Abstract: Disclosed is a malicious code blocking system including: a fake website detector that repeatedly accesses a website to be monitored to detect an attack, stores a detection log of the attacked site, and provides a URL address of the attacked site or server; a malicious URL storage that temporarily stores a URL address of the attacked site or server and stores a status flag indicating whether or not a malicious URL list containing information on malicious URLs changes; and a URL filter associated with a user terminal to monitor a network packet transmitted or received by the user terminal, check whether or not the status flag changes in a case where DNS query request for visiting a specific site is generated, and update a malicious URL list containing information on a malicious URL based on information stored in the malicious URL storage if the status flag changes.