Detecting Malicious URLs - Part 4. “Lifelines”

In part 3 we considered information about registrars as a way to detect malicious URLs. For example, we found that most of the URLs from the given malware set had been registered through the Russian registrar “REGGI-REG-RIPN”. Moreover, we noticed that Russian registrars are widely used to register the malicious domains utilized by popular botnets.

In part 4, we will analyse information about the creation and expiration dates of domains, which can be obtained using the same WhoIs protocol. We will try to draw a conclusion about whether a URL is malicious or not based on the lifetime of its domain.

We will use the same set of URLs as before:
   • Trusted URLs from Alexa
   • Phishing URLs from Phishtank
   • Malware URLs extracted from a malware flow

After collecting the creation and expiration times of the domains using WhoIs, we drew the following charts:

A year of creation.

A year of expiration.

A lifetime of domains.

From the last chart we can clearly conclude that malware and phishing URLs tend to be registered for a short period of time. While the phishing distribution is spread across a five-year range and covers only 60% of the URLs, the malware set clearly shows that 90% of its URLs have been registered for only one year. This makes sense: links to malware and botnet C&C servers usually live for only a few days, so malware distributors lease domains for the minimum period allowed by registrars, commonly one year.

Conversely, the “green” or “legitimate” URLs have been created evenly over a span of more than 30 years and have an average lifetime of 15 years, whereas the same value for malware and phishing URLs is 1 year. Some of the trusted domains were even registered at the end of the 1980s, at the very beginning of the Internet era.

The oldest domains, from the 1980s (the domain names themselves are not preserved in this copy of the table):

| Domain name | Country | Creation Date |
|---|---|---|
| | US | 03 Mar 1986 |
| | US | 19 Mar 1986 |
| | US | 19 Mar 1986 |
| | US | 25 Mar 1986 |
| | US | 25 Mar 1986 |
| | US | 25 Apr 1986 |
| | US | 05 Aug 1986 |
| | DE | 29 Sep 1986 |
| | US | 17 Nov 1986 |
| | US | 17 Nov 1986 |
| | US | 19 Feb 1987 |
| | US | 04 Apr 1987 |
| | US | 14 May 1987 |
| | GB | 31 Mar 1988 |
| | US | 27 May 1988 |
| | US | 05 Aug 1988 |
| | US | 01 Sep 1988 |
| | US | 16 Sep 1988 |
| | US | 22 Nov 1988 |
| | US | 02 Dec 1988 |
| | US | 25 Apr 1989 |
| | US | 16 May 1989 |
| | US | 25 May 1989 |
| | US | 07 Jul 1989 |
| | GB | 15 Jul 1989 |
| | US | 03 Aug 1989 |
| | US | 25 Oct 1989 |
| | US | 01 Nov 1989 |

So URLs whose domain has a one-year lifetime can be considered suspicious: a substantial share of phishing URLs (24%) and the vast majority of malware URLs (90%) are registered for one year, whereas one-year registrations make up only 0.5% of the trusted (“white”) domains.
