Malware domain list, what it is and how to build it

Why it is important to rely on a browsing protection service

A malware domain list is a list of domain names, that is, sites, from which malware attacks are known to originate. These are continuously updated, public lists of domain names which all cyber attack protection services use. In this article, we will explain how malware domain lists are built and why it is important to rely on a browsing protection service to utilize them.

1. What it is and how malware spreads

In order to elaborate on our discussion of malware domain lists, let us begin by recalling what malware is and how it spreads. The term malware (MALicious softWARE) refers to software created to harm a user’s electronic activity. Once a computer or device is infected, malware can also affect the other devices with which it communicates. Malware, therefore, spreads quickly along a computer network.

There are different types of malware. Malware can be a worm, a Trojan, or a more complex computer virus, such as ransomware. Malware, viruses, and malicious code in general belong to the same family, but they are not the same thing. Each type of malware has a different target, and it is now well understood that an antivirus is not the best weapon to use. Malware can affect desktop computers, laptops, smartphones, and IoT devices, virtually any digital device connected to the internet. Not even operating systems are safe. Windows, Android, iOS, or Apple macOS are all vulnerable to attack. In reality, there are no digital devices that are potentially immune to malware, and, more importantly, it is commonly accepted that it is not a matter of “if” but “when.” In other words, it is better to assume that a company will be hit sooner or later and not kid yourself that you can get around it.

Let’s quickly look at the kinds of malware and what types of damage a malware can cause.

» Trojan. The user receives a chat or e-mail message and is asked to click on a link. Once this happens, a small piece of software is installed on the victim’s device which can do a variety of different types of damage. For example, it can take over the computer and monitor all its activities, such as typing on the keyboard.
» Worm. A worm is a malicious code created with various objectives. In general, the intention is to damage corporate devices and networks. By its nature, the worm replicates within the corporate network and, like the Trojan, also introduces itself via links, but not only that way.
» Exploit. An exploit is a defect found in corporate software. Malware can be created which, creeping into the corporate IT architecture, takes advantage of the exploit and modifies the software by making it perform different tasks. An example? Think of a self-driving car whose software is modified.
» Phishing. In a phishing attack, the user is asked to perform a certain activity. For example, in a message, the user is asked to click on a link and enter his/her home banking user ID and password. The site requesting the data looks identical to the bank’s website, but it is not. Phishing often precedes a malware attack.
» Rootkits and bootkits. Rootkits and bootkits act at an even higher level than malware which utilizes software exploits. Their goal is to crash computer systems. These codes can also be spread as malware.
» Adware and spyware. Adware infests the infected device with advertisements, while spyware spies on user activity. Spyware collects the information and sends it to the system that activated it. Keyloggers are spyware that spies on whatever the user types on the keyboard. A drop in device performance may be due to spyware.
» Botnet. Through a botnet, one takes control of the device, which becomes the servant of cyber criminals. To give a very common example nowadays, a device may be “forced” to mine cryptocurrency. On the other hand, malware might “force” the device to be part of a DDoS attack.
» Ransomware. We finally arrive at the most widespread malware of all. Ransomware is the installation of software into the corporate network through a user’s device with the intent of extortion. The goal is to “take” corporate data “hostage,” block access to it, and demand a ransom to unblock it.

Today, attacks intended for reasons other than profit are much rarer than they used to be. Most of the malware that is seen is ransomware. Cyber criminals, organized into real gangs, aim (almost) exclusively at financial gain.

2. How a malware domain list is built

Having clarified what malware is and how it spreads, it becomes quite easy to understand what a malware domain list is. There is a Malware Domain List (MDL), a non-profit community project. It is a site that hosts a database of sites known to host or be vehicles for the spread of malware.

Anyone can list a domain. In addition, the database is fed by automatic alerts which come from the control centers of the various IT security companies. The companies activate a two-way connector for the linking software code in order to compare and update the database in real time.

Although other public malware domain lists have been created in the past, today they all refer to the MDL. As mentioned, the update is done either manually or in an automatic mode by connectors. As soon as an entity that is fighting cyber crime registers the spread of a new threat, the domain, usually a site or web page from which the threat originated, is identified and reported.




3. Why it is important to update the domain list

Unfortunately, notification occurs only after the malware has been circulated. So, it is only possible to alert protection systems after a company has already suffered an attack. In that case, time is a major factor. In other words, if, for example, a malicious activity is detected from a domain, let’s say Chinese or Russian, the user must try to block its spread by playing on the time zone. In this way, he/she should be able to prevent damage to Western companies. All in all, it is a race against time.

It should be mentioned that today’s site filtering systems, particularly DNS filters, use artificial intelligence algorithms. So, based on the behavior and content of particular sites, it can be predicted in advance whether or not a domain is carrying malware. This probabilistic method, however, can lead to the reporting of so-called false positives, that is, flagging, and thus blocking, access to a site that may likely be carrying malware but is not.

Generally, experience has shown that it is better to activate the block and then, at a later verification, unblock the site and remove it from the malware domain list.
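
The following sketch is an added example, not code from MDL or FlashStart. It illustrates sections 2 and 3 together: entries from a manual submission feed and an automatic feed are merged into one list, a lookup checks the queried name and each parent domain, and a domain unblocked after later verification overrides the block. The feed formats, class and function names, and all domains are constructed for illustration.

```python
# Added example: feed names, formats and domains below are constructed samples.
MANUAL_FEED = """# community submissions, one domain per line
Bad-Bank.example
cdn.shop.example
"""
AUTO_FEED = """# vendor sensor export, hosts-file style
127.0.0.1 localhost
0.0.0.0 malware-drop.test   # seen serving payloads
0.0.0.0 bad-bank.example.
"""

def normalize(name):
    """Lower-case, drop the root dot, IDNA-encode; None if not a valid name."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii") or None
    except UnicodeError:
        return None

def parse_feed(text):
    """Yield domains from plain or hosts-style lines, skipping comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        host = fields[1] if len(fields) > 1 and fields[0] in ("0.0.0.0", "127.0.0.1") else fields[0]
        domain = normalize(host)
        if domain and "." in domain:      # ignores entries such as "localhost"
            yield domain

class DomainList:
    def __init__(self):
        self.blocked = {}      # domain -> set of feeds that reported it
        self.cleared = set()   # domains unblocked after later verification

    def ingest(self, source, text):
        for domain in parse_feed(text):
            self.blocked.setdefault(domain, set()).add(source)

    def unblock(self, domain):
        self.cleared.add(normalize(domain))

    def verdict(self, qname):
        """Check the queried name and each parent domain, most specific first."""
        labels = (normalize(qname) or "").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.cleared:
                return ("allow", candidate)
            if candidate in self.blocked:
                return ("block", candidate)
        return ("allow", None)
```

Because the most specific entry wins, clearing one subdomain after review does not lift a block on its parent domain, and the record of which feeds reported a domain is kept for the later verification step.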

4. Why it is better to trust a DNS filtering service

The services which are most involved in generating malware domain lists are DNS filters such as FlashStart. Both free versions and those for purchase exist, with obvious differences in terms of the accuracy of the database of malicious sites (blacklists).




Let’s see why it is more cost-effective for a company to activate a paid DNS filter like FlashStart. First and foremost, filtering from the DNSs of sites is significantly more effective. If one based the filtering on the domain name, it would be much easier for cyber criminals to bypass the protections because, for example, they can completely clone a bank’s site, as is the case with sites made for phishing operations.

Another distinguishing feature of a DNS filter like FlashStart is Anycast network monitoring. This is a global service for monitoring sites and the paths used to reach them. In technical terms, utilizing the Anycast network minimizes latency while monitoring the site that is being requested by the user.




A quality DNS filter like FlashStart also uses artificial intelligence to automatically update blacklists. The artificial intelligence algorithms contained within the FlashStart service allow it to examine up to 200 thousand sites per day, support twenty-four different languages, and recognize ninety categories based on content. It is estimated that approximately 250 thousand new sites are created in the world every twenty-four hours.

Another feature that sets FlashStart apart from the competition is its native integration with Microsoft’s Active Directory service, that is, within Microsoft networks. A further special function of the FlashStart solution is geoblocking: blocking access to sites geographically located in countries which are deemed to be dangerous.

The cloud-based FlashStart service is available in several models. FlashStart PRO is designed to protect SMEs and families. PRO Plus expands on its capabilities in order to protect businesses, schools, and government agencies. The hybrid firewall is a complete protection solution which also includes the hardware appliance, and, finally, FlashStart has a specific solution for internet service providers and carriers.


You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks. 

Valerio Mariani, B2B IT Journalist & Digital content
I am dedicated to providing companies with in-depth analysis and high-quality digital content to help them remain competitive in the technology marketplace. I am here to provide clear insights and effective communication strategies for business success.
