I want to write a passive "infected machine detector" which will sniff network traffic and identify machines on my LAN that are infested with adware or spyware. I aim to sniff all DNS resolutions, cache the results, and then use a blacklist lookup to tie resolved IP addresses to the bad guy sites.
I know there are a number of real-time blacklists for spam-forwarding mail servers. Is there anything like that for servers used for disseminating adware/spyware apps, or catching uploaded spyware data?
I'll award the full 500 for a slam-dunk answer, somewhat less for research suggestions (I'm wasting too much time doing research, and not getting very far).
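The detection pipeline the question sketches (sniff DNS answers, cache the name-to-address mappings, match them against a blocklist) can be prototyped in a few dozen lines. The example below is added here and is not code from the question or from any product; it only handles the decoding and matching stage, so it takes raw DNS response payloads as a sniffer or pcap reader would hand them over, and the blocklist entries and the sample packet are constructed (RFC 5737 TEST-NET addresses and `.test` names), not a real feed.

```python
"""Passive DNS blocklist matcher (added example, not from the original post).

Takes raw DNS response payloads (the UDP payload a sniffer or pcap reader
provides), caches name -> address mappings, and flags the client whose lookup
resolved a blocklisted name or address. Blocklist and sample packet are
constructed for illustration; the capture layer is out of scope.
"""
import struct

# Constructed blocklist: domain suffixes and one TEST-NET-3 address (RFC 5737).
BLOCKED_DOMAINS = {"ads.example.test", "tracker.example.test"}
BLOCKED_IPS = {"203.0.113.99"}

MAX_JUMPS = 16  # guard against compression-pointer loops in hostile packets


def read_name(msg, offset):
    """Decode a DNS name at offset, following compression pointers.

    Returns (name, offset just past the name in the original stream).
    """
    labels, jumps, end = [], 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if (length & 0xC0) == 0xC0:          # two-byte compression pointer
            if jumps >= MAX_JUMPS:
                raise ValueError("pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2             # resume here after the jump
            offset, jumps = pointer, jumps + 1
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)


def parse_answers(msg):
    """Return (owner, rtype, ttl, rdata) for each A/CNAME answer in a response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:                   # QR bit clear: a query, not a response
        return []
    offset = 12
    for _ in range(qdcount):                 # skip the question section
        _name, offset = read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # A record: dotted-quad address
            records.append((owner, "A", ttl, ".".join(str(b) for b in rdata)))
        elif rtype == 5:                     # CNAME: target name may use pointers
            target, _ = read_name(msg, offset - rdlen)
            records.append((owner, "CNAME", ttl, target))
    return records


def is_blocked_name(name):
    """Suffix match so sub.ads.example.test hits the ads.example.test entry."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts)))


class PassiveDnsDetector:
    def __init__(self):
        self.cache = {}      # ip -> set of names observed resolving to it
        self.alerts = []     # (client_ip, name, matched value)

    def observe(self, client_ip, payload):
        """Feed one sniffed DNS response sent to client_ip; return new alerts."""
        try:
            records = parse_answers(payload)
        except (ValueError, struct.error):
            return []        # malformed packet: drop it, never crash the sniffer
        new_alerts = []
        for owner, rtype, _ttl, rdata in records:
            if rtype == "A":
                self.cache.setdefault(rdata, set()).add(owner)
                if is_blocked_name(owner) or rdata in BLOCKED_IPS:
                    new_alerts.append((client_ip, owner, rdata))
            elif rtype == "CNAME" and is_blocked_name(rdata):
                new_alerts.append((client_ip, owner, rdata))
        self.alerts.extend(new_alerts)
        return new_alerts


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_sample_response(qname, ip, ttl=300):
    """Constructed one-answer response; the answer owner is a pointer to the question."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    det = PassiveDnsDetector()
    print(det.observe("192.0.2.10", build_sample_response("ads.example.test", "203.0.113.10")))
    print(det.observe("192.0.2.11", build_sample_response("www.example.test", "203.0.113.20")))
```

The cache keyed by address is what lets a later blocklist update, or a later connection seen by a firewall log, be tied back to the name the client actually asked for; the pointer-jump cap and the blanket `except` around parsing matter because a passive sensor sees whatever a compromised host sends, including deliberately malformed packets.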