Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'

Security geeks have worked out a formula for determining which of a series of formerly blacklisted domains would be reused in malware attacks. The method combines the domain name with the generic Top Level Domain, IP address alterations and the cost of a domain transfer. Under the right conditions, the researchers sway, the …

  1. bitten

    Predicting the past

    Boffins predicting yesterday's good enough schemes

  2. PassingStrange

    "Under the right conditions, the researchers sway..."

    So, indeed, do most people.

    1. Message From A Self-Destructing Turnip
      Pint

      Re: "Under the right conditions, the researchers sway..."

      You forgot the icon ---->

      FTFY

  3. Anonymous Coward

    First thing they should do

    is evict all the squatters holding perfectly legitimate domains that you 'can buy for the great bargain of $4,403', free these back up for joe public and remove what is essentially, internet extortion.

  4. Graham Marsden
    Thumb Down

    Another great idea...

    ... from the Department of Pre-Crime...

  5. Alistair
    Windows

    We can predict where the terrorists will sit on the plane.

    And just shoot those seats.

    what could go wrong?

  6. John Gamble

    I'm wondering about the degree of randomness the domain generators use.

    The spam from the random-four-letters dot eu addresses seems to be tapering off, but that seems to be a factor of the anti-spam utilities, and surely it can't be that hard to reset the code creating these malware domains. Particularly if the paper and future ones give a list of techniques to avoid.

    It makes me think of the early days of creating crypto-level hash and random number generators, and the race to crack them. Which resulted in better, more difficult to crack functions. We may be seeing something similar here.

    1. Charles 9

      I think the article notes however that domains cost real money and are generally held for a decent length of time (say at least one year), so there's an incentive to reuse the domains, just not right away. IOW, a malcontent wanting to maximize the RoI on the domain will want to figure out how long to lay the domain low before using it again.

      Furthermore, the algorithm used to generate the domain names has to be portable since the malware has to know the code, too. This requirement also reduces the odds of changing the algorithm in mid-flight since doing so requires a way to pass along the new technique to the botnet, some nodes of which may fall out of the loop before being updated.
