265 Researchers Take Down 100,000 Malware Distribution Websites

January 31, 2019
Website Malware protection

Security researchers over the globe joined in a venture committed to sharing URLs used in malicious campaigns managed to take down close to 100,000 websites actively engaged in malware distribution.

The task called URLhaus was started by abuse.ch, a non-benefit cybersecurity association in Switzerland. The operations began towards the end of March 2018 and recorded a daily average of 300 submissions from 265 security researchers.


Chinese hosting networks are slow to react


The takedown activity involved in the participation of the organizations hosting the offensive websites on their infrastructure, some of them are not rushing to respond to abuse reports.


Chinese hosting providers took the longest to react to complaints against some websites’ involvement in malicious activities.


ChinaNet, China Unicom, and Alibaba did not rush into taking the appropriate measures, leaving the compromised websites active for one month and ~10 days, one month and 23 days, and one month and 2 days, individually. The complete number of malware URLs reported to them was near 500.


The fastest to react to URLhaus reports was Unified Layer in the U.S. They took two days and a half to get down 127 malicious URLs. The full list with the best 15 hosting providers and the amount they took to respond.

Chinese hosting networks

The full list of the hosting providers contacted and the time they took to respond to the abuse report is available here(https://urlhaus.abuse.ch/statistics/reactiontime/). In some cases, the reaction came as late as three months.


Bargained websites essentially push Emotet


Emotet is at the highest priority on the rundown of malware distributed through the websites submitted to the URLhaus venture. This malware family is normally spread through emails carrying a document with a malicious macro.


At the point when the document is launched, the macro downloads Emotet (otherwise called Heodo) from a compromised website and executes it.


URLhaus gathered around 380,000 malware samples in the course of recent months and very nearly 16,000 of them were Emotet payloads, putting it in the top spot.


Gozi banking trojan falls in the second place with almost 13,000 payloads, followed by GandCrab ransomware with a little over 6,000 samples.




No anti malware can protect your network and users, best implementation is to employ URLhaus blocklists that are available for free. There are different formats available, including DNS RPZ and Snort/Suricata IDS rules:

About the author

Leave a Reply