Researchers Work to Predict Malicious Domains

Some researchers are trying to stay a step ahead of the game by predicting which domains will be used for malicious purposes.

SEATTLE–A typical phishing or Web-based malware attack usually isn’t terribly complex. But they need a few things in order to work, and one of the key components often is a malicious domain. Researchers spend a lot of time identifying and taking these domains down, but some researchers now are trying to stay a step ahead of the game by predicting which domains will be used for malicious purposes.

Like bored tweens at the mall, malicious domains tend to cluster together, showing up in large groups at certain hosting providers. Often, these are so-called bulletproof hosting companies that aren’t overly concerned with what kind of activity is emanating from the domains on its platform. Attackers of all stripes–bot herders, phishing gangs, malware authors–love these providers and will use their services to host botnet command-and-control infrastructures, phishing pages and all kinds of other badness. They often will register dozens of domains at a time, typically with nonsensical alphanumeric URLs, and use them as needed, discarding them whenever they’re identified as malicious.

Researchers at Palo Alto Networks have been looking at the behaviors of the attackers that use these methods and identified a few things that can help them predict which domains may end up being malicious at some point. They found that one domains are identified as malicious and blacklisted by reputation services, the attackers will abandon them. Then, after a period of time, the domain is removed from the reputation systems and other blacklists and will fall back into a pool of domains that are useful to attackers. In research presented at the Virus Bulletin conference here Wednesday, Wei Xu, Yanxin Zhang and Kyle Sanders of Palo Alto said that they have developed a formula that enables them to predict which of those domains will be used by attackers again.

“Right now, malicious domain detection happens after the domains are in use.”

“Right now, malicious domain detection happens after the domains are in use. The attackers make sure that these domains are short-lived,” said Xu.

Their formula takes into account the domain name, the gTLD it uses, changes in IP address for the domain and the price for a domain transfer. Each gTLD has a different weight in the formula, and the researchers said they’ve been successful in identifying domains that will become malicious at some point down the road.

“We’re focusing on newly registered domains and trying to provide early warning,” Xu said. “We can calculate how likely previously malicious domains are to be used again.”

Xu said that the approach does produce some false positives, but that the formula can still be adjusted to help address that.

Suggested articles