A Command and Control (C&C) infrastructure may include servers and other network components that are used to control malware, or networks established for nuisance or malicious purposes such as botnets. For example, a botnet may be used to repetitively (robotically) send spam email or to participate in distributed denial-of-service attacks, with the C&C servers issuing the commands that direct such activity. Malware operators may control C&C servers directly, or the servers may run on hardware that has itself been compromised by malware. Designers of C&C infrastructure may employ fast-flux Domain Name System (DNS), in which a botnet hides its phishing and malware delivery sites behind a constantly changing set of compromised hosts acting as proxies: the domain name stays the same while the addresses it resolves to rotate rapidly, typically under short DNS time-to-live values. C&C servers are therefore difficult to track down, because the addresses associated with them may change from day to day, or within hours. C&C servers may also hop from one DNS domain to another, where domain generation algorithms (DGAs) are used to derive new DNS names for the C&C servers; a bot running the same algorithm with the same seed (for example, the current date) can compute the current rendezvous names without ever having received them.
Conventionally, C&C related malware is detected by statically searching the code of an application for particular logic. For example, a system may detect whether the application includes code relating to the receipt of commands, and suspicious behaviour such as leaking private information or sending premium-rate text messages may be identified. Because numerous variations of C&C malware exist, however, and because new variants can proliferate quickly, a method that targets only the software can be insufficient to prevent large numbers of devices from being victimized within a short period of time. Alternatively, static analysis may be used to extract C&C URLs from the application so that they can be blocked. However, since most C&C malware continuously changes its C&C URLs in response to commands received from C&C servers, a statically extracted URL list is quickly outdated and is therefore an ineffective solution. It is within this context that the embodiments arise.
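The two preceding paragraphs describe the evasion techniques (fast-flux DNS and domain generation algorithms) and why a static list of C&C URLs fails against them. The following Python is an added illustration, not code from the original document or from the embodiments it introduces: a toy date-seeded DGA, a blocklist check showing that yesterday's extracted names miss today's, and two lightweight network-side heuristics a defender can run over observed DNS answers (a character-entropy score for algorithmically generated labels and a fast-flux heuristic for names that rotate through many addresses under short TTLs). All domain names, addresses and DNS records below are constructed for the example; the thresholds are assumptions, not values from the text.

```python
"""Toy DGA beside two DNS-side detection heuristics (added example, constructed data)."""
import hashlib
import math
import re
from collections import defaultdict
from datetime import date, timedelta

TLDS = ("com", "net", "org")  # assumed TLD pool for the toy DGA


def toy_dga(seed_day: date, count: int = 5, length: int = 12) -> list:
    """Derive `count` domain names from a date. Bot and operator run the same
    function on the same day and agree on the rendezvous names without a URL
    ever being embedded in the binary. Toy construction, not any real family."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def blocklist_hits(blocklist: set, observed: list) -> list:
    """Static approach from the text: compare observed names to a fixed list."""
    return [d for d in observed if d in blocklist]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0 for a repeated char)."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Flag a second-level label that is long and has near-uniform character
    spread. Thresholds are assumptions; legitimate long names also score high,
    so this is a triage signal to combine with other evidence, not a verdict."""
    label = domain.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


# Constructed DNS answer records: (queried name, answered IP, TTL seconds).
SAMPLE_RECORDS = [
    ("flux.example.net", "203.0.113.10", 120),
    ("flux.example.net", "203.0.113.27", 60),
    ("flux.example.net", "198.51.100.8", 180),
    ("flux.example.net", "198.51.100.41", 60),
    ("flux.example.net", "192.0.2.77", 300),
    ("flux.example.net", "192.0.2.130", 90),
    ("stable.example.org", "198.51.100.5", 86400),
    ("stable.example.org", "198.51.100.5", 86400),
    ("cdn.example.com", "203.0.113.200", 60),
    ("cdn.example.com", "203.0.113.201", 60),
    ("cdn.example.com", "203.0.113.202", 60),
]


def fast_flux_candidates(records, min_ips: int = 5, max_ttl: int = 300) -> list:
    """Return names that resolved to at least `min_ips` distinct addresses,
    counting only answers with TTL <= `max_ttl`. A small CDN-style rotation
    (few addresses) stays below the threshold; a proxy pool of compromised
    hosts does not. Thresholds are assumptions for the example."""
    ips = defaultdict(set)
    for domain, ip, ttl in records:
        if ttl <= max_ttl:
            ips[domain].add(ip)
    return sorted(d for d, s in ips.items() if len(s) >= min_ips)


if __name__ == "__main__":
    today = date(2024, 1, 2)
    yesterday = today - timedelta(days=1)
    blocklist = set(toy_dga(yesterday))  # what static extraction would have captured
    print("hits on today's names:", blocklist_hits(blocklist, toy_dga(today)))
    for name in toy_dga(today):
        print(name, "generated?" , looks_generated(name))
    print("fast-flux candidates:", fast_flux_candidates(SAMPLE_RECORDS))
```

The blocklist built from one day's DGA output matches nothing the next day, which is the failure mode the second paragraph describes; the network-side checks do not depend on the embedded URL at all. Note that `looks_generated` will also flag some legitimate long labels (a name such as `microsoftonline` clears the entropy threshold), so it is only useful alongside corroborating signals such as the fast-flux pattern or bursts of NXDOMAIN responses.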