
Malware hosting infrastructure.

Throughout our measurement period we detected $9,430$ malware distribution sites. In $90\%$ of the cases each site is hosted on a single IP address. The remaining $10\%$ of sites are hosted on IP addresses that host multiple malware distribution sites. Our results show IP addresses that hosted up to $210$ malware distribution sites. Closer inspection revealed that these addresses refer to public hosting servers that allow users to create their own accounts. These accounts appear as sub-folders of the virtual hosting server's DNS name (e.g., 512j.com/akgy, 512j.com/alavin, 512j.com/anti) or, in many cases, as separate DNS aliases that resolve to the IP address of the hosting server. We also observed several cases where the hosting server is a public blog that allows users to have their own pages (e.g., mihanblog.com/abadan2, mihanblog.com/askbox).
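The breakdown above can be reproduced from a list of (distribution site, resolved IP) observations. The following is an added example, not code from the paper: the function names, the IP addresses, and the `*.example` host names are constructed, and it assumes each site resolves to a single IP.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of (distribution site, resolved IP) pairs. The host
# names with sub-folders are the page's examples; every IP address and the
# *.example names are made up (documentation address ranges).
OBSERVATIONS = [
    ("512j.com/akgy", "192.0.2.10"),
    ("512j.com/alavin", "192.0.2.10"),
    ("512j.com/anti", "192.0.2.10"),
    ("mihanblog.com/abadan2", "192.0.2.20"),
    ("mihanblog.com/askbox", "192.0.2.20"),
    ("alias-one.example", "198.51.100.5"),
    ("alias-two.example", "198.51.100.5"),
    ("solo-a.example", "203.0.113.1"),
    ("solo-b.example", "203.0.113.2"),
    ("solo-c.example/dl", "203.0.113.3"),
]

def split_site(site):
    """Return (host name, account sub-folder or '') for a site string."""
    parts = urlsplit(site if "//" in site else "//" + site)
    segments = [s for s in parts.path.split("/") if s]
    return (parts.hostname or "").lower(), (segments[0] if segments else "")

def classify(sites):
    """Label how the sites that share one IP address relate to each other."""
    hosts = {host for host, _ in sites}
    if len(sites) == 1:
        return "single"
    if len(hosts) == 1:
        return "sub-folder accounts"   # accounts under one hosting DNS name
    if len(hosts) == len(sites):
        return "dns-aliases"           # separate names resolving to one IP
    return "mixed"

def summarize(observations):
    """Per-IP site counts plus the single-IP share and the largest cluster."""
    by_ip = defaultdict(set)
    for site, ip in observations:
        by_ip[ip].add(split_site(site))
    total = sum(len(s) for s in by_ip.values())
    single = sum(1 for s in by_ip.values() if len(s) == 1)
    return {
        "sites": total,
        "single_ip_fraction": single / total,
        "max_sites_per_ip": max(len(s) for s in by_ip.values()),
        "shared": {ip: classify(s) for ip, s in by_ip.items() if len(s) > 1},
    }

if __name__ == "__main__":
    print(summarize(OBSERVATIONS))
```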

Figure 12: CDF of the normalized pairwise intersection between landing sites across distribution networks.



Niels Provos 2008-05-13