NFTF: Useful URLs for malware investigations


Figured I’d keep a copy of this on here for the next time I need to do malware investigation. 

 

http://www.urlvoid.com – checks URLs against lots of blacklists (emergingthreats, malwaredomainlist, zeustracker, etc.)

http://www.ipvoid.com – Same as above but for IP addresses

http://support.clean-mx.de – Searches the above databases and records logs of abuse claims. Useful as it can sometimes give you extra URIs for a host to comb your logs for. It also gives you the date that its crawler was last able to pull down the malicious binary.

http://hosts-file.net/ – Provides an assessment according to the type of nastiness a domain or IP is associated with.

http://www.malwaredomains.com – Provides a DNS blacklist. Head to the downloads page, open the text file version and CTRL-F to search. It will give the reason for blocking (e.g. listed in emergingthreats.net) along with the date.

http://www.malwaredomainlist.com – Provides a listing of hosts and IPs known to be associated with malware.

http://www.emergingthreats.net – Provides Snort rules configured to detect malicious traffic/hosts.

http://www.robtex.com – Advanced DNS lookups: links hosts to nameservers, and can give aliases and associated subdomains as well as any shared hosts.

http://www.network-tools.com – Basic network tools (whois, DNS, traceroute, etc.), useful for performing checks NOT from your own IP :)

http://www.zeustracker.com – lists Zeus C&C nodes

http://www.spyeyetracker.com – lists SpyEye C&C nodes

 

Be careful if you use any of these tools on the affected network: the request parameters will often contain the hostname or IP you’re looking for, which means they’ll flag you up as an infected laptop without looking at the actual URL you’re browsing to (happened to me previously).

*10/06/12 – Correction courtesy of Steven B: I originally had “hp-hosts.com” listed instead of hosts-file.net, thanks for the heads up.
