Malware is everywhere!
Updated every hour
Online since 06/2005 - 7.000.000 hits/month
Last database update: 2018-07-18 16:20 UTC

Search MBL#:    

Bookmark and Share

Commercial licenses

Thank you for considering commercially licensing our data feeds. Please note that if you are a final user, system or network administrator who simply wants to use our block lists to protect you and your network users, in a small office for instance, you don't need a commercial license. All you need is a subscription. Our advice is that you choose the Premium option that presents better and more up to date protection.

On the other hand, if you are looking for up to date and reliable feeds to use in your products, services or research activities, we want to talk with you. Notice that a commercial license is required by anyone who uses our data in any products or services that they charge or may charge for and also for research and development purposes on commercial companies. If you are in doubt, please contact us at: commercial (a t) malwarepatrol (dot) net and we'll be more than happy to assist you.

Our data feeds

The Malware Patrol project is a community driven effort to maintain feeds of malicious activities on the Internet. We collect, analyze, block, send alerts and monitor malicious URLs. The project started in June 2005 and since then is helping the Internet community block infections.

The following data feeds are available for commercial use. The fees collected help maintain our infrastructure, develop new features and to establish more spamtraps and partnerships with CSIRTs and security groups around the world.

  • Our Feeds
  • Malicious URLs
  • Malicious IPs
  • Malware samples
  • CryptoLocker C&Cs
  • Exploit kits

The Malware Patrol project provides feeds of Malicious URLs, Malware samples and CryptoLocker C&Cs.

They are downloadable via authenticated HTTP requests and the format customized to fulfill your needs.

We are open to establishing a testing period when your company can evaluate our data feeds. During this period, you'll be able to determine that it presents the expected quality. Please let us know if this is of your interest.

Contact us at commercial (a t) malwarepatrol (dot) net and we'll be happy to discuss your needs and present the appropriate solution.

URL feeds are updated every hour and can be a customized text or XML file, including the following information:

MBL ID (for internal reference)

Malware URL (sanitized or unsanitized)

Date of insertion of the URL in our database (first time seen)

Malware classification

Malware MD5 and SHA-1 hashes

AS number where the malware is hosted

ASN basic data where the malware is hosted

Host/domain where the malware is hosted

Country where the malware is hosted

Protocol used (http, https or ftp)

Extension of the malware file

Feeds are provided with URLs in two formats: "sanitized", which includes protocol, hostname, domain name and directories, but not the binary file name; and "unsanitized", including protocol, hostname, domain name, directories and also the file name and extension of the malware. The "sanitized" feed is useful when there is no need to download the binary or to block it granularly. When downloading and/or monitoring the malware is important, the "unsanitized" feed is a better choice.

It is important to note that our feeds include active URLs only. Automated processes run every hour to analyze new URLs. All active addresses are verified every day. Inactive URLs are also checked regularly.

We do not provide information on the source of URLs. It can be one of our spamtraps, partner CSIRTs, partner security groups or personal contributors. Our agreements with CSIRTs and security groups prohibit us from disclosing this information.

Malicious IPs feed are updated every hour in plain text format, including the IP addresses of servers known to actively host malware.

Malware samples are collected from malicious URLs and analyzed by multiple anti-virus products. If no Malware is detected, our automated engines make a superficial analysis to figure out if the binary is potentially a new (unclassified) Malware. This analysis included packer detection and a revision of the binary.s characteristics. Samples are then compressed and sent to customers, including the following information:

MBL ID (for internal reference)

Malware classification

Malware MD5 and SHA-1 hashes

Extension of the file

Please note that as we are not anti-virus developers the following conditions apply:

Binaries are collected around the world and many of them are brand new variants of Malware with very low anti-virus detection rates

It is not possible to completely avoid false positives, we do our best but cannot guarantee that samples sent are really Malware

A sample may be sent multiple times if it is found hosted in multiple URLs

CryptoLocker is a ransomware, currently very active, that upon execution in a victim's computer contacts its command and control servers to download a key that is used to encrypt important/personal files. A message is then presented asking for a ransom in exchange for having the files restored. The malware generates a list of 1,000 domains every day, according to its algorithm (DGA), that is tries until a server is successfully contacted.

We offer a feed of domains and corresponding IP addresses used by CryptoLocker. The feed of domains is updated every day and contains the domains for the current day, the day before and the day after. The feed of IP addresses is updated every hour.

To block access to the domains and IP addresses used by CryptoLocker is an effective way to prevent the malware from encrypting the victim's files. Paying a ransom is strongly discouraged.

We are currently working to prepare a feed of URLs and information related to Exploit kits. Please let us know if this is of interest to you. We'll update this page as soon as the feed becomes available.

What we do

Malware Patrol is an automated and community driven effort to monitor URLs that host Malware. We also monitor the command and control systems used by ransomware, like CryptoLocker.

Big Image

Our objectives are:

Collect: our crawlling system automatically collects URLs pointing to dangerous file extensions.

Analyze: every URL is analyzed for the presence of Malware using multiple anti-virus products.

Block: we provide data feeds updated every hour and in various formats, according to your needs.

Alert: domain owners, server admins and ISPs hosting Malware receive an e-mail alert from us. Some security groups and CSIRTs are also notified.

Monitor: infected URLs are continuously monitored to ensure our data feeds are fresh and up to date. Every URL in our database is verified daily.

Our thanks to