Malware Domains
  • 1 Minute to read
  • Contributors
  • Dark
    Light
  • PDF

Malware Domains

  • Dark
    Light
  • PDF

The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting.

Malware Domains feeds provided here are for free for noncommercial use as part of the fight against malware. Any use of this list commercially is strictly prohibited without prior approval.

Use the http://mirror1.malwaredomains.com/files/domains.txt list only on an internal DNS server for which you are not being charged.

Pre-requisites to use Malware Domains feeds API and DNIF

Outbound access required to request Malware Domains feeds API

Protocol Source IP Source Port Direction Destination Domain Destination Port
TCP AD, A10 Any Egress github.com 443
TCP AD, A10 Any Egress malwaredomains.com 80

API link on Github: https://github.com/dnif/enrich-malwaredomains

Getting Started with malwaredomains feed API

  • Login to your Adapter/A10 container, connect to your docker container.
  • Move to the /dnif/<D-Key>/enrichment_plugins folder path.
$ cd /dnif/<D-Key>/enrichment_plugins/
  • Clone using the following command,
$ git clone https://github.com/dnif/enrich-malwaredomains.git malwaredomains

Example of API feed output

{'EvtType': 'DOMAIN',
'EvtName': 'ybobvntcrub.pw', 
'AddFields':{
'IntelRefURL': ['spamhaus.org'],
'ThreatType': ['botnet'],
'IntelRef': ['MALWAREDOMAINS']}}

The output displays the following fields:

Fields Description
EvtType An Domain
EvtName The IOC
IntelRef Feed Name
IntelRefURL Feed URL
ThreatType DNIF Feed Identification Name

Was this article helpful?

What's Next