As most of us know, investigation and verification of data plays a critical role in protecting our assets. Blind faith in what others say or do may of course lead to a call from a C-level asking why his VP of sales can't get to his favorite vacation blog. Today's diary (and the updates that will follow) will share some of the process and findings of my investigation into the wonderful list of domains that was produced by F-Secure, which we have previously mentioned.
Process used (this will change with time):
1. Get the list.
2. Code horrible code to do my bidding for me.
3. Code first does a whois against a domain in the list.
6. Capture the results and parse out the details we want (the registrar).
5. Print domain/registrar to a text file.
What is left to do:
Add DNS resolution
Begin poking at the IPs and the infrastructure surrounding them.
Try to discern between the different categories of actors we are looking for (researchers, "bad guys", domainers).
Share results (and possibly code, if it isn't too embarrassing).
Things to note:
If you are blocking any of these domains based on resolution, you may want to know that some ccTLDs use wildcards. I found out while writing some Python to perform DNS resolution that the .ws ccTLD does just this. So please do be aware that .ws uses such a setup, and it will always resolve any .ws domain.
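The wildcard caveat above can be checked rather than remembered. The following is an added example, not the diary's own script: before trusting that a listed domain "resolves", it probes the domain's TLD with a couple of random, almost certainly unregistered labels, and flags any domain whose answer merely matches the TLD's wildcard answer. The `resolver` parameter is an assumption that lets the check run against a stand-in resolver; the addresses in the comments are constructed sample values.

```python
import random
import socket
import string


def resolve(name):
    """Return the sorted list of IPv4 addresses for name, [] on NXDOMAIN or lookup failure."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def random_label(length=16):
    """A random lowercase label; the odds that it is a registered name are negligible."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def wildcard_answers(tld, resolver=resolve, probes=2):
    """Resolve a few random names under the TLD.

    If every probe returns the same non-empty answer, the TLD is wildcarded and that
    answer (e.g. a constructed ["192.0.2.1"]) is returned; otherwise None.
    """
    answers = {tuple(resolver(f"{random_label()}.{tld}")) for _ in range(probes)}
    if len(answers) == 1:
        (only,) = answers
        if only:
            return list(only)
    return None


def classify(domains, resolver=resolve):
    """Map each domain to ("nxdomain" | "wildcard" | "resolves", ips).

    "wildcard" means the domain's answer is indistinguishable from the TLD's
    catch-all, so it is not evidence that the domain is actually registered.
    """
    tld_wildcards = {}   # cache: one probe set per TLD, not per domain
    result = {}
    for domain in domains:
        tld = domain.rsplit(".", 1)[-1].lower()
        if tld not in tld_wildcards:
            tld_wildcards[tld] = wildcard_answers(tld, resolver)
        ips = resolver(domain)
        if not ips:
            result[domain] = ("nxdomain", ips)
        elif tld_wildcards[tld] is not None and ips == tld_wildcards[tld]:
            result[domain] = ("wildcard", ips)
        else:
            result[domain] = ("resolves", ips)
    return result
```

Domains tagged "wildcard" should be kept on a list only on the strength of the whois data, not because they answered a DNS query.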
Jan 17th 2009