The Words That Indicate Malicious Domain URLs

An anonymous reader writes: Researchers from AT&T have released research which improves the identification-rate of malicious URLs — such as those used for C&C servers or to distribute malware to redirected victims — by individuating words in the domain names. Though many of the words that Wei Wang and Kenneth Shirley were able to group as 'malign' are predictable, there is a strange recurrence of basketball-related words in the URL lexicon of malice, with 'bad' domains using names such as LeBron James, Kobe Bryant and Michael Jordan. By contrast 'golf' is least likely to be seen in a dangerous URL, along with state names, scenery and realty.
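The word-scoring idea in the summary, as an added example that is not part of the story or the AT&T paper: a toy classifier that splits the registrable label of a domain into words from a constructed vocabulary and sums smoothed per-word log-odds learned from a constructed, hand-labelled set of .example domains (all names, the vocabulary and the training set are assumptions, not the researchers' data).

```python
import math
import re
from collections import Counter

# Constructed word list used to segment unhyphenated labels (the paper's lexicon is far larger).
VOCAB = sorted({"lebron", "james", "kobe", "bryant", "jordan", "shoes", "deal", "free",
                "win", "prize", "stream", "golf", "club", "ohio", "realty", "lake",
                "view", "homes"}, key=len, reverse=True)

# Constructed toy training set: athlete names lean malign, golf/state/realty words lean benign.
TRAINING = [
    ("lebronjames-stream.example", "bad"), ("kobe-bryant-free-win.example", "bad"),
    ("jordanshoes-deal.example", "bad"), ("free-prize-win.example", "bad"),
    ("golf-club.example", "good"), ("ohiorealty.example", "good"),
    ("lakeview-homes.example", "good"), ("lake-golf-club.example", "good"),
]

def segment(label):
    """Greedy longest-match split into vocabulary words; unmatched letters stay as one chunk."""
    words, unk, i = [], "", 0
    while i < len(label):
        match = next((w for w in VOCAB if label.startswith(w, i)), None)
        if match is None:
            unk, i = unk + label[i], i + 1
        else:
            words += ([unk] if unk else []) + [match]
            unk, i = "", i + len(match)
    return words + ([unk] if unk else [])

def tokens(domain):
    """Words in the registrable label; assumes a one-label public suffix such as .com."""
    labels = domain.lower().strip(".").split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    return [w for piece in re.split(r"[^a-z]+", name) for w in segment(piece)]

def train(examples):
    """Per-class document frequency of each word (a word counts once per domain)."""
    bad, good = Counter(), Counter()
    for domain, label in examples:
        (bad if label == "bad" else good).update(set(tokens(domain)))
    n_bad = sum(1 for _, label in examples if label == "bad")
    return bad, good, n_bad, len(examples) - n_bad

MODEL = train(TRAINING)

def score(domain, model=MODEL):
    """Sum of Laplace-smoothed per-word log-odds; positive leans malign, unseen words are neutral here."""
    bad, good, n_bad, n_good = model
    return sum(math.log((bad[w] + 1) / (n_bad + 2)) - math.log((good[w] + 1) / (n_good + 2))
               for w in tokens(domain))
```

A real deployment would learn the vocabulary and counts from a large labelled feed and treat the score as one feature among many, which is exactly the caveat the comments below raise.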


  • by Anonymous Coward

    'nuff said.

  • by Revek ( 133289 ) on Tuesday June 16, 2015 @08:03AM (#49920717)

    Seriously, it seems they know how to entice the befuddled masses into clicking on their garbage.

    • by Ol Olsoc ( 1175323 ) on Tuesday June 16, 2015 @08:35AM (#49920903)

      Seriously, it seems they know how to entice the befuddled masses into clicking on their garbage.

      Most of the time when I've found a malicious website, it's been involved with searching for household items.

      Recently I caught some on a site regarding garage door openers.

      Then a few days ago when I was online looking for kitchen cabinet knobs.

      Not the sort of knob job people think about normally providing malware.

  • Nobody expects gold to be sinister, that's just misdirection.

    The real evil is in the golf.

  • by Thornburg ( 264444 ) on Tuesday June 16, 2015 @08:05AM (#49920731)

    This kind of research is almost self-defeating.

    When you put out there a list of words that help flag a domain as "bad", you're just signaling to the malware makers to avoid those words.

    Then you can make a new list of words. And then they'll avoid those words.

    Eventually, the malware domains will be essentially indistinguishable from the real domains.

    That's lose-lose for everyone.

    Unfortunately, keeping the list secret does no good either. If it's truly secret, then no one can use it to fight malware. If it's only "secret" as in "not widely published", then the malware makers will still find it and use it.

    There is no right choice.

    • This kind of research is almost self-defeating.

      I feel the same way about stock market prediction.

    • by ledow ( 319597 )

      Tip: Do not base any security or malware decision on what keywords are contained on a site / URL, what signatures exist (or don't) in a file or anything along similar lines.

      It pisses me off when people say "You can tell if you have virus X because it creates file Y or registry entry Z". Yes, and it takes a microsecond to produce an identical virus that DOESN'T.

      Don't base your decision to visit a website on the keywords or URL. Base it on knowing that your browser will not ever execute any code from there.

    • The first studies that showed "password", "0000", "1234" etc. were among the most common passwords/PINs were published so long ago that I don't remember when it was.

      Studies since then and even recent ones keep showing similar results.

      PS: It's time for me to change my /. password. I'm trying to decide between passw0rd and 1248, any advice?

  • A hyphen

    by Anonymous Coward

    I cannot remember the last time I visited a legitimate website with a hyphen in the URL.

  • by dskoll ( 99328 ) on Tuesday June 16, 2015 @08:16AM (#49920795) Homepage

    The paper is interesting, but I doubt it's very effective. An awful lot of the malicious URLs we see in our filters are legitimate web sites that have been compromised and had malicious content inserted. We have thousands of malicious URLs containing "wp-content", just to give you an idea...

  • by wbr1 ( 2538558 ) on Tuesday June 16, 2015 @09:27AM (#49921199)

    sourceforge.net
    cnet.com and download.com
    softpedia.com

  • by Anonymous Coward

    I can't believe that's a word...

    • by KGIII ( 973947 )

      I am not alone!!! Yay!

      Anyhow, I did not say anything because I am too lazy to look and do not want to appear as stupid as I am.

  • Coincidence?

  • Because thanks to this valuable research, all the "bad URL owners" will get different "bad" ones. I propose to go to soccer instead, with FIFA serving as an easy example of why these are "bad".

  • You can't tell people about this kind of research because then the malignant people change their words. The only benefit is in keeping it quiet.

  • "Talos has discussed domain shadowing before at a high level. It’s a technique where threat actors use compromised registrant accounts to create large amounts of malicious subdomains. This is what Talos has found Nuclear using in this most recent campaign. It has been effectively rotating IP addresses, subdomains, and parent domains at a relatively quick rate." ref [cisco.com]
  • There's a new Command and Conquer coming out? Hmm, or am I being scammed?
