New Techniques Predict Malicious Domain Names
Researchers at Palo Alto Networks have devised a means for guessing malicious domain names before they are used in a malware attack. A paper titled “We Know It Before You Do: Predicting Malicious Domains,” by Wei Xu, Kyle Sanders, and Yanxin Zhang, highlights a number of factors that play a role in how attackers acquire and deploy new domain names.
The authors point out that attackers don’t keep a domain for long. Spam and antivirus blacklists quickly identify a malicious domain, rendering it ineffective. Attackers are therefore constantly registering new names to use temporarily. By the time the blacklists discover a name, the attackers are often ready to let the name go and move on to a new one. The overall effect is a revolving door of names that are acquired, exploited, and discarded. The authors describe a variety of techniques for predicting malicious names before they are used, including:
- DGA: Attackers often use Domain Generation Algorithms (DGA) to create new domain names. The presence of DGA domain names in certain contexts indicates a possible malicious site.
- Re-use of domain names: Attackers often abandon a name, then wait for it to fall off the blacklists, then re-register it at a later date.
- Observing DNS queries: Certain specific patterns of DNS queries indicate the presence of an attacker searching for an available name.
- Connections between malicious domains: A domain that is about to be used for an attack is often identifiable by its connections to other malicious domains.
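To make three of the signals above concrete, here is an added illustration (not code from the Palo Alto Networks paper, and not its scoring method): a small Python script that runs over constructed passive-DNS-style records and flags names that look algorithmically generated, names that were blacklisted before and are being re-registered, and names that share infrastructure with a known malicious domain. The record layout, the IP addresses, the vowel-ratio and consonant-run thresholds and the `KNOWN_BAD_IPS` set are all assumptions made for the example; the "DNS query pattern" signal is not modelled here because it needs a query timeline the sample does not contain.

```python
import re

# Constructed sample records in a passive-DNS-like shape (illustrative only,
# not data from the paper): (queried name, resolved IP, seen on a blacklist before)
SAMPLE_RECORDS = [
    ("example.com",           "203.0.113.10", False),
    ("xk3jq9vz7wlp.net",      "203.0.113.55", False),
    ("cheap-meds-online.biz", "203.0.113.55", True),
    ("news.example.org",      "203.0.113.20", False),
    ("qzrtwkpdmvbx.info",     "203.0.113.56", False),
]

# Constructed: addresses already tied to confirmed malicious domains.
KNOWN_BAD_IPS = {"203.0.113.55"}

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")


def second_level_label(name):
    """Return the registrable label, e.g. 'example' for 'news.example.org'.
    Simplified: takes the label left of the last dot and does no public-suffix
    handling, so a name like 'example.co.uk' would be mis-split."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def vowel_ratio(label):
    """Fraction of alphabetic characters that are vowels (digits ignored)."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def longest_consonant_run(label):
    """Length of the longest unbroken run of consonants in the label."""
    return max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)


def looks_generated(name):
    """Heuristic for DGA-style labels: long and nearly vowel-free, or carrying
    an implausibly long consonant run. The thresholds are assumptions."""
    label = second_level_label(name)
    if len(label) < 8:
        return False
    return vowel_ratio(label) < 0.2 or longest_consonant_run(label) >= 5


def assess(records, known_bad_ips):
    """Map each name to the list of reasons it deserves a closer look."""
    flagged = {}
    for name, ip, previously_blacklisted in records:
        reasons = []
        if looks_generated(name):
            reasons.append("dga-like label")
        if previously_blacklisted:
            reasons.append("previously blacklisted, re-registered")
        if ip in known_bad_ips:
            reasons.append("shares IP with known malicious domain")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in assess(SAMPLE_RECORDS, KNOWN_BAD_IPS).items():
        print(name, "->", "; ".join(reasons))
```

Run as-is, the script flags `xk3jq9vz7wlp.net` and `qzrtwkpdmvbx.info` on the label heuristic, and `cheap-meds-online.biz` on the re-registration and shared-IP signals, while the two ordinary names pass. The vowel-ratio check is deliberately used instead of raw character entropy: a readable multi-word label such as `cheap-meds-online` has entropy comparable to a generated one, so entropy alone produces false positives on legitimate names.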
The authors tested their techniques and found that they predicted domains that were soon to be malicious with 83% accuracy. The study offers an illuminating glimpse into the strategies used by attackers to secure and exploit malicious domain names. The authors say they will continue to look for “more connections and evidence” that suggest a name will be used for malicious purposes.