Check out the new USENIX Web site.

Malware hosting infrastructure.

Throughout our measurement period we detected $ 9,430$ malware distribution sites. In $ 90\%$ of the cases each site is hosted on a single IP address. The remaining $ 10\%$ sites are hosted on IP addresses that host multiple malware distribution sites. Our results show IP addresses that hosted up to $ 210$ malware distribution sites. Closer inspection revealed that these addresses refer to public hosting servers that allow users to create their own accounts. These accounts appear as sub-folders of the the virtual hosting server DNS name (e.g.,,, or in many cases as separate DNS aliases that resolve to the IP address of the hosting server. We also observed several cases where the hosting server is a public blog that allows users to have their own pages (e.g.,,

Figure 12: CDF of the normalized pairwise intersection between landing sites across distribution networks.

Niels Provos 2008-05-13