Are Domains Malicious?
The most basic capability of malware is the ability to communicate. Most malware will use the DNS protocol to enable robust communication. Typical malware payloads will use such techniques to download files to the compromised machine, or to communicate with the Command and Control (CnC) servers in order to control activities or exfiltrate data.
These days, the defensive perimeter is becoming a vague concept. This is the result of more personal devices moving in and out of the network. Moreover, networks have to contend with IoT devices that lack embedded protection and are often invisible to corporate monitoring and defensive planning. Situations like these are why security teams need to examine network traffic and block malicious activity.
The biggest challenge organizations face when looking at network traffic and analyzing suspicious domains is determining which of them are malicious and which are benign. In most cases, the domain name on its own is a stand-alone indicator with no context for malicious activity. More information is typically needed in order to add context and provide a better understanding of the domain in question.
In this post, we'll help you get better context on the potential for malicious activity when looking at suspicious domains. There are a variety of security intelligence data sources and services available to the public, both free and paid, that can greatly increase the accuracy of decision making.
Ready, Get Set, Let's Go...
One of the first things an enterprise security specialist needs to do when analyzing traffic is determine whether a suspicious remote domain was accessed from within the enterprise. In this scenario, we look for possible indicators and resources that might add context to the inspected domain.
When examining the domain we should take several things into consideration:
Was the domain classified as being malicious in the past?
What can we learn from the domain's registrant information?
What can we learn from the history of that domain?
Are there indicators based on whois records and where the domain is hosted?
Can we see any relationship, similarity, or pivots between the inspected domain and other malicious domains?
Can we learn something from the traffic and popularity of the inspected domain?
Third Party Indicators
Our first step when looking into a suspicious domain is to understand if there is already evidence in the wild tying this domain to malicious activity. There are many publicly available tools offering information about domains and the indicators flagging them as either malicious or benign.
Before we dive into using tools, remember that many of the results that come from third-party resources should be taken with a grain of salt. Many of these tools are automatic, black and white mechanisms, and are not 100% accurate. However, several red flags together can be a strong indicator of something malicious.
One of the most well known public services is VirusTotal. This service allows you to easily determine whether a given domain has been linked to malware activity by a variety of antivirus vendors. VirusTotal can, in some cases, show the relationship between the suspicious domain and malicious files hosted on the domain.
Figure 1: VirusTotal community analysis portal for suspicious files and URLs detection
There are many other reliable services that give users the ability to automatically analyze a domain and get indications of its maliciousness. Another simple, yet effective, approach is to query your favorite search engine for indications that tie the suspected domain to other malicious activities. In this case, a simple search for the domain with keywords like "malicious" or "phishing" will do the job. Be careful not to accidentally browse to the suspected domain and expose your computer to unnecessary threats.
Here is a short list of services that may help with determining if a domain is malicious:
WOT - Ranking service that supports public reviews for a domain.
Domain Information and History
Sometimes, there isn't a third party indicator available on the domain in question. In these situations, we can look for other publicly available information related to the domain, such as registration details, or WHOIS records.
A WHOIS service can create additional context for the inspected domain. The more interesting fields are the date-formatted fields and the registrant fields. The date-formatted fields generally indicate the age of a domain. For example, a newly registered (or changed) domain should be inspected more carefully as it may represent an emerging threat. A malicious domain may be registered with fake information and analyzing that information may help with determining the true identity behind the domain.
A "domain privacy" (WHOIS privacy) service, which replaces the registrant's contact details in the public record with the privacy provider's details, may also be used by legitimate domain owners, so the use of privacy should be weighed in the overall context of other findings on the suspicious domain.
WHOIS services can be queried in several ways:
Linux shell - type "whois example.com" in the terminal (the whois manual page documents its options).
Windows command line - a small command-line WHOIS client is available for download.
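The following is an added example, not code from the original post: it parses a WHOIS record in the common "Key: Value" layout and derives the context described above (domain age, a recently changed record, and a privacy-protected registrant). The WHOIS record, the reference time and the day thresholds are all constructed assumptions for illustration; no real registrant data is used.

```python
"""Added example (not code from the original post): parse a WHOIS record
and derive the context described above - domain age, recent changes and
a privacy-protected registrant. The record and reference time below are
constructed for illustration; no real registrant data is used."""
import re
from datetime import datetime, timezone

# Constructed WHOIS output in the common "Key: Value" layout used by gTLD
# registries. Every value here is invented.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LOGIN-VERIFY.COM
Registrar: Example Registrar, LLC
Creation Date: 2018-04-10T09:12:33Z
Updated Date: 2018-04-11T14:02:10Z
Registry Expiry Date: 2019-04-10T09:12:33Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect, LLC
Registrant Country: PA
Name Server: NS1.EXAMPLE-DNS.NET
"""

# Constructed analysis time, so the example gives stable results offline.
REFERENCE_TIME = datetime(2018, 4, 20, 12, 0, tzinfo=timezone.utc)

# Substrings that commonly appear when a WHOIS privacy/proxy service is used.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard")

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")


def parse_whois(text):
    """Return {lower-cased key: value}, keeping the first value of each key."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields.setdefault(match.group(1).strip().lower(), match.group(2))
    return fields


def parse_date(value):
    """Accept the RFC 3339 form used by gTLD WHOIS or a bare YYYY-MM-DD."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def whois_context(text, now=REFERENCE_TIME, new_days=30, changed_days=14):
    """Turn a WHOIS record into the red flags the post lists: a newly
    registered domain, a recently changed record and a hidden registrant.
    The day thresholds are assumed defaults, not values from the post."""
    fields = parse_whois(text)
    created = parse_date(fields.get("creation date", ""))
    updated = parse_date(fields.get("updated date", ""))
    registrant = " ".join(
        fields.get(key, "")
        for key in ("registrant name", "registrant organization")
    ).lower()

    flags = []
    age_days = (now - created).days if created else None
    if age_days is not None and age_days <= new_days:
        flags.append("newly_registered")
    if updated and (now - updated).days <= changed_days:
        flags.append("recently_changed")
    if any(marker in registrant for marker in PRIVACY_MARKERS):
        flags.append("privacy_protected")

    return {
        "domain": fields.get("domain name", "").lower(),
        "age_days": age_days,
        "flags": flags,
    }


if __name__ == "__main__":
    # Usage: feed the text of "whois example.com" to whois_context().
    print(whois_context(SAMPLE_WHOIS))
```

Each flag on its own is weak evidence (plenty of legitimate sites are new or privacy-protected); the value of the parser is that its output can be combined with the third-party and hosting indicators discussed elsewhere in the post.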
Many common scam, phishing, and malware distribution domains can be recognized simply by viewing the page behind the URL. We strongly advise against browsing directly to a suspicious domain. However, some online services can take a screenshot for us and do the job safely. Try Urlscan.io or Web-capture.net.
Figure 2: urlscan.io sandbox for the web
The next step in our analysis focuses on the actual resources hosting the suspicious domain. For example, a domain being used for Command and Control (C&C) communication may use unique protocols or ports.
Indications of such activity can be found by looking at the host of the C&C server. One option for discovering protocol usage is scanning for open ports with a basic scanner (e.g., Zenmap). However, we don't recommend using a local port scanner, since it may be considered illegal in some countries and because it can easily be recognized as attacker activity. Use an online scanning service instead.
Shodan and Censys are examples of services that help you understand the communication characteristics of a given domain (and its resolved IP): open ports, headers, and some information about the service behind each open port.
Figure 3: shodan.io search engine for Internet-connected devices
For example, domains running resources on non-standard, open ports are frequently used for C&C communication and should raise suspicion levels.
Domain Pivoting to Other Indicators
Something else that may help with domain analysis is the ability to connect the dots between different indicators.
There are a few relations between indicators that can be used: domain to associated IP address or domain to malicious files previously hosted there. For example, looking at newly registered domains and seeing the resolved IP address was already associated with known malware can help with connecting the dots and give a better understanding of the risk involved.
VirusTotal Graph can give, for example, visibility into the relationship between suspected domains and malicious files previously hosted on that domain, malicious files communicating with that domain and its resolved IP addresses.
Figure 4: VirusTotal Indicators of Compromise (IoC) relation graph
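The following is an added example, not code from the original post and not the VirusTotal Graph API: it shows the "connecting the dots" idea with a small in-memory relation graph (domain to resolved IP, domain to hosted file, file to contacted domain) and a breadth-first search that finds the shortest pivot path from an inspected domain to any indicator already known to be malicious. Every indicator, relation and verdict in it is constructed for illustration; none is a real IoC.

```python
"""Added example (not code from the original post, and not the VirusTotal
Graph API): connect the dots between a suspicious domain and other
indicators with a small in-memory relation graph and a breadth-first
search. Every indicator below is constructed; none is a real IoC."""
from collections import deque

# Constructed (source, relation, target) triples. In practice these come
# from passive DNS, sandbox reports or a service such as VirusTotal.
RELATIONS = [
    ("new-invoice-portal.test", "resolves_to", "203.0.113.45"),
    ("old-campaign.test", "resolves_to", "203.0.113.45"),
    ("old-campaign.test", "hosted_file", "sha256:placeholder-a"),
    ("sha256:placeholder-b", "contacted", "new-invoice-portal.test"),
    ("benign-cdn.test", "resolves_to", "198.51.100.7"),
]

# Constructed verdicts from earlier analysis (the "third-party indicators").
KNOWN_MALICIOUS = {"sha256:placeholder-a", "sha256:placeholder-b"}


def build_graph(relations):
    """Undirected adjacency map, so pivots work from either end of an edge."""
    graph = {}
    for src, rel, dst in relations:
        graph.setdefault(src, []).append((dst, rel))
        graph.setdefault(dst, []).append((src, rel))
    return graph


def pivot_paths(graph, start, bad, max_hops=3):
    """Breadth-first search from `start`. Returns {malicious node: shortest
    path as a list of nodes} for every known-bad node within `max_hops`."""
    paths = {}
    seen = {start}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue  # do not expand beyond the hop budget
        for nxt, _rel in graph.get(path[-1], []):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            if nxt in bad:
                paths[nxt] = new_path
            queue.append(new_path)
    return paths


def describe(graph, path):
    """Render a path with its relation labels, e.g. 'a -resolves_to-> b'."""
    parts = [path[0]]
    for a, b in zip(path, path[1:]):
        rel = next(r for n, r in graph[a] if n == b)
        parts.append(f"-{rel}-> {b}")
    return " ".join(parts)


def closest_bad_hops(domain, relations=RELATIONS, bad=KNOWN_MALICIOUS):
    """Hop count to the nearest known-malicious indicator, or None."""
    paths = pivot_paths(build_graph(relations), domain, bad)
    return min((len(p) - 1 for p in paths.values()), default=None)


if __name__ == "__main__":
    g = build_graph(RELATIONS)
    for path in pivot_paths(g, "new-invoice-portal.test", KNOWN_MALICIOUS).values():
        print(describe(g, path))
```

Shared hosting makes the IP pivot noisy: a one-hop link through a busy IP address to an old campaign is weaker evidence than a direct link to a file that contacted the domain, so in practice the hop count and the relation types along the path both matter when weighing the result.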
Domain Traffic and Popularity
Looking at domain popularity can also help with identifying malicious activity. The most common case is a rapid change in traffic and visitors within a short period of time. A good example can be observed with a dedicated phishing campaign: when looking at a graph of the number of visitors over time, we see almost no activity until the campaign is activated and all the phishing victims land on the website.
One well known popularity ranking service is Alexa. Alexa shows the popularity of a site based on traffic parameters.
Another example of malicious activity that was recognized by ranking mechanisms is a recently popular phishing campaign named "topphoneapps.mobi".
Here, we can see "topphoneapps.mobi" earned a high popularity ranking during a short period of time when it was introduced around April 18, 2018. Looking at this rapid change in Alexa ranking gives researchers additional context for their threat analysis.
Figure 5: Alexa website traffic, statistics, and analytics
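The following is an added example, not code from the original post and not Alexa data: it flags the sudden popularity jump described above in a daily rank series by comparing each day's rank with the median of the preceding days. The rank series, the "unranked" placeholder value, the window size and the improvement factor are constructed assumptions chosen to mimic the April 2018 pattern the post describes, not measured figures for topphoneapps.mobi.

```python
"""Added example (not code from the original post, and not Alexa's data):
flag the sudden popularity jump a phishing campaign produces in a daily
rank series. The series below is constructed for illustration and only
loosely mimics the April 2018 pattern the post describes."""
from statistics import median

# Constructed daily (date, global rank) pairs. Lower rank = more popular;
# None means the site was not ranked at all on that day.
SAMPLE_RANKS = [
    ("2018-04-10", None), ("2018-04-11", None), ("2018-04-12", None),
    ("2018-04-13", None), ("2018-04-14", None), ("2018-04-15", None),
    ("2018-04-16", None), ("2018-04-17", 2_450_000), ("2018-04-18", 310_000),
    ("2018-04-19", 48_000), ("2018-04-20", 35_000), ("2018-04-21", 41_000),
    ("2018-04-22", 60_000),
]

UNRANKED = 10_000_000  # assumed stand-in rank for "not ranked at all"


def rank_spikes(series, window=3, factor=10.0, unranked=UNRANKED):
    """Return [(date, improvement)] for each day whose rank is at least
    `factor` times better than the median rank of the previous `window`
    days. A site that goes from unranked to the top few hundred thousand
    within a day or two shows the signature the post describes."""
    ranks = [r if r is not None else unranked for _, r in series]
    spikes = []
    for i in range(window, len(series)):
        baseline = median(ranks[i - window:i])
        improvement = baseline / ranks[i]
        if improvement >= factor:
            spikes.append((series[i][0], round(improvement, 1)))
    return spikes


def campaign_start(series, **kwargs):
    """Date of the first spike, which usually marks the campaign launch."""
    spikes = rank_spikes(series, **kwargs)
    return spikes[0][0] if spikes else None


if __name__ == "__main__":
    for date, improvement in rank_spikes(SAMPLE_RANKS):
        print(f"{date}: rank improved {improvement}x over the trailing median")
    print("campaign start:", campaign_start(SAMPLE_RANKS))
```

The trailing median rather than the previous day's value keeps a single noisy measurement from triggering a spike, and the multiplicative factor means the same rule works whether the site starts from "unranked" or from a modest existing rank.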
There are many different ways to determine whether domains are malicious or not. We've gone through some of the basics of checking for indicators on suspicious domains, and there are more techniques out there that can be used to enrich context and analysis.
Malware is considered an on-going and long-lived threat to enterprise environments, and the threat continues to evolve and penetrate organizations through cracks in the vague network perimeter.
As this area advances, many methodologies and tools will continue to become available for analyzing domains and applying context to various indicators. Changes in enterprise boundaries are leading to an increased need for network monitoring capabilities, as well as a need to build the skills required to deploy the right solutions.