Predicting the past
Boffins predicting yesterday's good enough schemes
Security geeks have worked out a formula for determining which of a series of formerly blacklisted domains would be reused in malware attacks. The method combines the domain name with the generic Top Level Domain, IP address alterations and the cost of a domain transfer. Under the right conditions, the researchers say, the …
I'm wondering about the degree of randomness the domain generators use.
The spam from the random-four-letters dot eu addresses seems to be tapering off, but that seems to be a factor of the anti-spam utilities, and surely it can't be that hard to reset the code creating these malware domains. Particularly if the paper and future ones give a list of techniques to avoid.
It makes me think of the early days of creating crypto-level hash and random number generators, and the race to crack them. Which resulted in better, more difficult to crack functions. We may be seeing something similar here.
I think the article notes however that domains cost real money and are generally held for a decent length of time (say at least one year), so there's an incentive to reuse the domains, just not right away. IOW, a malcontent wanting to maximize the ROI on the domain will want to figure out how long to lay the domain low before using it again.
Furthermore, the algorithm used to generate the domain names has to be portable since the malware has to know the code, too. This requirement also reduces the odds of changing the algorithm in mid-flight since doing so requires a way to pass along the new technique to the botnet, some nodes of which may fall out of the loop before being updated.
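The two points above (the generator's "randomness" is really just a shared secret plus a date, and the algorithm has to be identical on the bot and the operator side) can be shown with a toy domain generation algorithm. This is an added example written for this page, not code from the article, the paper or any commenter; the key, TLD set, label length and per-day count are made up for illustration, and a real family's values would be whatever was recovered from the sample. The defender-side `precompute_blocklist` is the consequence of the portability requirement: anyone holding the binary can list tomorrow's domains today.

```python
import hashlib
from datetime import date, timedelta

# Constructed parameters (assumptions for this example, not from any real family).
SECRET_KEY = b"example-dga-key"      # baked into the binary; changing it changes every list
TLDS = ("eu", "com", "net")
LABEL_LENGTH = 4                     # "random-four-letters" style labels
DOMAINS_PER_DAY = 10
EXAMPLE_DAY = date(2009, 1, 15)      # arbitrary seed date used in the demo


def dga(day, count=DOMAINS_PER_DAY, key=SECRET_KEY):
    """Candidate C2 domains for one calendar day.

    The only inputs are the date and the key, so the bot and the operator
    (and anyone who reversed the binary) compute exactly the same list.
    There is no entropy source that both sides could not share.
    """
    domains = []
    for i in range(count):
        material = key + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # byte % 26 is slightly biased toward a..v; good enough for a DGA,
        # which only needs determinism, not uniform letters.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LENGTH])
        tld = TLDS[digest[LABEL_LENGTH] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def rendezvous(day, registered, **kw):
    """Bot side: walk the day's list in order and stop at the first domain
    the operator actually registered. `registered` stands in for a DNS
    lookup succeeding; the operator only needs to pay for one of the names."""
    for domain in dga(day, **kw):
        if domain in registered:
            return domain
    return None


def precompute_blocklist(start, days, **kw):
    """Defender side: with the algorithm in hand, every domain the botnet
    will try over the next `days` days can be listed (and blocked or
    sinkholed) before the operator registers any of them."""
    block = set()
    for offset in range(days):
        block.update(dga(start + timedelta(days=offset), **kw))
    return block


def shift(day, n):
    """Helper so callers can step the seed date without importing timedelta."""
    return day + timedelta(days=n)


if __name__ == "__main__":
    today = dga(EXAMPLE_DAY)
    print("bot's list for", EXAMPLE_DAY, "->", today)
    # Operator registers only the third candidate; the bot still finds it.
    print("bot contacts:", rendezvous(EXAMPLE_DAY, {today[2]}))
    print("defender blocklist for next week has", len(precompute_blocklist(EXAMPLE_DAY, 7)), "names")
    # "Resetting the code" by changing the key invalidates the blocklist...
    print("new key list:", dga(EXAMPLE_DAY, key=b"rotated-key"))
    # ...but only for bots that received the new key, which is the mid-flight update problem.
```

Changing the key (or the hash, or the TLD set) is all it takes to defeat a precomputed blocklist, which is why the "reset the code" idea is cheap for the author in principle; the catch the last comment raises is that every bot must learn the new parameters, and a bot that misses the update is computing yesterday's list forever.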