Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Words That Indicate Malicious Domain URLs

Posted by timothy on from the strange-world-we-live-in dept.

An anonymous reader writes: Researchers from AT&T have released research which improves the identification-rate of malicious URLs — such as those used for C&C servers or to distribute malware to redirected victims — by individuating words in the domain names. Though many of the words that Wei Wang and Kenneth Shirley were able to group as 'malign' are predictable, there is a strange recurrence of basketball-related words in the URL lexicon of malice, with 'bad' domains using names such as LeBron James, Kobe Bryant and Michael Jordan. By contrast 'golf' is least likely to be seen in a dangerous URL, along with state names, scenery and realty.

43 of 84 comments (clear)

  1. Clearly the solution is to ban basketball. by Anonymous Coward · · Score: 2, Funny

    'nuff said.

    1. Re:Clearly the solution is to ban basketball. by Holi · · Score: 2

      I could back that

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    2. Re:Clearly the solution is to ban basketball. by Anamelech · · Score: 2

      It's about time. I need those baskets back.

    3. Re:Clearly the solution is to ban basketball. by gstoddart · · Score: 1

      LOL ... well played!

      --
      Lost at C:>. Found at C.
    4. Re:Clearly the solution is to ban basketball. by rudy_wayne · · Score: 1, Troll

      By contrast 'golf' is least likely to be seen in a dangerous URL

      I don't know about "dangerous" but I get lots of spam for golf clubs. Seriously. I have never played golf and dislike anyone who does. It originates from constantly changing URLs that all contain "golf" in some way or another. So now I just block everything containing the word golf.

    5. Re:Clearly the solution is to ban basketball. by davester666 · · Score: 1

      Just another Canadian LIE!

      --
      Sleep your way to a whiter smile...date a dentist!
  2. just pandering to their target derpagraphic by Revek · · Score: 2

    Seriously, it seems they know how to entice the befuddled masses in to clicking on their garbage.

    1. Re:just pandering to their target derpagraphic by Ol+Olsoc · · Score: 3, Insightful

      Seriously, it seems they know how to entice the befuddled masses in to clicking on their garbage.

      Most of the time when I've found a malicious website, it's been involved with searching for household items.

      Recently I caught some on a site regarding garage door openers.

      Then a few days ago when I was online looking for kitchen cabinet knobs.

      Not the sort of knob job people think about normally providing malware.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  3. LOL ... golf ... by gstoddart · · Score: 1

    Nobody expects gold to be sinister, that's just misdirection.

    The real evil is in the golf.

    --
    Lost at C:>. Found at C.
    1. Re:LOL ... golf ... by gstoddart · · Score: 1

      Nobody expects gold to be sinister

      *facepalm* Preview button.

      --
      Lost at C:>. Found at C.
    2. Re:LOL ... golf ... by ArcadeMan · · Score: 1

      Preview button or not...

      https://en.wikipedia.org/wiki/...
      https://en.wikipedia.org/wiki/...
      https://en.wikipedia.org/wiki/...

      --
      Get free satoshi (Bitcoin) and Dogecoins
    3. Re:LOL ... golf ... by freeze128 · · Score: 2

      What really SHOULD be evil is Gorf! Those Gorfians want to kill us all!

    4. Re:LOL ... golf ... by Travco · · Score: 1

      GORF! Ha Ha! Who remembers Gorf! Heck I was at an arcade playing Gorf just last we.. uh m.. well um... millennium. No really it was April in Vegass. WAY more fun than gambling

  4. Diminishing Returns by Thornburg · · Score: 3, Insightful

    This kind of research is almost self-defeating.

    When you put out there a list of words that help flag a domain as "bad", you're just signaling to the malware makers to avoid those words.

    Then you can make a new list of words. And then they'll avoid those words.

    Eventually, the malware domains will be essentially indistinguishable from the real domains.

    That's lose-lose for everyone.

    Unfortunately, keeping the list secret does no good either. If it's truly secret, then no one can use it to fight malware. If it's only "secret" as in "not widely published", then the malware makers will still find it and use it.

    There is no right choice.

    1. Re:Diminishing Returns by thedonger · · Score: 1

      This kind of research is almost self-defeating.

      I feel the same way about stock market prediction.

      --
      Help fight poverty: Punch a poor person.
    2. Re:Diminishing Returns by ledow · · Score: 2

      Tip: Do not base any security or malware decision on what keywords are contained on a site / URL, what signatures exist (or don't) in a file or anything along similar lines.

      It pissed me off when people say "You can tell if you have virus X because it create file Y or registry entry Z". Yes, and it takes a microsecond to produce an identical virus that DOESN'T.

      Don't base your decision to visit a website on the keywords or URL. Base it on knowing that your browser will not ever execute any code from there without asking first, will not give out your personal information, and won't let you go to a previously unvisited site without warning you massively about entering your passwords etc. And certainly won't "just go" there by you viewing an email with that URL on it somewhere.

      Security by "good boy / naughty boy" lists is not security.

    3. Re:Diminishing Returns by JustAnotherOldGuy · · Score: 2

      I'm totally onboard with this. We should start a KickStarter campaign to fund a team of heavily-armed anti-malware commandos. I would donate to that.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  5. A hyphen by Anonymous Coward · · Score: 1, Interesting

    I cannot remember the last time I visited a legitimate website with a hyphen in the URL.

    1. Re:A hyphen by Anonymous Coward · · Score: 1

      I cannot remember the last time I visited a legitimate website with a hyphen in the URL.

      You've just opened one here : http://tech.slashdot.org/story...

