Talos : Building World-Wide Domain Reputation

Copyright 2009 Trend Micro Inc.

Talos:Building World-Wide Domain ReputationRay Liao ([email protected]) Jerry J Wu ([email protected])Trend Micro Inc.

04/22/2023

Talos . External

Copyright 2009 Trend Micro Inc.Classification 04/22/2023 2


Types of Analysis

04/22/2023

Talos . External

TALOS


Goal• Comprehensive domain reputation

– High risk domains– Legitimate domains – Not compromised sites

• Rate by intention

04/22/2023

Talos . External


How?• Domain Snapshot• Domain History • Analysis

– Identify classes of event worthy of investigation. – Identify domains associated with suspicious events.

04/22/2023

Talos . External

5


Sourcing• How to get a whole picture, domain-wise?

– No single type of sourcing is perfect (legal, anonymous services, etc…)

– Combination of various types of data sources – Observational data.

04/22/2023

Talos . External


Building the network structure• Organize domains by

– Structural relationship– Custom defined.– Indexing for fast lookup.

04/22/2023

Talos . External

Copyright 2009 Trend Micro Inc.04/22/2023

System Architecture

Talos . External


Static Analysis• Analysis based on a single snapshot of world-

wide domains– Analysis by keyword– Analysis by structure (relationship)

04/22/2023

Talos . External


Keyword analysis• Phishing attack

– Masquerading as other trustworthy entity.– Similarity to the object of the masquerade

• Content • Domain name

• Template generated disposable domains

04/22/2023

Talos . External


Static Analysis – Example (1)

04/22/2023

Talos . External


Analysis by relationship• Form follows function

• Reuse of the existing network structure– Business reuse infrastructure– So does bad guys – Most attacks are not alone

• Observation– Good guy: likes repels likes– Bad guy: likes attract likes

04/22/2023

Talos . External



04/22/2023

Talos . External



04/22/2023

Talos . External



04/22/2023

Talos . External


Dynamic Analysis• Analysis across multiple snapshots

– More complex than static analysis– Type of change (from X to Y)– What is being changed (value)– Rate of change– More

04/22/2023

Talos . External


Dynamic Analysis – Example (4)

04/22/2023

Talos . External

LCS Domains Rating Registrant Date[item] ideaitem.info. Malicious George --- 4/24[item] itemgroup.info. Malicious George --- 4/24[item] itemhosting.info. Malicious George --- 4/24[item] itemmusic.info. Malicious George --- 4/24[item] propertyitem.info. No Rating George --- 4/24[item] youitem.info. No Rating George --- 4/24[item] ideaitem.info. Malicious George --- 4/24[item] imageitem.info. Malicious George --- 4/24[item] itemgroup.info. Malicious George --- 4/24[item] itemhosting.info. Malicious George --- 4/24[item] itemsoft.info. Malicious George --- 4/24[item] propertyitem.info. No Rating George --- 4/24[item] youitem.info. No Rating George --- 4/24[yahoo] coolyahoo.info. Malicious Dorothy --- 4/24[yahoo] dotyahoo.info. Malicious Dorothy --- 4/24[yahoo] lifeyahoo.info. Malicious Dorothy --- 4/24[yahoo] www.yahooauto.info. Malicious Dorothy --- 4/24[yahoo] yahooblue.info. Malicious Dorothy --- 4/24


qebinehuh.com

Classification 04/22/202318


Some Statistics about Talos • 9 billions of domain related records as input per day• 4TB of domain information in the past three months,

in which 1 billion domains are involved and been frequently accessed

• 1 million domains identified as white-listed domains– Refreshed daily

Classification 04/22/2023 19


Questions?



Thank You


Talos : Building World-Wide Domain Reputation

Documents

trend micro

external copyright

static analysis example

presentation title talos

dynamic analysis example

static analysisanalysis

disposable domains

static analysistype