OpenDNS Security Labs has developed a new way to automatically detect and block sites used to distribute malware almost instantaneously, without having to scan them. The approach uses natural language processing and other analytics to detect malicious domains before they can attack, by spotting host names that are designed as camouflage. Called NLPRank, it spots DNS requests for sites whose names resemble those of legitimate sites but whose IP addresses fall outside the expected address blocks, and combines that with other related data that hints at sketchiness.
The practice of using look-alike domain names to fool victims into visiting websites or approving downloads is a well-worn approach in computer crime. But recent crafted attacks, delivered via “phishing” links in e-mails and social media, have gone past the well-worn “typo-squatting” approach: they use domain names that appear close to those of trusted sites and register them just in time for the attack, so that the names fly under reputation-scoring security tools and blacklisting them is harder.
Many security services can screen out malicious sites based on techniques such as reputation analysis—checking a centralized database to see if a site name has been associated with any malware attacks. But because attackers are able to rapidly register new domains with scripted systems that look relatively legitimate to the average computer user, they can often bypass reputation checks—especially when using their specially crafted domain names in highly targeted attacks.
The system analyzes frequently queried domain names among the tens of billions of DNS requests that flow through OpenDNS daily, looking for patterns and applying a set of ranking scores to the domain names that match them. If a domain looks Facebook-related but is not associated with Facebook’s IP address space, it is flagged. The system can also perform HTML analysis of the websites behind those domain names to check whether the content matches the site being imitated.
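The two signals described above (a name that lexically resembles a known brand, and an answer address outside the blocks where that brand is expected to resolve) can be combined into a simple ranking check. The following is an added illustration written for this page, not OpenDNS's NLPRank code; it assumes a hypothetical brand-to-address-block table filled with RFC 5737 documentation ranges as placeholders, and a constructed list of (queried name, answer IP) pairs rather than real DNS traffic.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed lookup table: brand label -> address blocks where the genuine
# service is expected to resolve. RFC 5737 documentation ranges stand in for
# the real operators' address space (placeholder values, not real data).
EXPECTED_NETS: Dict[str, List[ipaddress.IPv4Network]] = {
    "facebook": [ipaddress.ip_network("203.0.113.0/24")],
    "paypal": [ipaddress.ip_network("198.51.100.0/24")],
}

# Characters commonly swapped in to keep a label visually close to the brand.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used here as the lexical-similarity measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def closest_brand(fqdn: str) -> Optional[Tuple[str, int]]:
    """Return (brand, edit_distance) for the best-matching token, or None.

    The name is split on dots and hyphens, each token is lower-cased and
    homoglyph-folded, and tokens within 2 edits of a brand are candidates.
    Very short tokens are skipped to keep noise down."""
    best: Optional[Tuple[str, int]] = None
    for token in re.split(r"[.-]", fqdn.lower()):
        folded = token.translate(HOMOGLYPHS)
        if len(folded) < 4:
            continue
        for brand in EXPECTED_NETS:
            d = levenshtein(folded, brand)
            if d <= 2 and (best is None or d < best[1]):
                best = (brand, d)
    return best


def score_query(fqdn: str, resolved_ip: str) -> dict:
    """Combine the lexical signal with the address-space check.

    A name is flagged only when it resembles a brand AND the answer falls
    outside the blocks where that brand is expected to resolve; a closer
    lexical match yields a higher score."""
    match = closest_brand(fqdn)
    if match is None:
        return {"fqdn": fqdn, "brand": None, "flagged": False, "score": 0}
    brand, dist = match
    ip = ipaddress.ip_address(resolved_ip)
    in_expected = any(ip in net for net in EXPECTED_NETS[brand])
    score = 0 if in_expected else (3 - dist) * 10
    return {"fqdn": fqdn, "brand": brand, "flagged": score > 0, "score": score}


# Constructed sample of (queried name, answer IP) pairs, not real traffic.
SAMPLE_QUERIES = [
    ("www.facebook.com", "203.0.113.10"),          # genuine, inside expected block
    ("faceb00k-login.com", "192.0.2.45"),          # look-alike, outside block
    ("paypa1-secure-verify.net", "192.0.2.77"),    # look-alike, outside block
    ("example.org", "192.0.2.5"),                  # unrelated name
]


def flagged_domains(queries=SAMPLE_QUERIES) -> List[str]:
    """Names from the sample that the combined check would flag."""
    return [r["fqdn"] for r in (score_query(n, ip) for n, ip in queries) if r["flagged"]]


if __name__ == "__main__":
    for name, ip in SAMPLE_QUERIES:
        print(score_query(name, ip))
```

Note that the genuine `www.facebook.com` query is left alone because its answer sits inside the expected block, while the two look-alikes are flagged purely from the name plus the resolved address, with no fetch of the page itself. In a real deployment the brand table and address blocks would come from an authoritative source and the HTML comparison the article mentions would be a second, slower stage.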
Be wary of the site URLs that you visit and ensure that they’re legitimate.
(Image Source: iCLIPART)