How can we use this service in detecting malicious domains?

See: http://xml.ssdsandbox.net/dnslookup-dnsdb/
http://centralops.net/co/NsLookup.aspx
http://www.kloth.net/services/nslookup.php
This is part of the passive cold reconnaissance method…
http://www.subnetonline.com/pages/network-tools/online-nslookup.php
For instance this DNS server handling your query: localhost
DNS server’s address: 127.0.0.1#53

** server can’t find http:cstracking1.com: NXDOMAIN (no resource record found for a query - DNS hacking involved?)
trying to find data on htxp://cstracking1.com/cgi-bin/CScash.cgi/etc.
personal site with sites dot google dot com (found as
a second header location redirect…
IDS alert for ET RBN Known Russian Business Network IP (139) severity 3

also see: http://www.webstatschecker.com/stats/domain/xml.ssdsandbox.net

polonus

Of course we have to establish if the server is a dedicated server or not: http://www.robtex.com/ip/
Simply see if there is one site or how many more sites show up.
What is also important is domain registration info and server migrational patterns.
If these data have been collected over a period of time we can do our extrapolations.

polonus

Here I checked this unknown_html_RFI_eval malware on: htxp://js.tongji.linezing.com/2259080/tongji.js
HTTP Status 404 - /domain/%20htxp://js.tongji.linezing.com/2259080/tongji.js

type Status report

message /domain/%20htxp://js.tongji.linezing.com/2259080/tongji.js

description The requested resource (/domain/%20http://js.tongji.linezing.com/2259080/tongji.js) is not available.
Flagged by WOT http://www.mywot.com/en/scorecard/js.tongji.linezing.com?utm_source=addon&utm_content=warn-viewsc
exploit site and four red flags …dangerous site…

header re-direct via Via: htxp/1.1 cn11 (ApacheTrafficServer/3.0.2 [cMsSfW]) (the former Yahoo commercial web-cache server)
DNS server handling your query: localhost
DNS server’s address: 127.0.0.1#53 11004 [11004] Valid name, no data record (check DNS setup)

** server can’t find http1.1cn11: NXDOMAIN
Now this seems a dedicated server http://11-1.cn.dedicatedornot.com/
The requested resource is not available…
There was a trojan downloader from there that avast did not detect:
https://www.virustotal.com/file/9d8052c0e347ad351ae93c61acb5ba7f9bbc89a500c9e66b4b90292a935af7a2/analysis/1258816943/

polonus

Here we have a Zeus CC server, located at 178.168.4.10
See: http://urlquery.net/report.php?id=135648
According to zeus tracker it is bullet proof hosted level 1
Valuable info also listed here: http://www.spamhaus.org/sbl/query/SBL151137
also listed on the Spamhaus Botnet C&C List (BGPCC)
see: http://www.peeringdb.com/view.php?asn=31252
dedicated server: http://178.168.4.10.dedicatedornot.com/

polonus

Next step here is that I will introduce a couple of other resources to combine in our IP investigations. All this data can be combined with data that come from particular malware analysis (wepawet, anubis, comodo site-inspector, non-commercial ones like scumware dot org, safersite.de etc. etc.) Then there are special resources security researchers use and these can be used additionally. First we introduce sitevet at http://sitevet.com/ that can also be used as a research tool.
Then we have http://hosts-file.net/?s= followed by a particular IP, a resource that is being used by a lot of other resources (e.g. badmalweb).
First we should start out with the data we get from robtex, then we could compare what they have on http://www.ipillion.com/
For attack patterns we could also visit bizimbal’s Offensive IP Database Query Page at http://www.bizimbal.com/
Of course we google up on the data we stumble upon in combination with other information (logs, IDS alerts, etc. etc.)
Let us start with a suspicious example like: 613843 2012-08-18 goooooooglee dot com 202.59.152.107 38186 htxp://goooooooglee.com/delltvn/

