The Internet is an open platform and provides a diffusion network, thus enabling easy malware dissemination. Prior studies have focused on how social networking sites such as Facebook or Twitter are harnessed for diffusing malware extensively. They have also analyzed various inter-correlations between follower-followee in malware delivery behaviors. However, the findings cannot sufficiently explain malware distribution networks. The aim of this study is to find high-degree nodes that perform core roles in spreading malware on malware distribution networks. To do so, I first built a system to gather malicious URLs that participated in malware distribution. Second, I comprehensively learned the properties of malicious URLs. For instance, attackers construct the geolocation between landing sites that users first access and exploit sites that launch attacks in a different manner. Different geographic locations make it difficult for defenders to detect and block core malicious URLs. Hence, defenders need to search for other malicious URLs at possible control locations. Third, all websites involved in malware distribution were reconstructed into a network with nodes. Each node was assigned a risk. For instance, the contamination rate of malware that propagates through Google with many users definitely differs from that of websites with few users. Based on this approach, a method for measuring the overall risk of malware distribution networks was proposed. This model helps in finding significant nodes that largely influence malware diffusion.