
SANS ISC InfoSec Handlers Diary Blog



Bad url classification

Published: 2008-07-07
Last Updated: 2008-07-08 13:54:57 UTC
by Pedro Bueno (Version: 1)

Update: Some readers wrote about testing with a Referer header, which is commonly used by malware. In this case I only checked it through the original webpage, capturing the traffic.

Update2: Some readers pointed out that this domain is registered through ESTDOMAINS, which is well known as the registrar of many websites serving malware.

Last weekend, I was playing around with some URLs/websites...

On one of those websites, I found an iframe that, at first glance, looked suspicious. It was highly obfuscated.

With the help of a nice tool called Malzilla, I was able to work out that it was actually pointing to hxxp://google-stat.net/stat/stat.php. At the time I was checking, it wasn't really doing anything nasty, just a redirection to the google.com website... maybe a counter... maybe a step to another infected site...

But what if my job was to classify that URL? What would be the right thing to do?

Let's go to the facts:

- First of all, it is obviously a kind of typosquatting on the Google brand...

- Google (through StopBadware) and McAfee SiteAdvisor show warnings on that link, so it may really not be a nice site.

- A whois shows interesting information:

Smart LTD
    Valeriy        (orensmm@gmail.com)
    ul. tulpanov 11
    Karategin
    Karategin,555555
    TJ
    Tel. +555.5555555

So: a fake phone number, the country is TJ, which is the country code of Tajikistan(!), and probably a fake address...

Besides all these facts, it was not really doing anything nasty (at the time of my research). Would it be fair to add this URL as "Bad"?

My answer is yes, because putting all these together, you will notice that the dog is not barking, but it is definitely there... just waiting for the right time to bite you!
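The diary reaches its verdict by stacking several weak signals (brand typosquatting, third-party warnings, a placeholder phone number and postal code, a registrar with a bad reputation) rather than by observing malicious behaviour. The script below is an added example, not code from the diary or from ISC, that turns those signals into a repeatable classifier. The whois record is reconstructed from the fields shown above; the brand watchlist, the registrar watchlist, the placeholder heuristic and the verdict thresholds are assumptions chosen for illustration.

```python
import re

# Whois record reconstructed from the diary post (registrar from Update2).
WHOIS_GOOGLE_STAT = {
    "domain": "google-stat.net",
    "registrant_org": "Smart LTD",
    "registrant_name": "Valeriy",
    "email": "orensmm@gmail.com",
    "street": "ul. tulpanov 11",
    "city": "Karategin",
    "postal_code": "555555",
    "country": "TJ",
    "phone": "+555.5555555",
    "registrar": "ESTDOMAINS",
}

# Constructed control record with ordinary-looking contact data.
CLEAN_RECORD = {
    "domain": "example.com",
    "registrant_org": "Example Org",
    "registrant_name": "Jane Doe",
    "email": "hostmaster@example.com",
    "street": "1 Example Street",
    "city": "Washington",
    "postal_code": "20500",
    "country": "US",
    "phone": "+1.2025551234",
    "registrar": "Example Registrar",
}

# Hypothetical watchlists; a real deployment would load these from a feed.
PROTECTED_BRANDS = ("google", "paypal", "microsoft")
FLAGGED_REGISTRARS = {"ESTDOMAINS"}


def brand_typosquat(domain, brands=PROTECTED_BRANDS):
    """Return the brand embedded in the second-level label if the label is not
    the brand itself, e.g. 'google-stat.net' -> 'google'; otherwise None."""
    labels = domain.lower().strip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in brands:
        if brand in sld and sld != brand:
            return brand
    return None


def placeholder_value(value):
    """Heuristic for filler contact data: five or more digits that are all the
    same digit (555555, +555.5555555). Assumption: real numbers rarely look so."""
    digits = re.sub(r"\D", "", value)
    return len(digits) >= 5 and len(set(digits)) == 1


def score_whois(record):
    """Collect the reasons a whois record looks untrustworthy."""
    reasons = []
    brand = brand_typosquat(record["domain"])
    if brand:
        reasons.append(f"typosquat of brand '{brand}'")
    if placeholder_value(record["phone"]):
        reasons.append("placeholder phone number")
    if placeholder_value(record["postal_code"]):
        reasons.append("placeholder postal code")
    if record["registrar"].upper() in FLAGGED_REGISTRARS:
        reasons.append(f"registrar on watchlist: {record['registrar']}")
    return reasons


def classify(record, external_warnings=()):
    """Combine whois signals with third-party verdicts (e.g. StopBadware,
    SiteAdvisor). Assumed thresholds: two or more reasons -> 'bad',
    one -> 'suspicious', none -> 'unknown'."""
    reasons = score_whois(record)
    reasons += [f"external warning: {source}" for source in external_warnings]
    if len(reasons) >= 2:
        verdict = "bad"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "unknown"
    return verdict, reasons


if __name__ == "__main__":
    for rec, warnings in ((WHOIS_GOOGLE_STAT, ("StopBadware", "McAfee SiteAdvisor")),
                          (CLEAN_RECORD, ())):
        verdict, reasons = classify(rec, warnings)
        print(rec["domain"], "->", verdict)
        for r in reasons:
            print("   ", r)
```

The point of keeping the reasons alongside the verdict is that a reviewer can see which signal tipped the decision; a single placeholder phone number on its own only earns "suspicious", which matches the diary's argument that it is the combination of facts, not any one of them, that justifies a "Bad" label.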

---------------------------------------------------------------------------------------

Pedro Bueno ( pbueno //&&// isc. sans. org)

