Degree thesis

Title: 針對無母音惡意域名之語彙特徵辨識模型

English title: A Lexical Identification Model for Detecting Malicious Domain Names Without Vowels

Advisor: 曾俊元

Abstract


A botnet relies mainly on network domain names to reach the many bot programs under its control. In the newer watering-hole attack, the victim machine contacts the Command & Control server (C&C server) through a malicious domain registered by the attacker and automatically downloads the latest malware. Identifying malicious domain names is therefore important for botnet defense: once the malicious domains inside the botnet structure are rendered invalid, the attacker can no longer remotely control the victim machines through the C&C server. To detect malicious domain names, especially the harder-to-detect ones that contain no vowels, we propose new lexical and letter-level analyses of the differences between botnet malicious domains and normal domains, and from them build whitelist-based lexical features. Using the extracted lexical features, we try different feature combinations to find the combination best suited to training the identification model. We then build a decision tree model on this feature combination and evaluate how well it identifies malicious domains. Experimental results show that the false positive rate and the false negative rate can both be kept below 5%, so the new lexical features work well for identifying vowel-less malicious domain names.

Parallel abstract (English)


Botnets generally use a domain name rather than an actual IP address to connect to their subordinate bot programs. The recent “watering hole attack” lets a botnet propagate not only passively but actively: when a victim’s computer visits a web page that carries malicious files, the victim is redirected to the C&C server and automatically downloads the newest version of the malware. A botnet master, the owner and administrator of the botnet, typically registers many random-string domain names for the C&C server, so identifying malicious domains by their names is a low-cost defense against botnets. Once the connections to the C&C server are blocked, the botnet master can no longer control the victim computers remotely. To detect malicious domain names, especially those without vowels, this thesis develops a new lexical analysis that distinguishes malicious domains from normal ones and builds a database of lexical features based on a whitelist. Among all combinations of those lexical features, the one best suited to training is selected to build a decision tree model, whose identification performance is then evaluated. The result shows that both the false positive rate and the false negative rate are below five percent, indicating that the new lexical analysis can effectively detect malicious domain names without vowels.
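The pipeline that both abstracts describe, as an added example that is not the thesis' own code or data: extract lexical features from the second-level label of a domain (length, vowel ratio, longest consonant run, digit ratio, character entropy and a whitelist-derived character-bigram likelihood), grow a small decision tree on a labelled set, and report the training false-positive and false-negative rates. Every domain list below is a constructed stand-in for the thesis' whitelist and malicious-domain lists; the feature set, the Laplace smoothing constant, the crude public-suffix handling in sld() and the tree depth are assumptions, not the thesis' actual choices.

```python
"""Lexical features for vowel-less domain names plus a small learned decision tree.
Added example, not the thesis' code or data: every domain below is a constructed
stand-in for the thesis' whitelist and malicious-domain lists."""
import math
from collections import Counter

VOWELS = set("aeiou")  # assumption: 'y' counts as a consonant
SMOOTH = 38 * 38       # Laplace constant: a-z, 0-9, '-', boundary marker

# Whitelist used ONLY to build the bigram model; kept apart from the labelled
# training set so the whitelist-derived feature is not leaked into training.
WHITELIST_MODEL = ["google.com", "facebook.com", "youtube.com", "amazon.com", "twitter.com",
                   "microsoft.com", "github.com", "nytimes.com", "reddit.com", "linkedin.com",
                   "apple.com", "dropbox.com", "netflix.com", "paypal.com", "yahoo.com",
                   "adobe.com", "oracle.com", "samsung.com", "spotify.com", "mozilla.org"]
# Benign set deliberately includes short vowel-less acronyms (the hard case);
# malicious set is constructed vowel-less random strings, three of them with digits.
BENIGN = ["bbc.co.uk", "cnn.com", "hp.com", "msn.com", "ibm.com", "dhl.com", "bmw.com",
          "kfc.com", "ebay.com", "zoom.us", "intel.com", "tesla.com", "nvidia.com",
          "airbnb.com", "wikipedia.org", "instagram.com", "cloudflare.com", "stackoverflow.com"]
MALICIOUS = ["xkqzptrf.com", "hgjkwnpv.net", "tzrsdvxk.org", "qwrtbnmzl.info", "plkjhgfds.biz",
             "zzqtrsbkw.com", "wqxvbnfrt.net", "mklpzxqgh.org", "dfgqkztpl.com", "rtbzqxwnm.ru",
             "vcxzsdfgh.cc", "jhgtfrdsw.xyz", "nbvcxzmkl.top", "ptrkqzxcv.pw",
             "qz8xk2.com", "tr5vxq9.net", "k3mzp7x.org"]

def sld(domain):
    """Second-level label: 'bbc.co.uk' -> 'bbc'. Crude public-suffix handling (assumption)."""
    p = domain.lower().strip(".").split(".")
    if len(p) >= 3 and p[-2] in {"co", "com", "net", "org", "ac", "gov"}:
        return p[-3]
    return p[-2] if len(p) >= 2 else p[0]

def bigram_model(labels):
    """Counts of character bigrams (with ^/$ boundaries) over the whitelist labels."""
    counts = Counter()
    for lab in labels:
        s = "^" + lab + "$"
        counts.update(zip(s, s[1:]))
    return counts, sum(counts.values())

def bigram_score(label, model):
    """Mean smoothed log-likelihood of the label's bigrams under the whitelist model."""
    counts, total = model
    s = "^" + label + "$"
    return sum(math.log((counts[b] + 1) / (total + SMOOTH)) for b in zip(s, s[1:])) / (len(s) - 1)

def features(domain, model):
    """[length, vowel_ratio, max_consonant_run, digit_ratio, char_entropy, whitelist_bigram_ll]"""
    lab, run, best = sld(domain), 0, 0
    n = max(len(lab), 1)
    for c in lab:                       # digits and hyphens break a consonant run
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        best = max(best, run)
    entropy = -sum(k / n * math.log2(k / n) for k in Counter(lab).values())
    return [len(lab), sum(c in VOWELS for c in lab) / n, best,
            sum(c.isdigit() for c in lab) / n, entropy, bigram_score(lab, model)]

def gini(ys):
    p = sum(ys) / len(ys) if ys else 0.0
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)

def best_split(X, y):
    """Greedy CART split: (feature, threshold, weighted Gini); feature is None if nothing helps."""
    best, n = (None, None, gini(y)), len(y)
    for f in range(len(X[0])):
        vals = sorted({row[f] for row in X})
        for lo, hi in zip(vals, vals[1:]):
            t = (lo + hi) / 2
            left = [y[i] for i in range(n) if X[i][f] <= t]
            right = [y[i] for i in range(n) if X[i][f] > t]
            imp = (len(left) * gini(left) + len(right) * gini(right)) / n
            if imp < best[2] - 1e-12:
                best = (f, t, imp)
    return best

def build_tree(X, y, depth=0, max_depth=3):
    f, t, _ = best_split(X, y) if depth < max_depth else (None, None, None)
    if f is None:                       # pure node, depth limit, or no useful split
        return {"leaf": int(2 * sum(y) >= len(y))}   # majority vote; ties -> malicious
    li = [i for i in range(len(y)) if X[i][f] <= t]
    ri = [i for i in range(len(y)) if X[i][f] > t]
    return {"feature": f, "threshold": t,
            "left": build_tree([X[i] for i in li], [y[i] for i in li], depth + 1, max_depth),
            "right": build_tree([X[i] for i in ri], [y[i] for i in ri], depth + 1, max_depth)}

def predict(tree, x):
    while "leaf" not in tree:
        tree = tree["left"] if x[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["leaf"]

def train():
    """Returns (bigram model, tree, training false-positive rate, false-negative rate)."""
    model = bigram_model(sld(d) for d in WHITELIST_MODEL)
    X = [features(d, model) for d in BENIGN + MALICIOUS]
    y = [0] * len(BENIGN) + [1] * len(MALICIOUS)
    tree = build_tree(X, y)
    pred = [predict(tree, x) for x in X]
    fp = sum(p == 1 and t == 0 for p, t in zip(pred, y)) / len(BENIGN)
    fn = sum(p == 0 and t == 1 for p, t in zip(pred, y)) / len(MALICIOUS)
    return model, tree, fp, fn

def classify(domain, model, tree):
    return predict(tree, features(domain, model))   # 1 = malicious, 0 = benign

if __name__ == "__main__":
    model, tree, fp, fn = train()
    print("tree:", tree, "\ntraining FP rate:", fp, "FN rate:", fn)
    for d in ["rqxzvbkt.com", "x7kq9z.net", "google.com", "hp.com"]:
        print(d, "->", "malicious" if classify(d, model, tree) else "benign")
```

On this constructed data the greedy tree puts the longest consonant run at the root and digit ratio beneath it and never needs the bigram score; with a realistic whitelist and DGA output that mixes vowels and digits, the whitelist-derived feature is the one that does the work. Keeping WHITELIST_MODEL apart from BENIGN matters: scoring a domain's bigrams against a model built from that same domain makes the feature look far stronger than it is. Training-set rates are reported only because the set is tiny; the sub-five-percent figures the abstracts claim are meaningful only on held-out domains.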

