- Security Center
- English ▾
Detecting Malicious URLs - Part 4. “Lifelines”
In part 3 we considered information about registrars as a way to detect malicious URLs. For example, we found out that the most of URLs from the given malware set have been registered by Russian registrar “REGGI-REG-RIPN”. Moreover, we noticed that Russian registrars are widely used to register malicious domains which are utilized by the popular botnets.
In part 4, we will analyse information about the creation and expiration of domains, which can be obtained using the same WhoIs protocol. We will try to make a conclusion whether a URL is malicious or not based on its lifetime.
After collecting information about creation and expiration time of domains using WhoIs, we drew the following charts:
A year of creation.
A year of expiration.
A lifetime of domains.
From the last chart we can clearly conclude that malware and phishing URLs tend to be registered for a short period of time. While phishing trends are blurred within a 5 year term and covers only 60% of URLs, the malware set clearly shows that 90% of URLs have been registered for only one year. This makes sense, as links to malware and botnet C&C usually live for only a few days, so malware distributors lease domains for the minimum period of time allowed by registrars – commonly one year.
Conversely, the “green” or “legitimate” URLs have been created evenly during more than 30 years and have an average lifetime equal to 15 years, whereas the same value for malware and phishing URLs is 1 year. Some of the trusted domains are even registered at the end of the 1980s - at the very beginning of the Internet era.
The oldest domains from 80s:
|Domain name||Country||Creation Date|
|http://hp.com/||US||03 Mar 1986|
|http://ibm.com/||US||19 Mar 1986|
|http://sun.com/||US||19 Mar 1986|
|http://intel.com/||US||25 Mar 1986|
|http://ti.com/||US||25 Mar 1986|
|http://att.com/||US||25 Apr 1986|
|http://ge.com/||US||05 Aug 1986|
|http://siemens.com/||DE||29 Sep 1986|
|http://amd.com/||US||17 Nov 1986|
|http://adobe.com/||US||17 Nov 1986|
|http://apple.com/||US||19 Feb 1987|
|http://philips.com/||US||04 Apr 1987|
|http://cisco.com/||US||14 May 1987|
|http://sky.com/||GB||31 Mar 1988|
|http://3m.com/||US||27 May 1988|
|http://guru.com/||US||05 Aug 1988|
|http://ford.com/||US||01 Sep 1988|
|http://kodak.com/||US||16 Sep 1988|
|http://dell.com/||US||22 Nov 1988|
|http://oracle.com/||US||02 Dec 1988|
|http://morningstar.com/||US||25 Apr 1989|
|http://sagepub.com/||US||16 May 1989|
|http://dhl.com/||US||25 May 1989|
|http://sony.com/||US||07 Jul 1989|
|http://bbc.com/||GB||15 Jul 1989|
|http://autodesk.com/||US||03 Aug 1989|
|http://honda.com/||US||25 Oct 1989|
|http://info.com/||US||01 Nov 1989|
So the URLs with one year lifetime can be considered as suspicious, since the majority of phishing (24%) and malware URLs (90%) are registered for a one year, whereas the trusted websites take only 0,5% of the total amount of “white” domains.
Share this post: Twitter Facebook