Malicious servers are online hosts that are set up and controlled by cyber criminals to perform a variety of malicious activities. Some of these servers are set up to serve malware binaries, exploits, phishing pages, and/or credential-stealing attacks. Others act as mother-ships (command-and-control servers) from which malware retrieves commands after it has successfully compromised a machine.
One challenge in detecting malicious servers lies in gathering intelligence from these servers without alerting the cyber criminals, who actively monitor connections to their servers in order to evade detection. Most malicious hosts log and monitor all connections to their servers and can block or reset a connection the moment they realize that someone is investigating or spying on them.
Another challenge lies not just in gathering but also in utilizing the different forensic intelligence available from online servers to accurately and automatically detect whether a given server is malicious or benign.