Borg blacklist assimilates Cryptolocker domain name generators

Cisco has developed a means to accurately identify the fleeting pop-up domains used by some of the world's worst malware. The platform builds a reputation score that is in part based on word sources including more than 60 dictionaries, Census data and Alexa top 1000 domains. Using multiple sources helps to identify the …

  1. Blofeld's Cat

    So...

    Does this mean that anyone who makes domains from two or more words, such as "theregister", are likely to suddenly find their domains being blocked?

    I suspect the false positive rate will turn out to be rather more than 2%.

    1. This post has been deleted by its author

    2. VinceH

      Re: So...

      "Does this mean that anyone who makes domains from two or more words, such as "theregister", are likely to suddenly find their domains being blocked?"

      No. Darren may not have explained the process in any great detail - but he didn't suggest multiple words; I think you've inferred that from the use of dictionaries etc. It's worth clicking through to the Cisco article and reading that for more detail - and examples of the type of domain names picked up.

  2. K

    Something stinks here...

    Surely tightening rules for registering domains would be far more effective - either requiring a person to prove who they are, and/or having a 24hr cool down period for domain registration.

    I suspect this will never happen, as somebody somewhere is making a lot of money off the domain registrations.

    1. Anonymous Coward

      Re: Something stinks here...

      Or maybe shift some liability onto the domain name registrars. That would incentivize them in the right direction.

      1. Mark 85

        Re: Something stinks here...

        I think there's a lot the registrars could do but that involved eating away some bottom line. Someone else points out the "tasting" period as an example. I suppose it's also possible there's one or two registrars who willingly register these domains and then turn a blind eye to the names and the ones behind it.

        And then we have the banks.. <ahem> enabling by blindly transferring funds and no accountability as to where the funds went.

        Boils down to follow the money but that's becoming increasingly difficult with all the lack of accountability and tracking by the companies involved.

  3. Missing Semicolon

    "Domain Tasting"

    That's the problem. It lets you activate a domain for free for a short period. If your botnet knows how to rotate through the pseudo-random domains you are using, you need never actually pay for a CnC domain.

  4. Old Handle

    False Positive Rate

    So to clarify, based on the Cisco article linked above, they're not looking for domains made out of random words, but rather domains that aren't made of words. Apparently the false positive rate (out of the Alexa top 10,000) was 0.42% (42 domains). These include some that a human would have been able to recognise as non-random, such as plsdrct2, xxeronetxx, adstrckr, 1c-bitrix, isif-life and vecteezy. Others appear to be genuine nonsense or perhaps transliterated foreign words.

    So all in all, not too bad. Although it seems inevitable that if people start blocking nonsense domains, malware makers will just start making domains out of random words instead, e.g. correcthorsebatterystaple.com (which incidentally is a massage training program, how odd). And detecting that will be much harder.
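To make the "domains that aren't made of words" idea concrete, here is a small word-coverage heuristic as an added example. It is not Cisco's algorithm and not code from this thread or from The Register; it stands in for the real reputation scorer with a constructed mini-dictionary (a handful of words in place of the 60+ dictionaries, Census data and Alexa list the article mentions), a constructed public-suffix list, and an assumed flagging threshold of 50% coverage. It scores a registrable label by the largest fraction of its characters that can be tiled with dictionary words, so theregister scores 1.0 while the abbreviation-style labels Old Handle lists (adstrckr, plsdrct2, isif-life) score low and are flagged, reproducing the false-positive class he describes.

```python
"""Toy dictionary-coverage check for domain labels (added example).

Assumptions: WORDS and SUFFIXES are constructed placeholders for real
word lists and a real public-suffix database; THRESHOLD is a guess.
"""

# Constructed mini-dictionary standing in for the article's 60+ sources.
WORDS = {
    "the", "register", "correct", "horse", "battery", "staple",
    "ads", "tracker", "life", "bit", "direct", "mail", "book",
    "face", "net", "web", "shop",
}
MIN_WORD_LEN = 3          # ignore 1-2 letter "words" that tile anything
THRESHOLD = 0.5           # assumed: flag labels with < 50% word coverage

# Constructed suffix subset; a real deployment would use the public
# suffix list. Longer suffixes first so "co.uk" wins over "uk".
SUFFIXES = ("co.uk", "com", "net", "org", "info")


def registrable_label(hostname: str) -> str:
    """Return the label directly under the public suffix, e.g.
    'www.theregister.co.uk' -> 'theregister'."""
    host = hostname.lower().rstrip(".")
    for suffix in SUFFIXES:
        if host.endswith("." + suffix):
            host = host[: -len(suffix) - 1]
            break
    return host.rsplit(".", 1)[-1]


def word_coverage(label: str, words=WORDS) -> float:
    """Fraction of characters coverable by non-overlapping dictionary
    words of length >= MIN_WORD_LEN (dynamic programme over prefixes).
    Digits and hyphens never match, so they count as uncovered."""
    n = len(label)
    if n == 0:
        return 0.0
    covered = [0] * (n + 1)               # best coverage of label[:i]
    for i in range(1, n + 1):
        covered[i] = covered[i - 1]       # option: leave char i-1 uncovered
        for j in range(0, i - MIN_WORD_LEN + 1):
            if label[j:i] in words:       # option: end a word at i
                covered[i] = max(covered[i], covered[j] + (i - j))
    return covered[n] / n


def classify(hostname: str, threshold: float = THRESHOLD) -> dict:
    """Score one hostname; 'flagged' is True when coverage is below
    the threshold, i.e. the label does not look word-built."""
    label = registrable_label(hostname)
    score = word_coverage(label)
    return {"label": label, "coverage": round(score, 3),
            "flagged": score < threshold}


if __name__ == "__main__":
    # Constructed sample: a real site, the names from the thread, and
    # one made-up random-looking label.
    for host in ("www.theregister.co.uk", "plsdrct2.com", "adstrckr.net",
                 "isif-life.org", "correcthorsebatterystaple.com",
                 "xkqwpzlrmt.com"):
        print(classify(host))
```

The last two sample hosts illustrate the comment's closing worry: a label of random letters scores 0.0 and is flagged, but correcthorsebatterystaple tiles perfectly with dictionary words and passes, so a word-based generator would need a different signal (registration age, resolution churn, query volume) to catch.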

  5. enerider

    Possible unintentional side-effect of the VM detection

    Running stuff in a VM on purpose, so when net nasties drop in to say "hello" on the VM, they detect the VM and decide to bow out?

    Although if they *do* happen to go nuclear and nuke everything in the VM, you'd be able to roll back to a snapshot / backup (assuming these are set up of course).

    There is also the chance that the nasty can bust its way out of the VM onto the actual machine and wreak havoc there...

    </randomThought>

  6. The Dude

    This is very interesting technology. I was chatting with the developers last week, and they have even more good stuff coming down the pipe. It works very nicely and does just what it says on the box.
