Threat Hunting When the Perimeter is Vague


Written by: Amiram Cohen

Are Domains Malicious?

The most basic capability of malware is the ability to communicate. Most malware will use the DNS protocol to enable robust communication. Typical malware payloads will use such techniques to download files to the compromised machine, or to communicate with the Command and Control (CnC) servers in order to control activities or exfiltrate data.

These days, the defensive perimeter is becoming a vague concept. This reality is the result of more personal devices moving in and out of the network. Moreover, networks have to contend with IoT devices that lack embedded protection and are often invisible to corporate monitoring and defensive planning. Situations like these are why security teams need to examine network traffic and block malicious activity.

The biggest challenge organizations face when looking at network traffic and analyzing suspicious domains is determining which of them are malicious and which are benign. In most cases, the domain name on its own, as a stand-alone indicator, lacks the context needed to judge malicious activity. More information is typically needed in order to add context and provide a better understanding of the domain in question.

In this post, we'll help you get better context on the potential for malicious activity when looking at suspicious domains. There are a variety of security intelligence data sources and services available to the public, both free and paid, that can greatly increase the accuracy of decision making.

Ready, Get Set, Let's Go...

One of the first things an enterprise security specialist needs to do when analyzing traffic is determine whether a suspicious domain was accessed from within the enterprise to reach a remote resource. In this scenario, we look for possible indicators and resources that might add context to the inspected domain.

When examining the domain we should take several things into consideration:

Was the domain classified as being malicious in the past?

What can we learn from the domain's registrant information?

What can we learn from the history of that domain?

Are there indicators based on whois records and where the domain is hosted?

Can we see any relationship, similarity, or pivots between the inspected domain and other malicious domains?

Can we learn something from the traffic and popularity of the inspected domain?

Third Party Indicators

Our first step when looking into a suspicious domain is to understand if there is already evidence in the wild tying this domain to malicious activity. There are many publicly available tools offering information about domains and the indicators flagging them as either malicious or benign.

Before we dive into using tools, remember that many of the results that come from third-party resources should be taken with a grain of salt. Many of these tools are automatic, black and white mechanisms, and are not 100% accurate. However, several red flags together can be a strong indicator of something malicious.

One of the most well known public services is VirusTotal. This service allows you to easily determine if a given domain is linked to malware activity by a variety of antivirus vendors. VirusTotal can, in some cases, show the relationship between the suspicious domain and malicious files hosted on the domain.

Figure 1: VirusTotal community analysis portal for suspicious files and URLs detection

There are many other reliable services that give users the ability to automatically analyze a domain and get indications of its maliciousness. Another simple, yet effective, approach is to query your favorite search engine for indications that tie the suspected domain to other malicious activities. In this case, a simple search for the domain with keywords like "malicious" or "phishing" will do the job. Be careful not to accidentally browse to the suspected domain and expose your computer to unnecessary threats.

Here is a short list of services that may help with determining if a domain is malicious:

PhishCheck or CheckPhish - Online, on-demand phishing check engine.

Malwares.com / Hybrid-analysis.com / Totalhash - Malware analysis systems.

WOT - Ranking service that supports public reviews for a domain.

Domain Information and History

Sometimes, there isn't a third party indicator available on the domain in question. In these situations, we can look for other publicly available information related to the domain, such as registration details, or WHOIS records.

A WHOIS service can create additional context for the inspected domain. The more interesting fields are the date-formatted fields and the registrant fields. The date-formatted fields generally indicate the age of a domain. For example, a newly registered (or changed) domain should be inspected more carefully as it may represent an emerging threat. A malicious domain may be registered with fake information and analyzing that information may help with determining the true identity behind the domain.
The "domain privacy" service may also be used by domain owners; it replaces the registrant's contact details in the public WHOIS record with those of a proxy, and the usage of privacy should be considered in the overall context of other findings on the suspicious domain.

WHOIS services can be queried in several ways:

Linux bash - type "whois example.com" in the terminal (or see some docs here).

Windows command line - a simple Windows binary querying tool is available for download from here.

Online WHOIS service - a nice way to separate ourselves from the suspected domain. There are many services out there; who.is is the simplest one.
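As an added illustration (not code from the original post), the Python sketch below applies the WHOIS checks described above (domain age, recent changes, privacy service) together with the "several red flags together" rule from the third-party indicators section, run over a constructed WHOIS record; the field names, the 90-day threshold, the privacy-marker list and the engine-count rule are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample WHOIS output (not a real record); it mimics the
# "Key: Value" layout that the whois command-line tool prints.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SUSPECT.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2024-05-20T10:15:00Z
Updated Date: 2024-05-21T08:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect, LLC
Registrant Country: ZZ
"""

# Assumed markers that commonly appear when a privacy/proxy service is in use.
PRIVACY_MARKERS = ("redacted for privacy", "privacy protect", "whoisguard", "proxy")
# Fixed clock so the age computation is reproducible (assumption for the demo).
FIXED_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)

def parse_whois(text):
    """Map lowercase 'Key' to 'Value' for each 'Key: Value' line (first wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def parse_date(value):
    """Parse the ISO-8601 timestamp most registries print (trailing 'Z' = UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def whois_red_flags(fields, now, young_days=90):
    """Red flags derived from the date-formatted and registrant fields."""
    flags = []
    age = (now - parse_date(fields["creation date"])).days
    if age < young_days:
        flags.append(f"domain created {age} days ago")
    if "updated date" in fields and (now - parse_date(fields["updated date"])).days < young_days:
        flags.append(f"record changed {(now - parse_date(fields['updated date'])).days} days ago")
    registrant = " ".join(v for k, v in fields.items() if k.startswith("registrant")).lower()
    if any(marker in registrant for marker in PRIVACY_MARKERS):
        flags.append("registrant hidden behind a privacy service")
    return flags

def triage(whois_text, engine_hits, engine_total, now=FIXED_NOW):
    """Combine WHOIS flags with third-party verdicts; several flags together -> investigate."""
    flags = whois_red_flags(parse_whois(whois_text), now)
    if engine_total and engine_hits >= 2:   # a single engine hit alone is too noisy to act on
        flags.append(f"{engine_hits}/{engine_total} engines flag the domain")
    return ("investigate" if len(flags) >= 2 else "low"), flags

if __name__ == "__main__":
    print(triage(SAMPLE_WHOIS, engine_hits=3, engine_total=70))
```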

Many common scam, phishing, and malware distribution domains can be discovered by the URL. We strongly advise against linking directly to a suspicious domain. However, some online services can take screenshots for us and safely do the job. Try

