |
| 14 | AS23650 CHINANET-JS-AS-AP CHINANET jiangsu province | CN | 3 days, 11 hours, 50 minutes | 51 |
| 15 | AS3462 HINET Data Communication Business | TW | 17 days, 6 hours, 19 minutes | 51 |

What is also an eye-catcher is the takedown time of malware sites hosted in China: The three top Chinese malware hosting networks have an average abuse desk reaction time of more than a month!

A vast number of the malware distribution sites tracked by URLhaus are related to Emotet (aka Heodo). Emotet gets propagated through spam that hits users' inboxes almost every day. These malspam campaigns usually contain a malicious Office document with macros. Once the victim opens the document and enables macros, it will automatically download and execute Emotet from a compromised website. To bypass spam filters, these malspam campaigns sometimes point to a compromised website that hosts the malicious Office document instead of attaching it to the email directly. To dismantle these campaigns and prevent users from getting infected with Emotet, it is essential that the associated malware distribution sites are cleaned up in time by the responsible hosting provider.

The weight that Emotet has in the current threat landscape also becomes clearer when having a look at the identified malware families associated with the payloads URLhaus received from the tracked malware distribution sites. Across the 380,000 malware samples (payloads) that URLhaus has collected over the past 10 months, Emotet/Heodo is the top malware, as the following chart documents.


URLhaus wouldn't be successful without the help of the community. It proves that the key in fighting malware and botnets is sharing.

But we are not where we should be yet. There is still a long way to go with regard to the response time of abuse desks. An average reaction time of more than a week is just too much and proves bad internet hygiene. I do also hope that the Chinese hosting providers wake up and start taking care of the abuse problems in their networks in time. Having malware distribution sites staying active for over a month is just not acceptable.

If you have your own ASN, you are a CERT with national responsibility or you are a ccTLD or gTLD owner, I do recommend that you subscribe to the appropriate URLhaus feed that is available for free. You should fetch it every 15 minutes and act upon it accordingly:

To protect your network and users, you may also want to implement one of the URLhaus blocklists that are available for free too. There are different formats available, including DNS RPZ and Snort/Suricata IDS rules:
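As an added example (not part of the original post and not URLhaus's own tooling), the following sketch shows how a list of malware distribution URLs maps onto a DNS RPZ zone, and which entries DNS blocking cannot cover. The one-URL-per-line input, the zone origin `rpz.example.internal.` and the sample hosts are assumptions constructed for illustration; the actual feed and blocklist formats are not shown on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample feed (one URL per line); hosts are reserved
# documentation names and addresses, not real URLhaus data.
SAMPLE_FEED = """\
# constructed sample
http://shop.example.com/wp-content/invoice.doc
http://SHOP.example.com:8080/a/b.exe
https://cdn.example.net/update.bin
http://192.0.2.10/bins/payload
not a url
"""

HOSTNAME = re.compile(r"[a-z0-9_-]{1,63}(\.[a-z0-9_-]{1,63})+")

def classify(url):
    """Return ('name', host), ('ip', addr) or None for an unusable line."""
    try:
        host = urlsplit(url.strip()).hostname  # lowercased, port removed
    except ValueError:
        return None
    if not host:
        return None
    try:
        return ("ip", str(ipaddress.ip_address(host)))
    except ValueError:
        host = host.rstrip(".")
        return ("name", host) if HOSTNAME.fullmatch(host) else None

def build_rpz(feed_text, origin="rpz.example.internal."):
    """Build an RPZ zone plus the list of IP-literal hosts it cannot cover."""
    names, ips = set(), set()
    for line in feed_text.splitlines():
        hit = None if line.lstrip().startswith("#") else classify(line)
        if hit:
            (names if hit[0] == "name" else ips).add(hit[1])
    zone = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    # 'CNAME .' is the RPZ action that makes the resolver answer NXDOMAIN.
    zone += [f"{n} IN CNAME ." for n in sorted(names)]
    # IP-literal URLs trigger no DNS lookup: hand them to a proxy or firewall.
    return "\n".join(zone) + "\n", sorted(ips)
```

An RPZ record blocks the whole hostname, so a compromised but otherwise legitimate website becomes unreachable for your users until the entry is removed; regenerate the zone on each fetch so cleaned-up sites drop out.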
