Measuring the Lifecycles of Malicious Domains

Posted on May 23rd, 2012 in Domain News by dglosser

Interesting article found here. From the abstract:

“…we present preliminary results from on-going experiments we are conducting to track the lifetime of malicious domains. Studying the lifecycles of malicious domain names will provide insight into the many classes of criminal networks that depend on DNS, and inspire the development of new, more effective countermeasures.”


Some highlights:

  • the number of resurrected domains gravitates around 200 every day, revealing a number of domains that are intermittently inactive, which could potentially be an evasion mechanism or a correlating characteristic of instability
  • Contrary to our intuition … many of the [malicious] domains are long-lived and more domains are being introduced than are dying.

We’ve noticed and tracked many of the “immortal” malware domains but haven’t done any research into “resurrected”, or intermittently inactive/active, domains. Hmmm.

Again, we encourage research using our blocklists and have set up a mirror dedicated to open source projects and scholarly research. All we ask is that you let us know about such research.