Correlating Domain Registrations and DNS First Activity in General and for Malware
White Paper
Software Engineering Institute
From the date that a domain name is registered with a registrar, there should be a pattern in the amount of time it takes for that domain to be actively resolved on the Internet. We first attempt to describe that pattern in general terms by correlating data from registries for several top-level domains with a large passive DNS data source. This pattern is then used as a baseline for comparison with the pattern of activity in domains used by malicious software. While our quantitative results should not be considered representative of the patterns exhibited by all types of malware, the malicious domains are found to have a significantly different pattern from the standard domains.
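The correlation described above can be sketched as follows. This is an added example, not code or data from the white paper: the records are constructed, and the two-sample Kolmogorov-Smirnov statistic is an assumed way to compare the two delay distributions, since the abstract does not name a method.

```python
from bisect import bisect_right
from datetime import date

# Constructed records, chosen only to exercise the code (not results from the paper):
# (domain, registry creation date, earliest passive DNS sighting or None, malware-linked?)
RECORDS = [
    ("alpha.example",   date(2012, 1, 1),  date(2012, 1, 31), False),
    ("bravo.example",   date(2012, 1, 5),  date(2012, 3, 5),  False),
    ("charlie.example", date(2012, 1, 10), date(2011, 12, 1), False),  # seen before registration
    ("golf.example",    date(2012, 3, 1),  None,              False),  # never seen resolving
    ("hotel.example",   date(2012, 3, 2),  date(2012, 3, 3),  False),
    ("india.example",   date(2012, 3, 4),  date(2012, 3, 14), False),
    ("delta.example",   date(2012, 2, 1),  date(2012, 2, 1),  True),
    ("echo.example",    date(2012, 2, 3),  date(2012, 2, 4),  True),
    ("foxtrot.example", date(2012, 2, 7),  date(2012, 2, 9),  True),
]

def activation_delays(records, malware):
    """Days from registration to first passive DNS sighting for one population.

    Returns (sorted delays, never-seen domains, domains seen before registration).
    """
    delays, never_seen, seen_early = [], [], []
    for domain, registered, first_seen, is_malware in records:
        if is_malware != malware:
            continue
        if first_seen is None:
            never_seen.append(domain)    # registered, but no resolution observed
        elif first_seen < registered:
            seen_early.append(domain)    # delay undefined (possibly an earlier registration)
        else:
            delays.append((first_seen - registered).days)
    return sorted(delays), never_seen, seen_early

def ks_statistic(a, b):
    """Largest gap between the empirical CDFs of two sorted delay samples."""
    return max(abs(bisect_right(a, x) / len(a) - bisect_right(b, x) / len(b))
               for x in a + b)

if __name__ == "__main__":
    base, never, early = activation_delays(RECORDS, malware=False)
    mal, _, _ = activation_delays(RECORDS, malware=True)
    print("baseline delays (days):", base, "| never seen:", never, "| seen early:", early)
    print("malware delays (days):", mal)
    print("KS statistic:", ks_statistic(base, mal))
```

Domains with no sighting, or a sighting that predates the registration date, are reported separately rather than folded into the delay distribution, because either case would distort the baseline.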