Malware domain detection using passive DNS

US9749336B1 · US · B1

Patent metadata
Publication number: US-9749336-B1
Application number: US-201313778001-A
Country: US
Kind code: B1
Filing date: Feb 26, 2013
Priority date: Feb 26, 2013
Publication date: Aug 29, 2017
Grant date: Aug 29, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques for malware domain detection using passive Domain Name Service (DNS) are disclosed. In some embodiments, malware domain detection using passive DNS includes generating a malware association graph that associates a plurality of malware samples with malware source information, in which the malware source information includes a first domain; generating a reputation score for the first domain using the malware association graph and passive DNS information; and determining whether the first domain is a malware domain based on the reputation score for the first domain.

First claim

Opening claim text (preview).

What is claimed is:

1. A system for malware domain detection using passive Domain Name Service (DNS), comprising: a processor; and a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to: generate a malware association graph that associates a plurality of malware samples with malware source information, wherein the malware association graph includes a searchable directed graph that associates related Internet Protocol (IP) address information and related domain information with a first malware sample, and wherein the malware source information includes a first domain of the malware association graph, the first domain being associated with the first malware sample; generate a reputation score for the first domain using the malware association graph and passive DNS information, wherein the generating of the reputation score comprises to: identify a first path and a second path both linking the first domain to a known malware node of the malware association graph, the first path having a first relation type and the second path having a second relation type, each relation type being associated with resolving to the same Internet Protocol (IP) address of the known malware node, resolving using the same name server (NS) as the known malware node, having an IP address belonging to the same border gateway protocol (BGP) prefix as the known malware node, having an IP address belonging to the same autonomous system (AS) as the known malware node, or any combination thereof, the first relation type being different from the second relation type; determine, for the first relation type, a first score based on a first damping factor associated with the first relation type and the first relation type; weigh the first score by a first weight to obtain a first weighted reputation; determine, for the second relation type, a second score based on a second damping factor associated with the second relation type and the second relation type; weigh the second score by a second weight to obtain a second weighted reputation; and generate the reputation score of the first domain based at least in part on the first weighted reputation and the second weighted reputation; determine whether the first domain is a malware domain based on the reputation score for the first domain; and in response to a determination that the first domain is the malware domain, perform a responsive action, wherein the responsive action includes generate a new signature for a new malware, generate an alert and/or a notification to a user, or a combination thereof, and associate the new malware with the malware domain.

2. The system recited in claim 1, wherein the reputation score is based at least in part on a determination that the first domain resolves to a first Internet Protocol (IP) address associated with a first cluster in the malware association graph, and wherein the first domain is determined to be a malware domain if the reputation score for the first domain exceeds a threshold value.

3. The system recited in claim 1, wherein a first cluster of the malware association graph associates related Internet Protocol (IP) address information and related domain information with the first malware sample.

4. The system recited in claim 1, wherein the processor is further configured to: determine that a bad Internet Protocol (IP) address resolves to one or more additional domain addresses using passive DNS information.

5. The system recited in claim 1, wherein the processor is further configured to: determine that the first domain resolves to a first Internet Protocol (IP) address associated with a first cluster of the malware association graph.

6. The system recited in claim 1, wherein the processor is further configured to: determine that the first domain is associated with malware based on a first cluster of the malware association graph.

7. The system recited in claim 1, wherein the processor is further configured to: generate a first cluster of the malware association graph associating a plurality of source information with the first malware sample, wherein the plurality of source information includes the first domain.

8. The system recited in claim 1, wherein the processor is further configured to: generate a first cluster of the malware association graph associating Internet Protocol (IP) address related source information and domain related source information with the first malware sample, wherein the IP address related source information includes the first domain.

9. The system recited in claim 1, wherein the processor is further configured to: determine whether a DNS name server is malicious.

10. A method of malware domain detection using passive Domain Name Service (DNS), comprising: generating, using a hardware processor, a malware association graph that associates a plurality of malware samples with malware source information, wherein the malware association graph includes a searchable directed graph that associates related Internet Protocol (IP) address information and related domain information with a first malware sample, and wherein the malware source information includes a first domain of the malware association graph, the first domain being associated with the first malware sample; generating, using the hardware processor, a reputation score for the first domain using the malware association graph and passive DNS information, wherein the generating of the reputation score comprises: identifying a first path and a second path both linking the first domain to a known malware node of the malware association graph, the first path having a first relation type and the second path having a second relation type, each relation type being associated with resolving to the same Internet Protocol (IP) address of the known malware node, resolving using the same name server (NS) as the known malware node, having an IP address belonging to the same border gateway protocol (BGP) prefix as the known malware node, having an IP address belonging to the same autonomous system (AS) as the known malware node, or any combination thereof, the first relation type being different from the second relation type; determining, for the first relation type, a first score based on a first damping factor associated with the first relation type and the first relation type; weighing the first score by a first weight to obtain a first weighted reputation; determining, for the second relation type, a second score based on a second damping factor associated with the second relation type and the second relation type; weighing the second score by a second weight to obtain a second weighted reputation; and generating the reputation score of the first domain based at least in part on the first weighted reputation and the second weighted reputation; determining, using the hardware processor, whether the first domain is a malware domain based on the reputation score for the first domain; and in response to a determination that the first domain is the malware domain, performing a responsive action, wherein the responsive action includes generating a new signature for a new malware, generating an alert and/or a notification to a user, or a combination thereof, and associating the new malware with the malware domain.

11. The method of claim 10, wherein the reputation score is based at least in part on a determination that the first domain resolves to a first Internet Protocol (IP) address associated with a first cluster in the malware association graph, and wherein the first domain is determined to be a malware domain if the reputation score for
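
The scoring described in claim 1 (paths of distinct relation types from a candidate domain to a known malware node, each scored with a per-type damping factor, weighted, and summed, then compared with claim 2's threshold), as an added Python illustration that is not the patent's or the assignee's own code. Every domain, IP address, name server, BGP prefix, AS number, damping factor, weight and the threshold below are constructed, hypothetical values, and a path is scored as damping raised to the number of domain hops it takes to reach a known malware node.

```python
"""Reputation scoring sketched in claim 1 of US9749336B1 (added illustration, not
the patent's code). All data and parameters below are constructed/hypothetical."""
from collections import deque

# Relation types named in claim 1; damping factors and weights are assumed.
DAMPING = {"ip": 0.9, "ns": 0.7, "bgp": 0.5, "as": 0.3}
WEIGHT = {"ip": 1.0, "ns": 0.8, "bgp": 0.6, "as": 0.4}

# Constructed passive-DNS view: domain -> {relation type -> set of shared nodes}.
PASSIVE_DNS = {
    "bad.example":   {"ip": {"203.0.113.10"}, "ns": {"ns1.example"},
                      "bgp": {"203.0.113.0/24"}, "as": {"AS64500"}},
    "twin.example":  {"ip": {"203.0.113.10"}, "ns": {"ns1.example"},
                      "bgp": {"203.0.113.0/24"}, "as": {"AS64500"}},
    "near.example":  {"ip": {"203.0.113.77"}, "ns": {"ns9.example"},
                      "bgp": {"203.0.113.0/24"}, "as": {"AS64500"}},
    "pivot.example": {"ip": {"203.0.113.10", "192.0.2.8"}, "ns": {"ns2.example"},
                      "bgp": {"203.0.113.0/24", "192.0.2.0/24"}, "as": {"AS64500", "AS64502"}},
    "far.example":   {"ip": {"192.0.2.8"}, "ns": {"ns3.example"},
                      "bgp": {"192.0.2.0/24"}, "as": {"AS64502"}},
}
KNOWN_MALWARE = {"bad.example"}  # the known malware node(s) of the graph

def path_length(pdns, start, targets, rel):
    """BFS over domains that share a node of ONE relation type (a single-relation
    path as in claim 1); returns domain hops to the nearest known-malware node or None."""
    seen, q = {start}, deque([(start, 0)])
    while q:
        dom, hops = q.popleft()
        if dom in targets:
            return hops
        for other, info in pdns.items():
            if other not in seen and pdns[dom][rel] & info[rel]:
                seen.add(other)
                q.append((other, hops + 1))
    return None

def reputation_score(pdns, domain, known=KNOWN_MALWARE):
    """Per relation type: score = damping ** hops, then weighted and summed (claim 1)."""
    total = 0.0
    for rel, damping in DAMPING.items():
        hops = path_length(pdns, domain, known, rel)
        if hops:  # None (no path) or 0 (domain is itself known) contributes nothing
            total += WEIGHT[rel] * damping ** hops
    return round(total, 4)

def is_malware_domain(pdns, domain, threshold=0.5):  # claim 2's threshold test
    return reputation_score(pdns, domain) >= threshold
```

far.example never shares an IP with the known node directly, yet it still scores above the threshold through the two-hop IP, BGP and AS paths via pivot.example, while near.example (same prefix and AS only) stays below it.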

Assignees

Palo Alto Networks Inc

Inventors

Classifications

  • Event detection, e.g. attack signature detection · CPC title

  • Physics · mapped topic

  • H04L63/14 (primary): for detecting or protecting against malicious traffic · CPC title

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title

  • Electricity · mapped topic

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9749336B1 cover?
Techniques for malware domain detection using passive Domain Name Service (DNS) are disclosed. In some embodiments, malware domain detection using passive DNS includes generating a malware association graph that associates a plurality of malware samples with malware source information, in which the malware source information includes a first domain; generating a reputation score for the first d…
Who is the assignee on this patent?
Palo Alto Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/14. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 29, 2017 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).