Detecting Malicious URLs - Part 3. “Suspicious Registrars”

In part 2 we analysed the geographic locations of trusted, phishing and malware URLs. At the end we found interesting peculiarities related to the location of malware URLs. Many of them are hosted in former Soviet Union countries and even in Antarctica. In part 3, we will analyse information about registrars which can be obtained using the WhoIs protocol to determine if information about a registrar can be used to help detect phishing or malware URLs. We will use the same set of URLs as before:
   • Trusted URLs from Alexa
   • Phishing URLs from Phishtank
   • Malware URLs extracted from a malware flow

After collecting available WhoIs data for our URL sets we have the following picture. Trusted URLs registrars:

Phishing URLs registrars:

Malware URLs registrars:

Let us first compare Phishing and Trusted registrars. We can see that the top rank among trusted registrars is occupied by “GODADDY.COM, LLC” (17%), whereas the first position on the Phishing diagram contains information about three different registrars “GODADDY.COM, LLC, PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM, GODADDY.COM, LLC, TUCOWS.COM CO.” (31%) at the same time. This looks strange and can be used to help identify a phishing URL. The following Malware registrars chart shows a clear leader. The registrar “REGGI-REG-RIPN” is used in 78% of cases where the domain has been used for spreading malware or running a C&C botnet server. “REGGI-REG-RIPN” or “Reggi Business Ltd” is a popular Russian domain registration company.

The “-REG-RIPN” suffix means that a registrar originates from Russia, where “RIPN” is Russian Institute for Public Networks – the Russian Backbone Network operator which is responsible for creating a cyberspace for science and education in Russian Federation. The list of all Russian registrars (RU domains) can be found here.

While the trusted “RU-CENTER-REG-RIPN” registrar is mentioned in the “green” list with 3% of links, another Russian registrar “REGRU-REG-RIPN” is being used many times to register Zeus botnet domains.

As we can see the majority of malware links are registered by Russian registrars (REGGI-REG-RIPN, REGRU-REG-RIPN), which can be explained by the fact that the Russian hackers are behind the biggest botnets (Zeus, Shiz, Carperb) and use RU domains for C&C servers as a cheap and safe way to maintain zombie networks.

The links registered on REGGI-REG-RIPN have a similar structure and led to malware files:

hxxp://uwfekfyj.ru/avalon3.exe
hxxp://ycjukgup.ru/keybex3.exe
hxxp://ystinqoc.ru/newtor4.exe
hxxp://xylyvkan.ru/rasta01.exe
hxxp://wofgyqyv.ru/calc.exe

After scanning all downloaded files with our internal engine we had the following verdicts:

The majority of verdicts are botnet variants that steal confidential data from users’ computers. A detailed description of the one of these Trojans,“SonyAgent”(TrojanPSW.FTPAgent), can be found in our Malware Encyclopedia.

On the basis of the stats collected so far it is possible to conclude that a list of potentially dangerous registrars can be used to prevent a user from accessing a webpage that contains malware even without using a blacklist of URLs.

  • Back to articles


  • Share this post:    Twitter Facebook