Analyzing a suspicious website address, where to start...

Hi malware fighters,

You are looking up a URL or web address against specific detection lists and also visiting robtex.
At the robtex site (link also available via URLVoid!) you can enter, for example:
http://www.robtex.com/ext/wot/wXw.inetgiant.com.html
You are then taken to the WOT scorecard for the mentioned domain… and see it is DETECTED

A good place to start your queries is here: http://www.urlvoid.com/
Insert the site to check:
Scanning site with: BrowserDefender CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts CLEAN
Scanning site with: Malware Center CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MalwareDomainList CLEAN
Scanning site with: McAfee SiteAdvisor CLEAN
Scanning site with: McAfee Trusted Source CLEAN
Scanning site with: MyWOT DETECTED
Scanning site with: Norton SafeWeb CLEAN
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: Project Honey Pot CLEAN
Scanning site with: SpamCop CLEAN
Scanning site with: Spamhaus CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard CLEAN
Scanning site with: ZeuS Tracker CLEAN

There are links there for further information; always keep NoScript and RequestPolicy active in the browser.
For people who know what they are doing: you can look up a link with Malzilla or go to jsunpack (only for experts!).
I sometimes perform a scan with a specific iFrame scanner;
there is also one at NoVirusThanks.org,
here: /images/spacer.gif

/TwitterCallBack.aspx?t=Free advertising! Free classifieds Free classified Ads Free Ads Free Internet advertising Free online advertising Email Advertising Online classifieds&u=htxp://www.inetgiant.com&i=-1

Specific queries for specific malware sites, for example:
htxp://www.malwaredomainlist.com/mdl.php?search=Eleonore&colsearch=Description&quantity=50
Do not click on anything inside that particular list, to avoid clicking on a live infection vector!!!

Remember to use Google search to your advantage, and stay sandboxed…
Example of a specific search: hxtp://testasp.acunetix.com/Search.asp?tfSearch=function+verify_passwords(password1%2C+password2)+{+%2F%2F+do+various+checks

Always give websites as htxp and/or wxw to prevent the unaware from clicking through and risking infection,
and give . as [dot] or *: malcreant*com, malicious[dot]eu.
Always give scripts as a cropped GIF image attached to your posting, else the avast shield may flag it,
and this could scare the ***** out of the unaware, even when it is just a script going nowhere…

There is more to it, folks: there is obfuscation to de-obfuscate, and there are specific aspects of code that give malicious intent away right away, like var document.write, inline script being outside the HTML (there is no reason for that),
iFrames, SQL injection, vulnerable PHP, WP, exploitable buffer overflows, second links hacked to redirect to
silent malware downloads, malicious script look-alikes with just slightly changed spelling, like -googleanalylics etc.
So good hunt, stay protected!

polonus


Thanks for posting the above information, Polonus, and I hope it helps those who read it. :slight_smile:


It definitely does help. I don't think many forums have someone like Polonus; great job as usual, thanks :wink:

All that shows is how unreliable MyWOT is. :wink:

+1

nmb

Hi friends,

“And how many friends he has here to inspire and assist him,”

pol

Hi malware fighters,

Interesting link on what to do on “robtex”: http://www.mywot.com/en/forum/6547-robtex-more-about

and searching link details inside Google with Unmask Parasites;
example of such a link search:
http://www.unmaskparasites.com/web-page-options/?url=http%3A//www.surveymonkey.com/s.aspx%3Fsm%3DmL50QPPLzq6c02DueSAd6Q_3d_3d (all benign)

polonus

Some more online malware-site analyzing tools:

Here are presented some freely available online tools that may assist with the reverse engineering process. One category of such tools performs automated behavioral analysis of the executables you supply. These applications look similar at first glance, but use different technologies on the back end. Consider submitting your malware specimen to several of these sites; depending on the specimen, some sites will be more effective than others. Such tools are:
http://anubis.iseclab.org/
http://www.cwsandbox.org/?page=submit now: http://www.mwanalysis.org/?site=1&page=submit
http://www.joebox.org/submit.php
http://www.norman.com/security_center/security_tools/submit_file/en
http://www.threatexpert.com/submit.aspx

Real-time assessment is provided by:
http://www.finjan.com/content.aspx?id=574
http://www.avg.com.au/resources/web-page-scanner/
http://wepawet.iseclab.org/

For those into this, a longer list is given here: http://zeltser.com/combating-malicious-software/lookup-malicious-websites.html

Then run under it Process Explorer, Process Monitor, Process Hacker, Wireshark, SmartSniff and, in my case, the latest version of Fiddler.

Automated analysis: http://zeltser.com/reverse-malware/automated-malware-analysis.html

enjoy,

polonus

Hi malware fighters,

An automated threat that has been claiming a lot of victims recently comes from the exploits packed and abused
in the so-called Phoenix toolkit:
Example of a detection on a site: http://safeweb.norton.com/report/show?url=foch-newnew.com%2Fimg%2F&x=8&y=8
The Phoenix Toolkit is a hacker kit that exploits several vulnerabilities to execute arbitrary code.
Category: Advanced. Severity: Critical. Reference: None. Application: Generic.
Vendor: None. Date: 05/10/2010. Severity of this attack vector is high.
This attack could pose a serious security threat.
One should take immediate action to stop any damage or prevent further damage from happening.
This signature detects attempts to download exploits from a malicious toolkit which may compromise a computer through various vendor vulnerabilities.
Affected: various systems and browsers, so update all vendor patches to the latest versions,
using the Secunia PSI online check: http://secunia.com/vulnerability_scanning/personal/

Below one can see a blocklist of recent findings and the accompanying malicious software that comes with it;
the first one listed is des.jar, see: htxp://forums.malwarebytes.org/index.php?s=7a54bbc1df31b937f84dcd1ba6034764&showtopic=51143&pid=253840&st=0&#entry253840 & https://www.virustotal.com/analisis/8e830691f67c49c99d18887ce39f59235d6203d9c5a55a327252f385ae89a2a5-1274477282

Also read this: http://www.malwaredomainlist.com/forums/index.php?topic=3806.0

polonus

Hi malware fighters,

Another scan mode at URLVoid you can use for detecting malware links on a specific site:
http://www.urlvoid.com/find-parasites/

So as an example I enter the link:
htXp://drawmohammed.com
(a defaced, hacked site because of blasphemous content, also with malicious redirecting links on it)

The scan is performed and then polonus gets the following links to check:

  1. A HREF htxp://www.sonpeygamber.info/index/index.php… SCAN
  2. A HREF htxp://www.Cyber-Warrior.Org/domain.asp SCAN
  3. A HREF htxp://www.turk-h.org/defacement/view/4135/d… SCAN
  4. A HREF htxp://www.google.com.tr/search?hl=tr&q=… SCAN

These can be scanned further there; as an example I give the scan result for the first link found:

  1. It gives as a result the message: “Domain does not exist or is inaccessible”;
    that is not true and should feed our suspicion, because instead of landing there,
    we are in the meantime redirected to a site with malcode…

as we can read, and as is explained, in the forum posting here:
http://forum.avast.com/index.php?topic=60274.0

Analyze your malsites well, malware fighters; polonus wishes you a good hunt. Keep those
NoScript and RequestPolicy visors up inside your Fx or Flock browser,
and have the avast shields in the background for your protection!

polonus
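Added example, not polonus's or URLVoid's code: the check described in the post above, written out in Python. It pulls the A HREF targets out of a page the way the find-parasites scan lists them, then walks each outbound link hop by hop, recording HTTP Location redirects, meta refresh, JavaScript location assignments and (hidden) iframes, so a link that a scanner reports as "inaccessible" can be told apart from one that silently forwards the visitor somewhere else. The fetch function is injected; the host names and responses below are constructed for the demo, and a live run should plug in an HTTP client that does not auto-follow redirects, from an isolated machine.

```python
"""Trace where a link found on a suspicious page really lands.

Added example for this thread, not polonus's or URLVoid's code. The host
names and responses are constructed; `fetch` is injected so the walk runs
offline here and against a real (non-auto-following) HTTP client in practice.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _HrefCollector(HTMLParser):
    """Collect A HREF targets, the same data the find-parasites scan lists."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def outbound_links(page_url, html):
    """Absolute hrefs that point off the page's own host."""
    c = _HrefCollector()
    c.feed(html)
    own = urlsplit(page_url).netloc.lower()
    links = []
    for h in c.hrefs:
        full = urljoin(page_url, h)
        if urlsplit(full).netloc.lower() not in ("", own):
            links.append(full)
    return links


# Static redirect indicators inside a response body.
_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
_JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
_IFRAME = re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\'][^>]*>', re.I)


def next_hop(url, status, headers, body):
    """(kind, target) of where this response sends the visitor next, or None
    for a genuine landing page. Iframes count: they load the target silently."""
    loc = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and loc:
        return ("http", urljoin(url, loc))
    for kind, pattern in (("meta-refresh", _META_REFRESH),
                          ("javascript", _JS_LOCATION),
                          ("iframe", _IFRAME)):
        m = pattern.search(body)
        if m:
            return (kind, urljoin(url, m.group(1)))
    return None


def trace(url, fetch, max_hops=8):
    """Follow every redirect kind from `url`. Returns [(url, kind_out), ...];
    kind_out is None on the final page. fetch(url) -> (status, headers, body)
    or raises OSError for an unreachable host, which is recorded and ends the walk."""
    chain, seen = [], set()
    while url and len(chain) < max_hops:
        if url in seen:
            chain.append((url, "loop"))
            break
        seen.add(url)
        try:
            status, headers, body = fetch(url)
        except OSError as exc:
            chain.append((url, f"unreachable: {exc}"))
            break
        hop = next_hop(url, status, headers, body)
        chain.append((url, hop[0] if hop else None))
        url = hop[1] if hop else None
    return chain


# Constructed scenario: a defaced page links to a "news" site that bounces
# through a hidden iframe and a 302 to an exploit-kit landing page.
SAMPLE_PAGE_URL = "http://defaced.example/"
SAMPLE_PAGE = """<html><body>
<a href="/about.html">about</a>
<a href="http://news.example/index/index.php">news</a>
<a href="http://search.example/?q=x">search</a>
</body></html>"""

SAMPLE_RESPONSES = {
    "http://news.example/index/index.php": (200, {"Content-Type": "text/html"},
        '<html><body>Loading<iframe src="http://bounce.example/go.php" '
        'width="1" height="1" style="visibility:hidden"></iframe></body></html>'),
    "http://bounce.example/go.php": (302, {"Location": "http://landing.example/in.cgi?3"}, ""),
    "http://landing.example/in.cgi?3": (200, {},
        '<script>document.location="http://kit.example/load.php"</script>'),
    "http://kit.example/load.php": (200, {}, "<html>exploit kit landing</html>"),
    "http://search.example/?q=x": (200, {}, "<html>results</html>"),
}


def fake_fetch(url):
    """Stand-in HTTP client; unknown hosts behave as 'inaccessible'."""
    if url not in SAMPLE_RESPONSES:
        raise OSError("name or service not known")
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for link in outbound_links(SAMPLE_PAGE_URL, SAMPLE_PAGE):
        print(link)
        for hop_url, kind in trace(link, fake_fetch):
            print("   ", hop_url, "->", kind or "final")
```

The point of recording the chain rather than only the last page is the one the post makes: a scanner that auto-follows (or gives up on) the first hop reports "inaccessible" or "clean", while the visitor's browser has already been handed to the third hop.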

Very informative thread. Thanks polonus!