Domain classification service, for security researchers

1. Enter your domains here
2. Classify them
3. ????
4. PROFIT!

K&A offers a new free domain classification service on Virus Tracker for security researchers. For classifying malware domains, following types are introduced:

      Parked/expired    Domains that are parked or (about to be) expired
      Collision         When there is a legitimate domain colliding with a DGA
      Suspended         Suspended by the registrar
      Criminals         If the domain wasn't detected as any other type
      Fast flux         When there are multiple A records
      Sinkhole by X     Sinkhole by a known entity
      Not registered    Non registered domain
      Ghosted           Domain without any A records

Please note that “Criminals” means nothing more than “probable active C&C”. As the intension is to classify a bunch of known malware domains, the program cannot distinguish between a legitimate website/server and a maliciously used one. The output format is CSV. Here is an example of the output of the classification service:

Domain,IP,NS,Owner
arqogipjsbcdmk.com,72.172.91.230,arqogipjsbcdmk.com,Parked/expired
axigleyldgeq.com,176.31.62.76,ns1.suspended-domain.org,Sinkhole by zinkhole.org
caosuihgsvivlxh.com,204.13.162.116,ns1.dsredirection.com,Parked/expired
carrerfullezz.com,69.43.161.180,ns1.above.com,Parked/expired
nbykkrkevuri.com,198.61.227.6,ns0.sinkdns.com.nbykkrkevuri.com,Sinkhole by Georgia Institute of Technology

This becomes handy when analyzing malware and you see the DNS requests but you don’t know which of the domains are actually still active or are already expired and so on.

A short look behind the curtains

Behind the Virus Tracker system there is a program called “Datenkrake” (English: data kraken) which is doing the entire magic. It checks the domains, contacts the C&Cs, the name servers, knows the sinkholes, the malware protocols and has heuristic detection algorithms implemented. It generates the data displayed on Virus Tracker.

Datenkrake

We check automatically 102.131 domains every day, using Google’s DNS servers, thanks Google! Through the DNS requests we know exactly which domains are actively used by the criminals which allows further operations (such as takedown and sharing the knowledge and intel with the security community).