Key Characteristics of Malicious Domains: Report

The newness of top-level domains as well as infrastructure located in certain countries continue to be reliable signs of whether network traffic could be malicious, while the use of self-signed Secure Sockets Layer (SSL) certificates — or those issued by the free Let’s Encrypt service — is not abnormally risky, according to new research.

Internet security service DomainTools, in a new report released today, focused on active domains that exceeded certain thresholds in terms of the size of the infrastructure and found that top-level domains, IP autonomous system numbers, and IP geolocations are consistent indicators of risky content, compared with the average domain. 

Domains that use name servers maintained by Internap Japan and HostKey in the US, for example, were far more likely to be the source of risky traffic than average, according to the “DomainTools Report for Fall 2021.”

On the other hand, SSL certificates that are self-signed or from free services, such as Let’s Encrypt, were not any more likely to be malicious than average, says Tim Helming, security evangelist with DomainTools.

“We were surprised by the findings in the SSL certificates — most defenders assume Let’s Encrypt or a self-signed cert is an indication of badness, where in fact, that is really not true, statistically speaking,” he says. “The caveat is, however, that context matters so much. … If you have a domain that is mimicking a legit domain, and it uses a self-signed or Let’s Encrypt certificate, that’s a whole different ballgame.”

Domain reputation is a common input into security groups’ determination of whether certain network traffic or connections may be signs of an attack or malicious content. Phishing, malware, and spam domains are much more likely to be from newly issued top-level domains — such as .quest or .bar — or from relatively small countries, such as .ml for Mali, as compared with the average top-level domain.

DomainTools looked at relationships between domains that are a source of malware, phishing and spam, and six other characteristics: the top-level domain, IP autonomous system number (ASN), name server ASN, the geolocation of the domain’s IP address, the registrar, and the SSL certificate authority.

“We chose these characteristics because they are often used by defenders and security researchers as part of a process of building out a better understanding of a domain,” the report states. “Seasoned practitioners often develop intuitions about the implications of a given characteristic, based on their experience, expertise, and judgment in the analysis of adversary assets. In many cases, the data seen at scale tend to support those intuitions.”

“Signal Strength”
DomainTools used its own database of tracked domains and cross-referenced that with a variety of domain reputation databases and subscription services to classify the domains. The company compared the number of malicious domains with the overall number of domains for a specific provider, ASN, or certificate to create a relative measure of badness.

The researchers then divided that ratio by the same ratio for so-called “neutral” domains, which are not contained in the reputation databases. The resulting number is called the signal strength, and values greater than 1.0 indicate that malicious content is more likely from that source.

The top-level domain .quest, for example, has a signal strength of 131 but rather small volumes — fewer than 1,500 domains in DomainTools’ database. Companies are not likely to see content from that domain, but if they do, they should consider it risky.

“A lot of defenders think, and with good evidence, that there are certain [top-level domains] that just host a lot of malicious stuff, and that generally is because registrations are free or very inexpensive,” Helming says. “Cost is such a big part of the whole game.”

Most of the domains, registrars, and autonomous system numbers that appear on the lists of maliciousness have relatively small numbers of domains, which means that even a moderate number of malicious domains can cause their signal strength — a measure of relative maliciousness — to jump. The ASN for Nice IT Services Group in Dominica, for example, has a signal strength of 8,047 for phishing and 463 for malware but accounts for fewer than 2,000 domains. HostKey US has 7,155 domains associated with spam and only four “neutral” domains, giving it the highest signal strength for spam: 90,200.

“Some of the signal strengths of these domains were pretty extraordinary,” Helming says. “Granted, the law of small numbers is clearly at play — some of these just have a tiny handful of domains on them. You may not be super likely to run across those, but if you do, holy smokes, that is a really, really strong indication that you should send that domain into the sun, as they say.”
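The signal-strength ratio and its small-numbers effect can be reproduced in a few lines. The following is an added example, not code from DomainTools or the report; it assumes one reading of the description above (a bucket's share of all malicious domains divided by its share of all neutral domains), uses constructed corpus totals and buckets, and adds a pseudo-count smoothing step that the report does not describe.

```python
from dataclasses import dataclass

# Constructed corpus totals (assumption: the article gives none).
TOTAL_MALICIOUS = 1_000_000
TOTAL_NEUTRAL = 50_000_000

@dataclass
class Bucket:
    name: str       # a TLD, ASN, registrar or certificate authority
    malicious: int  # domains in the bucket listed by reputation feeds
    neutral: int    # domains in the bucket absent from those feeds

def signal_strength(b: Bucket, k: float = 0.0) -> float:
    """Bucket's share of malicious domains over its share of neutral ones.

    k > 0 adds k pseudo-domains split in corpus proportion, which pulls
    low-volume buckets toward 1.0 (added smoothing, not the report's).
    """
    total = TOTAL_MALICIOUS + TOTAL_NEUTRAL
    mal = b.malicious + k * TOTAL_MALICIOUS / total
    neu = b.neutral + k * TOTAL_NEUTRAL / total
    if neu == 0:
        return float("inf")  # no neutral domains: raw ratio is unbounded
    return (mal / TOTAL_MALICIOUS) / (neu / TOTAL_NEUTRAL)

def triage(buckets, min_domains: int = 5_000, k: float = 100.0):
    """Rank buckets by smoothed strength and flag the low-volume ones."""
    rows = [{
        "name": b.name,
        "raw": signal_strength(b),
        "smoothed": signal_strength(b, k),
        "low_volume": b.malicious + b.neutral < min_domains,
    } for b in buckets]
    return sorted(rows, key=lambda r: r["smoothed"], reverse=True)

# Constructed sample buckets, not figures from the report.
SAMPLE = [
    Bucket("tiny-asn", malicious=8, neutral=0),
    Bucket("mid-tld", malicious=30_000, neutral=100_000),
    Bucket("big-registrar", malicious=200_000, neutral=10_000_000),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f'{row["name"]:14} raw={row["raw"]:<8.2f} '
              f'smoothed={row["smoothed"]:<6.2f} low_volume={row["low_volume"]}')
```

The eight-domain bucket has an unbounded raw score but ranks below the mid-sized TLD once smoothed, which is the small-numbers effect in concrete terms; the `low_volume` flag keeps such buckets visible for triage rather than discarding them.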

Help With Triage
Interestingly, the only lists that did not have a full 10 malicious entries were SSL certificates. Overall, certificates are a weak indicator of maliciousness, and half of the lists’ entries had scores near 1.0 or less, which indicates that their domains are typically safer than average.

Companies can use such data to inform their triage of threats, DomainTools stated. Some of the relationships uncovered by the report show a strong signal of maliciousness tied to one of the six characteristics. Many others, the company warned, have strong signals for very small collections of domains.

“[S]ome of these hotspots are like neutron stars: very high ‘heat’ and density (Signal Strength), very low size (number of domains),” according to the report. “As forensic indicators, these data points are not likely to make a big impact for most organizations, as the odds of coming across any of the domains tied to them are low.”
