CircleID reports that abuse.ch, a non-profit cybersecurity organization based in Switzerland, kicked off a volunteer-based information sharing project called URLhaus in March 2018. URLhaus collects and shares URLs identified as distributing malware. Since its launch, URLhaus has proven quite effective, taking down over 124,000 malware distribution sites.
Abuse.ch’s URLhaus project allows anyone to sign up with a Twitter account to report malicious URLs. The system will download and analyze the site’s payload and try to identify it before submitting it to anti-virus vendors and blacklist providers such as Google Safe Browsing, Spamhaus DBL, and SURBL, according to the blog post.
CircleID reports that 265 security researchers located all over the world have identified and submitted on average 300 malware sites to URLhaus each day. The article said URLhaus succeeded beyond the infosec community: the project also managed to get the attention of many hosting providers, which is not an easy task, especially for large hosting providers that have tens of thousands of customers and hence a significant number of hijacked websites in their networks that are abused by cybercriminals to distribute malware.
The chart below produced by abuse.ch shows the number of active malware distribution sites tracked since the launch of URLhaus.
abuse.ch reports that the US or China hosts 2/3 of the top malware hosting networks. The overall average malicious site take-down time is 8 days, 10 hours, 24 minutes. The three top Chinese malware hosting networks have an average abuse desk reaction time of more than a month!
That’s more than enough time to infect thousands of devices every day.
Top malware hosting networks
The top malware hosting networks, hosting active malware content identified by abuse.ch as of January 2019.

| Rank | ASN | Country | Average Reaction Time | Malware URLs |
|---|---|---|---|---|
| 1 | AS14061 DIGITALOCEAN-ASN - DigitalOcean, LLC | US | 6 days, 12 hours, 56 minutes | 307 |
| 2 | AS4134 CHINANET-BACKBONE No.31,Jin-rong Street | CN | 1 month, 9 days, 19 hours, 22 minutes | 256 |
| 3 | AS4837 CHINA169-BACKBONE CHINA UNICOM China169 | CN | 1 month, 23 days, 8 hours, 41 minutes | 163 |
| 4 | AS48815 CRITICALCASE | IT | 21 hours, 58 minutes | 151 |
| 5 | AS46606 UNIFIEDLAYER-AS-1 - Unified Layer | US | 2 days, 11 hours, 54 minutes | 127 |
| 6 | AS53667 PONYNET - FranTech Solutions | US | 13 days, 3 hours, 37 minutes | 105 |
| 7 | AS16276 OVH | FR | 5 days, 22 hours, 6 minutes | 104 |
| 8 | AS60144 THREE-W-INFRA-AS -- TRANSIT -- | NL | 9 days, 10 hours, 37 minutes | 83 |
| 9 | AS13335 CLOUDFLARENET - Cloudflare, Inc. | US | 13 days, 7 hours, 5 minutes | 67 |
| 10 | AS37963 CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba | CN | 1 month, 2 days, 0 hours, 1 minutes | 66 |
| 11 | AS8342 RTCOMM-AS | RU | 10 days, 8 hours, 9 minutes | 63 |
| 12 | AS36352 AS-COLOCROSSING - ColoCrossing | US | 16 days, 9 hours, 57 minutes | 53 |
| 13 | AS3462 HINET Data Communication Business Group | TW | 17 days, 6 hours, 19 minutes | 51 |
| 14 | AS23650 CHINANET-JS-AS-AP CHINANET jiangsu province | CN | 3 days, 11 hours, 50 minutes | 51 |
| 15 | AS3462 HINET Data Communication Business | TW | 17 days, 6 hours, 19 minutes | 51 |
rb-
abuse.ch offers the URLhaus black list for free to help protect your networks and users from malware. You can get more details from abuse.ch here.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
