Currently, undesirable software such as computer viruses, worms, spyware, etc. (generally, malware) affect a great many computers daily and efforts are constantly under way to prevent, detect and remove such malware. One current detection technique is to scan files on a computer using antivirus software that can detect known computer viruses. Existing viruses are analyzed in a laboratory, and these samples produce a unique virus pattern, or virus signature, that is then used by the antivirus software to detect the known computer viruses on a computer. One drawback with this technique is that samples of viruses are required in order to detect future infections.
An improvement upon this technique extracts any URLs present in the computer virus and then the antivirus software (or similar software) is able to block traffic associated with this URL. It is assumed that a URL within the malware, or the URL from where the malware originated (by e-mail, file transfer, Internet download, etc.) is a malicious URL. Again, this improvement requires samples of existing computer viruses or other malware.
For new malware, i.e., malware that affects computers for the first time and has not been seen or analyzed before (also referred to as a zero-day attack), it can be more difficult to prevent and detect such malware. Domain parking and inexpensive registered domain names can make detection more difficult. As known in the art, domain parking is a process where one registers a domain but does not enter the domain name servers of the hosting company. A domain parking service hosts the domain and offers the owner revenue from the parked domain when a user clicks upon it. It can be difficult for a backend anti-malware service to detect and block malware in real time coming from these parked domains or from inexpensive registered domains because one cannot predict which domains will be registered and assigned to serve as malicious URLs. Further, one is not able to retrieve a full list of all fully-qualified domain names from the registrars. Thus, the backend service cannot see these domain names until they are revealed to the users, and, when revealed, this means that someone has already been infected and the infection has started to spread.
In other words, anti-malware software can predict malware threats and can block such threats based upon previous samples of malware and known malicious URLs, but can find it difficult to detect and block zero-day malware and malware from URLs that have not been identified as malicious. A technique to detect such malware would be desirable.