http://hosts-file.net/?s=222.122.193.75 (and we find 1 additional match there: which is a PHISH domain, see: http://hosts-file.net/?s=222.122.193.75&view=matches (details given here: http://hosts-file.net/?s=me2.do)
AS info: http://cidr-report.org/cgi-bin/as-report?as=AS4766
Now we visit sitevet: http://sitevet.com/db/asn/AS4766 (this could be one of the Blacklisted URLs: 1521, consisting of malicious URLs, badware, exploit servers, Current Events & spam bots. We find no match for the IP at Offensive IP Database and no complaints about this IP
here: http://www.ipillion.com/ip/222.122.193.75 We do a blacklist check here: http://www.dnsbls.com/me2.do
DNS Cook won’t help us further: http://www.dnscook.net/hostip.php/222.122.193.75 (we are entering at the border of forensics)
Nothing so look at the GET requests information here: http://urlquery.net/report.php?id=136806
static.naver.com will turn up this exploit been used: https://bitbucket.org/jrossi/metasploit/src/tip/data/exploits/capture/http/forms/naver.com.txt
What about GET /u%7Bhttp://me2do.naver dot com/unknownUrl.nhn%7D we get a location.replace(“/customer/index.nhn”);

So here we are stuck and it appears that our IP should be 199.188.110.29 (see: http://urlquery.net/report.php?id=129588)
here we see it given as a PHISH http://www.mywot.com/en/scorecard/goooooooglee.com?utm_source=addon&utm_content=popup-donuts
NINCtMouserOverScript directs to htxp://ct2.shinobi.jp/im/1621704?64909 going to a malicious PNG see attached image

Here we see the URL resolve again to IP 202.59.152.107
http://sitecheck.sucuri.net/results/goooooooglee.com/
So now we check here: http://www.robtex.com/dns/goooooooglee.com.html#result we get a non-reverse and proxy-registered route object
Very strange looking non-announced http://www.robtex.com/ip/202.59.152.107.html
This turns up nothing: http://www.robtex.com/ip/199.188.110.29.htm
and we land at a private customer in China? http://iplocationtools.com/199.188.110.29.html (listed with IP.v4BL.org
Same here: http://percise-ip-search.info/lookup.jsp?ip=199.188.110.29 So we do not have to do a round-robin on this one
See: http://www.phishtank.com/asn_search.php?asn=AS54600&valid=All&active=All&Search=Search

Conclusion shady PHISH,

polonus

So one thing leads to another…
As an extra something additional about the code in the image attached to my previous posting. There we stumbled on this tool: axad.shinobi.jp
忍者TOOLS and then we land here at this analysis: http://www.threatexpert.com/report.aspx?md5=69114c2bbf4a31701f83b2a1e36632c5
Malware and another interesting resource for us we have here: http://www.projecthoneypot.org/ip_222.88.95.11
And here we get the reward for our searching excavations, we delve up a bad host appearance also for our IP from the previous investigation: http://www.projecthoneypot.org/ip_202.59.152.107 e.g. 1 appearance(s) in spam e-mail or spam post urls and that was 2 weeks ago approx.
So folks, remember this projecthoneypot.org query in your quests and hunts!

polonus

Let us proceed with our investigation links, for instance see: http://www.servertrackr.com/ip/202.59.152.107
This is also a nice set http://www.dnsstuff.com/ http://www.dnsstuff.com/tools#ipInformation/type=domain&&value=202.59.152.107&&
And we cannot do without the SuperTool of course: http://www.mxtoolbox.com/SuperTool.aspx?action=arin%3A202.59.152.107
Then we do a monitoring website service: http://host-tracker.com/check_res_ajx/11046073-0/ for our round 41 fail

polonus

Hi folks,

The ThreatExpert link went. Here is the cached result (thanks Google for their cache): http://webcache.googleusercontent.com/search?q=cache:36Q8VqChq3YJ:www.threatexpert.com/report.aspx%3Fmd5%3D69114c2bbf4a31701f83b2a1e36632c5+http://www.threatexpert.com/report.aspx%3Fmd5%3D69114c2bbf4a31701f83b2a1e36632c5&cd=1&hl=nl&ct=clnk&gl=nl

polonus