    2. Re:A hyphen by ArcadeMan · · Score: 1

      I think he may have meant "domain" rather than "URL".

      --
      Get free satoshi (Bitcoin) and Dogecoins
    3. Re:A hyphen by Sique · · Score: 1
      I used to work for one. A company with ~17,000 employees. And a hyphen in the URL.

      And right now, most remote services like their OWA servers, VPN and VoIP access still have hyphens in their URL.

      --
      .sig: Sique *sigh*
    4. Re:A hyphen by Megane · · Score: 1

      I've noticed on those late night TV commercials, the really crappy stuff has two random digits in the domain name.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    5. Re:A hyphen by ledow · · Score: 1

      national-lottery.co.uk

      (No, seriously... try the alternatives without the hyphen and it redirects to the hyphened domain).

    6. Re:A hyphen by tomknight · · Score: 1

      Once upon a time, Experts Exchange (www.experts-exchange.com) *didn't* have a hyphen in its name. I think it looked a little more dodgy then....

      --
      Oh arse
    7. Re:A hyphen by Dazzadowling · · Score: 1

      Sometimes it is very much needed for clarity

      http://www.barking-dagenham-sc...

  6. Interesting, but doubt it's very effective by dskoll · · Score: 4, Interesting

    The paper is interesting, but I doubt it's very effective. An awful lot of the malicious URLs we seen in our filters are legitimate web sites that have been compromised and had malicious content inserted. We have thousands of malicious URLs containing "wp-content", just to give you an idea...

  7. Re:Porn not included on the list! Yes!!! by ArcadeMan · · Score: 4, Funny

    You know, if you weren't waiting to post these stupid comments on Slashdot, you'd have more time to fap.

    --
    Get free satoshi (Bitcoin) and Dogecoins
  8. Re:Porn not included on the list! Yes!!! by disposable60 · · Score: 2

    Unless that's the thing that gets him/her going.

    --
    You're looking for quotes? See my journal.
  9. Did the include the following? by wbr1 · · Score: 2, Insightful

    sourceforge.net
    cnet.com and download.com
    softpedia.com

    --
    Silence is a state of mime.
  10. "individuating"? by Anonymous Coward · · Score: 1

    I can't believe that's a word...

    1. Re:"individuating"? by KGIII · · Score: 1

      I am not alone!!! Yay!

      Anyhow, I did not say anything because I am too lazy to look and do not want to appear as stupid as I am.

      --
      "So long and thanks for all the fish."
  11. North Korea's leader Kim Jung-un likes basketball by Anonymous Coward · · Score: 1

    Coincidence?

  12. Self-defeating research? Maybe not... by davidwr · · Score: 1

    The first studies that showed "password" "0000" "1234" etc. were among the most-common passwords/PINs was published so long ago that I don't remember when it was.

    Studies since then and even recent ones keep showing similar results.

    PS: It's time for me to change my /. password. I'm trying to decide between passw0rd and 1248, any advice?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. Re:Porn not included on the list! Yes!!! by ArcadeMan · · Score: 2

    So you only enjoy one of your two penises? That's only half the fun!

    --
    Get free satoshi (Bitcoin) and Dogecoins
  14. Re:Best protection vs. malicious domains = hosts by dave420 · · Score: 1

    Stop spamming. You realise that if you had an account here, it would be banned, as you are no better than any of the other spammers that crop up. You didn't listen to Nietzsche and now the abyss is staring deep into you. You are now the problem you sought to alleviate. Happy?

  15. Re:Superior Protection vs. online malware = hosts by dave420 · · Score: 1

    Ladies and gentlemen, here we have APK pretending to be some kind-hearted supporter of himself, in a vain attempt to lend credence to his tenuous position. APK thinks so highly of this audience that he spams us and thinks we're retarded.

    The real irony is his anti-advertising solution can't block his advertising. He's his own worst enemy, yet has no idea. Mental illness is a bitch.

  16. And now, they will all change by gweihir · · Score: 1

    Because thanks to this valuable research, all the "bad URL owners" will get different "bad" ones. I propose to go to soccer instead, with the FIFA serving as easy example why these are "bad".

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  17. Re:goat by gweihir · · Score: 2

    www.goat-simulator.com

    Unless you consider motivating people to wasting time to be malicious....

    Note: google(url:goat) gives you many more of these insidious "goat" pages, including one that seems to be "non-vet" medical emergency services for goats.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. This faces the "Asimov's Foundation" problem by Aristos+Mazer · · Score: 1

    You can't tell people about this kind of research because then the malignant people change their words. The only benefit is in keeping it quiet.

  19. Re:goat by Tablizer · · Score: 1

    The sounds sinister. That's enough.

    --
    Table-ized A.I.
  20. Re:this is easy, it's because by KGIII · · Score: 1

    There was some bot on here spamming (just last night it was here still) something about J Lebron in the URL but it went to a dead link in Turkey. I checked the site out and it seems you can volunteer to do some digging there with the archaeologists. I have always wanted to do that but this one looked way to complicated (like needing to apply nine months ahead)/

    --
    "So long and thanks for all the fish."
  21. Domain Shadowing goes nuclear .. by nickweller · · Score: 1

    "Talos has discussed domain shadowing before at a high level. It’s a technique where threat actors use compromised registrant accounts to create large amounts of malicious subdomains. This is what Talos has found Nuclear using in this most recent campaign. It has been effectively rotating IP addresses, subdomains, and parent domains at a relatively quick rate." ref

  22. C&C?!? by MenThal · · Score: 1

    There's a new Command and Conquer coming out? Hmm, or am I being scammed?