Detecting Malicious URLs - Part 4. “Lifelines”
In part 3 we considered information about registrars as a way to detect malicious URLs. For example, we found out that most of the URLs from the given malware set had been registered through the Russian registrar “REGGI-REG-RIPN”. Moreover, we noticed that Russian registrars are widely used to register malicious domains that are utilized by popular botnets.
In part 4, we will analyse information about the creation and expiration of domains, which can be obtained using the same WhoIs protocol. We will try to conclude whether a URL is malicious or not based on its lifetime.
We will use the same set of URLs, as before:
• Trusted URLs from Alexa
• Phishing URLs from Phishtank
• Malware URLs extracted from a malware flow
After collecting information about creation and expiration time of domains using WhoIs, we drew the following charts:
Chart: year of creation.
Chart: year of expiration.
Chart: lifetime of domains.
From the last chart we can clearly conclude that malware and phishing URLs tend to be registered for a short period of time. While the phishing trend is blurred across a 5-year term and covers only 60% of URLs, the malware set clearly shows that 90% of URLs have been registered for only one year. This makes sense, as links to malware and botnet C&C usually live for only a few days, so malware distributors lease domains for the minimum period allowed by registrars, commonly one year.
Conversely, the “green” or “legitimate” URLs have been created evenly over more than 30 years and have an average lifetime of 15 years, whereas the same value for malware and phishing URLs is 1 year. Some of the trusted domains were even registered at the end of the 1980s, at the very beginning of the Internet era.
The oldest domains, from the 1980s:
| Domain name | Country | Creation Date |
|---|---|---|
| http://hp.com/ | US | 03 Mar 1986 |
| http://ibm.com/ | US | 19 Mar 1986 |
| http://sun.com/ | US | 19 Mar 1986 |
| http://intel.com/ | US | 25 Mar 1986 |
| http://ti.com/ | US | 25 Mar 1986 |
| http://att.com/ | US | 25 Apr 1986 |
| http://ge.com/ | US | 05 Aug 1986 |
| http://siemens.com/ | DE | 29 Sep 1986 |
| http://amd.com/ | US | 17 Nov 1986 |
| http://adobe.com/ | US | 17 Nov 1986 |
| http://apple.com/ | US | 19 Feb 1987 |
| http://philips.com/ | US | 04 Apr 1987 |
| http://cisco.com/ | US | 14 May 1987 |
| http://sky.com/ | GB | 31 Mar 1988 |
| http://3m.com/ | US | 27 May 1988 |
| http://guru.com/ | US | 05 Aug 1988 |
| http://ford.com/ | US | 01 Sep 1988 |
| http://kodak.com/ | US | 16 Sep 1988 |
| http://dell.com/ | US | 22 Nov 1988 |
| http://oracle.com/ | US | 02 Dec 1988 |
| http://morningstar.com/ | US | 25 Apr 1989 |
| http://sagepub.com/ | US | 16 May 1989 |
| http://dhl.com/ | US | 25 May 1989 |
| http://sony.com/ | US | 07 Jul 1989 |
| http://bbc.com/ | GB | 15 Jul 1989 |
| http://autodesk.com/ | US | 03 Aug 1989 |
| http://honda.com/ | US | 25 Oct 1989 |
| http://info.com/ | US | 01 Nov 1989 |
So URLs with a one-year lifetime can be considered suspicious, since 24% of phishing URLs and 90% of malware URLs are registered for one year, whereas one-year registrations make up only 0.5% of the total number of trusted, “white” domains.
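To turn the lifetime heuristic above into a screening check, here is an added Python example (not code from the original post) that pulls creation and expiry dates out of raw WhoIs text in two common record layouts, computes the registration term in whole years, and flags one-year terms as suspicious. The two records, their domain names, and the sets of field names and date formats are constructed for this example.

```python
from datetime import datetime

# Constructed sample records (not real WhoIs output) in the two layouts the
# parser handles: a registry-style "Key: Value" record and a RIPN-style record
# of the kind returned for domains registered via REGGI-REG-RIPN.
TRUSTED_RECORD = """\
Domain Name: EXAMPLE-CORP.COM
Registrar URL: http://www.registrar.example
Updated Date: 2023-08-14T07:01:31Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2024-08-13T04:00:00Z
"""
SUSPICIOUS_RECORD = """\
domain:        SAMPLE-LURE.RU
nserver:       ns1.sample-lure.ru.
state:         REGISTERED, DELEGATED, VERIFIED
registrar:     REGGI-REG-RIPN
created:       2014-03-01T12:00:00Z
paid-till:     2015-03-01T12:00:00Z
"""

# Field names and date layouts differ per registry; these cover common ones
# (assumed set, extend it for the registries you actually query).
CREATED_KEYS = {"creation date", "created", "created on", "registered on"}
EXPIRES_KEYS = {"registry expiry date", "expiration date", "expiry date",
                "expires", "paid-till"}
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y", "%d %b %Y")

def parse_date(value):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None

def parse_whois_dates(record):
    """Return (created, expires) from raw WhoIs text; either is None if absent."""
    created = expires = None
    for line in record.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if created is None and key in CREATED_KEYS:
            created = parse_date(value)
        elif expires is None and key in EXPIRES_KEYS:
            expires = parse_date(value)
    return created, expires

def classify_by_lifetime(record, max_suspicious_years=1):
    """Lifetime in whole years (registrars sell whole-year terms) plus a verdict."""
    created, expires = parse_whois_dates(record)
    if created is None or expires is None:
        return None, "unknown"
    years = round((expires - created).days / 365.25)
    return years, "suspicious" if years <= max_suspicious_years else "likely legitimate"

if __name__ == "__main__":
    for rec in (TRUSTED_RECORD, SUSPICIOUS_RECORD):
        print(rec.splitlines()[0], classify_by_lifetime(rec))
```

Treat the verdict as one feature among several rather than a decision on its own: by the article's own numbers a one-year term catches only 24% of phishing domains and also flags a small share of legitimate ones.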