The Words That Indicate Malicious Domain URLs
An anonymous reader writes: Researchers from AT&T have released research which improves the identification-rate of malicious URLs — such as those used for C&C servers or to distribute malware to redirected victims — by individuating words in the domain names. Though many of the words that Wei Wang and Kenneth Shirley were able to group as 'malign' are predictable, there is a strange recurrence of basketball-related words in the URL lexicon of malice, with 'bad' domains using names such as LeBron James, Kobe Bryant and Michael Jordan. By contrast 'golf' is least likely to be seen in a dangerous URL, along with state names, scenery and realty.
This kind of research is almost self-defeating.
When you put out there a list of words that help flag a domain as "bad", you're just signaling to the malware makers to avoid those words.
Then you can make a new list of words. And then they'll avoid those words.
Eventually, the malware domains will be essentially indistinguishable from the real domains.
That's lose-lose for everyone.
Unfortunately, keeping the list secret does no good either. If it's truly secret, then no one can use it to fight malware. If it's only "secret" as in "not widely published", then the malware makers will still find it and use it.
There is no right choice.
Seriously, it seems they know how to entice the befuddled masses into clicking on their garbage.
Most of the time when I've found a malicious website, it's been involved with searching for household items.
Recently I caught some on a site regarding garage door openers.
Then a few days ago when I was online looking for kitchen cabinet knobs.
Not the sort of knob job people think about normally providing malware.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
sourceforge.net
cnet.com and download.com
softpedia.com
Silence is a state of mime.