Claudiu Musat, BitDefender
Alin Octavian Damian, BitDefender
The presented work outlines a system that employs reverse IP and reverse Whois queries to proactively detect malicious domains in an industrial manner.
The main advantage, and also the main novelty, of the technique is that it is able to block spam, fraud and malware even for the recipients of the first instances of an outbreak. Most threat detection techniques are only mildly proactive, in the sense that their detection is based on previous malicious activity, which means some users will have been affected by the wrongdoing before the threat is identified.
The aim of the presented filtering technique is to identify a new campaign at the first hint of future malicious activity: the registration of the domain that will be used in said outbreak. The idea of using reverse IP queries is not new in itself; however, its use alongside reverse Whois queries in an automated process is. We show that host IPs and registrant emails used in the registration process are reused, and compute the ratio of threats that can be filtered in their incipient phase. Our results also show a significant interconnection between the various malicious domain types, which underlines the benefits of an integrated protection system.
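The pivoting step described above, written out as an added example that is not code from the paper: a reverse-IP index and a reverse-Whois (registrant e-mail) index are built over already-known malicious domains, each newly registered domain is looked up in both, and the share of later-confirmed threats that were already flagged at registration time is computed. All class and function names are my own, and the registrations below are constructed sample data (RFC 5737 addresses and `.example` names), not data from the paper.

```python
"""Reverse-IP / reverse-Whois pivoting over newly registered domains (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Registration:
    domain: str
    ip: str                         # hosting IP resolved at registration time
    registrant_email: str           # e-mail taken from the Whois record
    category: Optional[str] = None  # "spam", "fraud", "malware", or None if not yet known


class ReverseLookupIndex:
    """Reverse-IP and reverse-Whois indices over domains already known to be malicious."""

    def __init__(self) -> None:
        self.by_ip: Dict[str, Set[str]] = defaultdict(set)
        self.by_email: Dict[str, Set[str]] = defaultdict(set)
        self.known: Dict[str, Registration] = {}

    def add_malicious(self, reg: Registration) -> None:
        self.known[reg.domain] = reg
        self.by_ip[reg.ip].add(reg.domain)
        # E-mail addresses are compared case-insensitively so trivial casing tricks do not evade the pivot.
        self.by_email[reg.registrant_email.lower()].add(reg.domain)

    def pivot(self, reg: Registration) -> Tuple[Set[str], List[str]]:
        """Return the known-bad domains sharing infrastructure with `reg`, and which index matched."""
        ip_hits = self.by_ip.get(reg.ip, set())
        email_hits = self.by_email.get(reg.registrant_email.lower(), set())
        reasons = []
        if ip_hits:
            reasons.append("reverse-ip")
        if email_hits:
            reasons.append("reverse-whois")
        return ip_hits | email_hits, reasons

    def linked_categories(self, domains: Set[str]) -> List[str]:
        """Threat categories of the linked domains; shows cross-type reuse of the same infrastructure."""
        return sorted({self.known[d].category for d in domains if self.known[d].category})


def screen_new_registrations(index: ReverseLookupIndex, new_regs: List[Registration]) -> Dict[str, dict]:
    """Flag fresh registrations that pivot onto known-bad IPs or registrant e-mails."""
    flagged: Dict[str, dict] = {}
    for reg in new_regs:
        hits, reasons = index.pivot(reg)
        if hits:
            flagged[reg.domain] = {
                "reasons": reasons,
                "linked_to": sorted(hits),
                "categories": index.linked_categories(hits),
            }
    return flagged


def incipient_filter_ratio(flagged: Dict[str, dict], later_confirmed: List[str]) -> float:
    """Fraction of domains later confirmed malicious that were already flagged at registration time."""
    if not later_confirmed:
        return 0.0
    caught = sum(1 for d in later_confirmed if d in flagged)
    return caught / len(later_confirmed)


# Constructed sample data: a small seed list of known-bad domains ...
KNOWN_MALICIOUS = [
    Registration("pills-cheap.example", "203.0.113.10", "reg1@mail.example", "spam"),
    Registration("bank-verify.example", "203.0.113.10", "reg2@mail.example", "fraud"),
    Registration("dl-update.example", "198.51.100.7", "reg3@mail.example", "malware"),
]

# ... and a batch of fresh registrations seen before any of them has done anything malicious.
NEW_REGISTRATIONS = [
    Registration("meds-discount.example", "203.0.113.10", "other@mail.example"),  # shares IP with spam + fraud
    Registration("secure-login.example", "192.0.2.44", "REG3@mail.example"),      # shares registrant with malware
    Registration("family-photos.example", "192.0.2.99", "jane@mail.example"),     # no overlap, benign
    Registration("win-prize.example", "198.51.100.50", "nobody@mail.example"),    # no overlap, will be missed
]

# Constructed ground truth: which of the new domains turned out to be malicious later on.
LATER_CONFIRMED_MALICIOUS = ["meds-discount.example", "secure-login.example", "win-prize.example"]


def run_demo() -> Tuple[Dict[str, dict], float]:
    index = ReverseLookupIndex()
    for reg in KNOWN_MALICIOUS:
        index.add_malicious(reg)
    flagged = screen_new_registrations(index, NEW_REGISTRATIONS)
    return flagged, incipient_filter_ratio(flagged, LATER_CONFIRMED_MALICIOUS)


if __name__ == "__main__":
    flagged, ratio = run_demo()
    for domain, info in flagged.items():
        print(domain, info)
    print(f"filtered in incipient phase: {ratio:.2%}")
```

Two of the three domains that later turn malicious are caught at registration time, one through the shared hosting IP and one through the reused registrant e-mail; the fourth domain is missed because it shares nothing with the seed list, which is exactly the gap the ratio is meant to measure. Note also that `meds-discount.example` links to both a spam and a fraud domain at once, the kind of cross-category overlap the abstract points to as an argument for an integrated protection system.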