Sunday, March 4, 2012

Passive DNS Expansion

Recently, I learned that an analytical method I had experimented with a while back was being used by an organization to generate intelligence.  It would have been nice to have been given proper credit, but regardless, it's still great that the method is in use.  I've called the method "Passive DNS Expansion" for lack of a better term.  The basic idea is that you use a combination of forward DNS resolution and passive DNS data to generate lists of malicious domain names that can be used for analysis and/or network defense purposes.  It turns out to be a pretty handy way to generate some actionable intelligence.  The basic algorithm is as follows:

1) Begin with a known malicious domain name
2) Forward resolve the known malicious domain name and obtain its current IP address
3) Leverage passive DNS data to identify the domain's IP address history
4) Search passive DNS data for the IP addresses to obtain a list of domain names associated with those IP addresses
5) Perform some cursory research on the domain names to determine whether or not they can be reliably used for analysis/network defense

I'd like to illustrate this with an example, using the domain name at the top of the Zeus Tracker list this morning:

1) I begin with the domain name freetop[.]mobi, which I obtained from the Zeus Tracker list
2) The domain name forward resolves to 69[.]175[.]127[.]82
3) Passive DNS data shows only one IP address for this domain: 69[.]175[.]127[.]82
4) In this case, there is only one additional domain name associated with this IP address in passive DNS data: mymobilewap[.]info
5) A Google search for mymobilewap[.]info indicates that the domain name is most likely malicious and could probably be used reliably for network traffic analysis purposes.

I'm a big fan of this method.  In the past, I've scripted these steps to automate the process with positive results.  Feel free to give it a try and let me know your thoughts!
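One way steps 1 through 4 could be scripted, as an added example (not the author's script). The passive DNS records, the `.example` names and documentation-range addresses, the function names and the `shared_threshold` cut-off for skipping shared-hosting addresses are all assumptions of this sketch; step 5 remains a manual review of whatever it returns.

```python
import socket
from collections import defaultdict

# Constructed passive DNS A records (domain, ip); not real observations.
SAMPLE_PDNS = [
    ("seed-bad.example", "192.0.2.10"),
    ("seed-bad.example", "192.0.2.44"),      # historical address of the seed
    ("sibling-one.example", "192.0.2.10"),
    ("sibling-two.example", "192.0.2.44"),
    ("SIBLING-TWO.example.", "192.0.2.44"),  # same name, different case / trailing dot
] + [(f"tenant{i}.example", "198.51.100.7") for i in range(40)]  # shared host

def norm(name):
    return name.rstrip(".").lower()

def live_resolve(domain):
    """Step 2 against live DNS; returns [] if the name no longer resolves."""
    try:
        return socket.gethostbyname_ex(domain)[2]
    except OSError:
        return []

def expand(seed, pdns, resolve=live_resolve, shared_threshold=25):
    """Steps 1-4. Returns ({candidate_domain: {ips}}, [skipped_ips]).

    shared_threshold is an assumption of this example: an address with more
    names than this is treated as shared hosting and reported, not expanded.
    """
    seed = norm(seed)
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for name, ip in pdns:
        by_domain[norm(name)].add(ip)
        by_ip[ip].add(norm(name))
    ips = set(resolve(seed)) | by_domain[seed]   # step 2 (current) + step 3 (history)
    candidates, skipped = defaultdict(set), []
    for ip in sorted(ips):
        neighbours = by_ip[ip] - {seed}          # step 4: other names seen on this IP
        if len(neighbours) > shared_threshold:
            skipped.append(ip)                   # leave for manual review in step 5
            continue
        for name in neighbours:
            candidates[name].add(ip)
    return dict(candidates), skipped

def defang(value):
    """Render an indicator in the bracketed form used in this post."""
    return value.replace(".", "[.]")
```

Passing a stub as `resolve` keeps the run offline; with the default, a seed that no longer resolves still expands through its passive DNS history.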
