In the course of investigating suspect domains, a few sources of data are typically considered. The first source that most would think of is VirusTotal, and for good reason. A less commonly used source is Whois. We’ve used Whois information previously to observe exploit kit domain life cycles, comparing query volumes to registration dates.
By sampling our domain intelligence, we built a list of malicious domains. Querying a proprietary Whois database, we then extracted the email addresses that had been used to register at least one of those malicious domains. Applying the technique often referred to as reverse Whois, we used that list of email addresses to expand the original domain list. Feeding the labeled domains and email addresses to a semantic network library and then to OpenGraphiti, our soon-to-be open-sourced 3D visualization engine, revealed some interesting relationships.
Groupings of domains which share a registrant contact email address are explored below.
Red nodes are known malicious domains (blocklisted by OpenDNS), green nodes are known benign domains (allowlisted by OpenDNS), and white nodes are either domains with no alignment or domains for which no registrant email address was found.
Some email addresses from our research are associated with a mix of malicious and benign domains:
Some email addresses were seen to have registered only a few malicious domains. Possible explanations include misclassification of the malicious domain, the domain was compromised and repurposed maliciously, or perhaps the domain was malicious, sinkholed, and had its registrant contact email updated. It’s also possible that the email address used to register the domains was at some point compromised and used to register a domain for malicious use:
Many groups had a majority of domains in our blocklist with a small minority of sibling domains categorized as benign. These particular groups are interesting because the benign domains (white) are highly suspect:
A large majority of the groups formed looked like the image below. Notice some domains are blocklisted and most are unknown. Having such a large number of domains, with a mix of alignments, sharing a single registrant contact email address is indicative of a proxy registration service. In these cases the sibling domains are likely unrelated to each other:
Similar to proxy registration email address groupings, abuse desks are another type of large group that usually consists of half unknown and half blocklisted domains. The lower right point in the graphic below is an abuse desk email address, while the rest of the nodes are domains registered with that Whois registrant contact email address. Red nodes are known malicious domains, while white nodes are domains with unknown or benign intent. If a domain’s Whois contact email address has recently been changed to a registrar’s abuse desk, chances are the domain has an outstanding abuse complaint and is under investigation:
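The pivot described above (seed domains, forward Whois to registrant emails, reverse Whois back to sibling domains, then reading each group by its mix of red, green and white nodes) can be reproduced on a small scale without a graph engine. The following Python is an added example and is not code from the original post or from OpenDNS; the Whois records, blocklist, allowlist, abuse-desk address and the group-size threshold `LARGE_GROUP` are all constructed or assumed for illustration. The group verdicts mirror the families discussed in the text: a majority-malicious group flags its non-blocklisted siblings as suspects, a group past the size threshold is treated as a proxy registration service whose siblings are probably unrelated, and a known abuse-desk address is reported as such.

```python
from collections import Counter, defaultdict

# Constructed Whois records for the example (domain -> registrant contact email).
# Every domain and address below is invented; none comes from the original post.
WHOIS = {
    # a small actor-controlled group: three blocklisted domains plus one unlabeled sibling
    "bad-kit-a.example": "actor@mail.example",
    "bad-kit-b.example": "actor@mail.example",
    "bad-kit-c.example": "actor@mail.example",
    "unlisted-sibling.example": "actor@mail.example",
    # a legitimate owner whose group contains a single blocklisted domain
    "shop.example": "owner@shop.example",
    "blog.example": "owner@shop.example",
    "promo-shop.example": "owner@shop.example",
}
# a large proxy-registration group: many unrelated domains behind one privacy address
for i in range(25):
    WHOIS[f"proxy-{i:02d}.example"] = "privacy@proxy-registrar.example"
# a registrar abuse-desk group: domains whose contact was switched to the abuse address
for i in range(6):
    WHOIS[f"seized-{i:02d}.example"] = "abuse@registrar.example"

BLOCKLIST = {"bad-kit-a.example", "bad-kit-b.example", "bad-kit-c.example", "promo-shop.example"}
BLOCKLIST |= {f"proxy-{i:02d}.example" for i in range(0, 25, 3)}
BLOCKLIST |= {f"seized-{i:02d}.example" for i in range(0, 6, 2)}
ALLOWLIST = {"shop.example", "blog.example"}
ABUSE_DESKS = {"abuse@registrar.example"}  # assumed list of known registrar abuse addresses
LARGE_GROUP = 20                           # assumed size at which a group looks proxy-registered


def label(domain):
    """Alignment of a node: red, green or white in the post's graphs."""
    if domain in BLOCKLIST:
        return "malicious"
    if domain in ALLOWLIST:
        return "benign"
    return "unknown"


def registrant_emails(seed_domains, whois=WHOIS):
    """Forward Whois: every contact email that registered at least one seed domain."""
    return {whois[d] for d in seed_domains if d in whois}


def reverse_whois(emails, whois=WHOIS):
    """Reverse Whois: group every known domain under the contact email that registered it."""
    groups = defaultdict(set)
    for domain, email in whois.items():
        if email in emails:
            groups[email].add(domain)
    return groups


def characterize(email, domains):
    """Read a registrant-email group the way the post's graph families are read."""
    counts = Counter(label(d) for d in domains)
    n, mal = len(domains), counts["malicious"]
    suspects = []
    if email in ABUSE_DESKS:
        kind = "abuse desk"            # contact reassigned by the registrar, likely under investigation
    elif n >= LARGE_GROUP:
        kind = "proxy registration"    # large mixed group; siblings are probably unrelated
    elif mal == n:
        kind = "all malicious"
    elif mal > n / 2:
        kind = "majority malicious"    # the non-blocklisted siblings deserve a second look
        suspects = sorted(d for d in domains if label(d) != "malicious")
    elif mal > 0:
        kind = "minority malicious"    # misclassification, compromise or sinkholing are plausible
    else:
        kind = "no malicious"
    return {"email": email, "size": n, "counts": dict(counts), "kind": kind, "suspects": suspects}


def analyze(seed_domains, whois=WHOIS):
    """Seed domains -> registrant emails -> expanded domain groups -> per-group verdicts."""
    groups = reverse_whois(registrant_emails(seed_domains, whois), whois)
    return {email: characterize(email, domains) for email, domains in groups.items()}


if __name__ == "__main__":
    seeds = {"bad-kit-a.example", "promo-shop.example", "proxy-03.example", "seized-00.example"}
    for email, verdict in sorted(analyze(seeds).items()):
        print(f"{email:35} n={verdict['size']:2} {verdict['kind']:20} "
              f"{verdict['counts']} suspects={verdict['suspects']}")
```

The size threshold is the weakest part of the heuristic: a real proxy registration service is better recognised by the registrar's own privacy address than by group size alone, so in practice the abuse-desk set would be joined by a list of known privacy-service addresses and the threshold used only as a fallback.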