“A typical phishing or Web-based malware attack usually isn’t terribly complex,” says a report on Threat Post. “But they need a few things in order to work, and one of the key components often is a malicious domain. Researchers spend a lot of time identifying and taking these domains down, but some researchers now are trying to stay a step ahead of the game by predicting which domains will be used for malicious purposes.”
According to the report, “Like bored tweens at the mall, malicious domains tend to cluster together, showing up in large groups at certain hosting providers. Often, these are so-called bulletproof hosting companies that aren’t overly concerned with what kind of activity is emanating from the domains on their platform.”
Attackers often register dozens of domains at a time, “typically with nonsensical alphanumeric URLs, and use them as needed, discarding them whenever they’re identified as malicious.”
To counter these attackers, researchers at Palo Alto Networks have been studying their behaviours. As a result, they have “identified a few things that can help them predict which domains may end up being malicious at some point. They found that once domains are identified as malicious and blacklisted by reputation services, the attackers will abandon them. Then, after a period of time, the domain is removed from the reputation systems and other blacklists and will fall back into a pool of domains that are useful to attackers. In research presented at the Virus Bulletin conference here Wednesday, Wei Xu, Yanxin Zhang and Kyle Sanders of Palo Alto said that they have developed a formula that enables them to predict which of those domains will be used by attackers again.”
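The three signals the report describes (a domain that was blacklisted and has since aged off the lists, a nonsensical alphanumeric label, and clustering at a hosting provider with many known-bad domains) can be combined into a simple triage score. The Python below is an added illustration of that idea, not the Palo Alto Networks formula, which the article does not reproduce; the weights, thresholds, domain names and hosting provider names are constructed assumptions for the example.

```python
"""Triage of domains likely to be (re)used for attacks.

Added illustration: a simple heuristic, not the Palo Alto Networks formula
(which the article does not reproduce). Weights, domain names and hosting
provider names are constructed for the example.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DomainRecord:
    name: str
    hoster: str                 # hosting provider the domain currently resolves to
    listed: Optional[date]      # first blacklisting by a reputation service, if any
    delisted: Optional[date]    # when it aged off the blacklists; None = still listed


# Constructed sample inventory (not real domains or providers).
RECORDS = [
    DomainRecord("x7q9kz2m.example", "bulletproof-host.example", date(2013, 1, 5), date(2013, 4, 1)),
    DomainRecord("a83jdk1l.example", "bulletproof-host.example", date(2013, 2, 9), date(2013, 5, 10)),
    DomainRecord("m4n5b6v7.example", "bulletproof-host.example", date(2013, 5, 20), None),
    DomainRecord("qwp02zx7.example", "bulletproof-host.example", None, None),
    DomainRecord("news-portal.example", "clean-host.example", None, None),
    DomainRecord("shop.example", "clean-host.example", None, None),
    DomainRecord("mail.example", "clean-host.example", None, None),
    DomainRecord("p0o9i8u7.example", "clean-host.example", date(2013, 3, 3), None),
]

# Assumed weights for the three signals the article describes.
W_DELISTED = 3.0   # previously blacklisted, now aged off: back in the attackers' pool
W_RANDOM = 2.0     # nonsensical alphanumeric label
W_HOSTER = 2.0     # scaled by the share of ever-blacklisted domains at the hoster


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label: str, min_len: int = 6) -> bool:
    """Crude 'nonsensical alphanumeric' test: long enough, digit-heavy, high entropy."""
    if len(label) < min_len:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return digit_ratio >= 0.25 and shannon_entropy(label) >= 2.5


def hoster_bad_fraction(records: list[DomainRecord]) -> dict[str, float]:
    """Share of each hoster's domains that have ever been blacklisted (the clustering signal)."""
    total = Counter(r.hoster for r in records)
    bad = Counter(r.hoster for r in records if r.listed is not None)
    return {h: bad[h] / total[h] for h in total}


def reuse_score(rec: DomainRecord, bad_fraction: dict[str, float]) -> float:
    """Higher = more likely to show up (again) in attacks. Assumes rec is not currently listed."""
    score = 0.0
    if rec.listed is not None and rec.delisted is not None:
        score += W_DELISTED
    if looks_random(rec.name.split(".")[0]):
        score += W_RANDOM
    score += W_HOSTER * bad_fraction.get(rec.hoster, 0.0)
    return score


def rank_candidates(records: list[DomainRecord]) -> list[tuple[str, float]]:
    """Rank domains that are NOT currently blacklisted (those are already blocked)."""
    bad_fraction = hoster_bad_fraction(records)
    unlisted = [r for r in records if r.listed is None or r.delisted is not None]
    scored = [(r.name, reuse_score(r, bad_fraction)) for r in unlisted]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for name, score in rank_candidates(RECORDS):
        print(f"{score:4.1f}  {name}")
```

Domains that are still on a blacklist are deliberately left out of the ranking: they are already blocked, and the point the researchers make is that the risky moment is after delisting, when a domain quietly becomes usable again. The two delisted, random-looking domains at the heavily polluted hoster come out on top, while ordinary-looking names at the mostly clean hoster score near zero.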