Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: Secured Sector on November 14, 2007, 08:49:02 pm

Title: How to detect malicious sites?
Post by: Secured Sector on November 14, 2007, 08:49:02 pm
I am curious and would like to know how you guys find those malicious sites full with malware? A while ago I set up a malware honeypot with honeytrap on my vserver, however I was unable to catch even one piece of malware.
Title: Re: How to detect malicious sites?
Post by: sowhat-x on November 15, 2007, 01:23:50 am
Quote
I am curious and would like to know how you guys find those malicious sites full with malware?

* Now talking in #malwaredomainlist
* Topic is "*World Domination*"
* Set by JohnC on Tue Nov 15 05:15:26
* drone-infected-767 (rbn@81.95.144.182) has joined #malwaredomainlist
<sowhat-x> Two more hosts pwned,to be added to the list...

Lol,I really need to stop drinking that many coffees some of these days...
as it doesn't only hurt nerves and health,but my sense of humour also! ;D
====================================================
...Ok,beyond stupid jokes from someone who hasn't slept since yesterday...
quite a few ways to do so...usually though,
it's a matter of combining info gathered from different places...
and well,how can I say it...by no means the following is the 'best' method,
it's just my own way of doing things...
the important thing,is that you just go with the "flow" after a certain point...
A lot of people prefer digging into irc,as mentioned already,lol...
you can find all kinds of newer bots from there...
I don't really make much use of this method personally for a variety of reasons,
but I have to admit that it REALLY pays back once you get into it's flow...
Thereby,most of the time,instead of irc,I prefer the...http googling method,lol...

Checking block lists,either found on the net,or alternatively,
ripped from anti-spyware programs,lol...  ;)
is one of the easier things to start with...for example,
just yesterday I came across this excellent site which is daily updated...
http://malware.hiperlinks.com.br/
You can bet you'll come up with tons of exploits hosted in sites from the above example...
just move on to a machine in a Deep Freeze state or say VMWare,
and then fire-up your browser,Malzilla,lynx/wget with simple perl scripts,you name it...

Second thing that I check is descriptions for newer malware from AV products:
more than often,they post parts of the ip address,say like 209.134.123.xxx...
quite trivial to find the actual address.Most of the times though they avoid doing so...
but they'll have at least the original name,for example, data1.exe or zzz.scr etc.
You really won't believe the power of playing around with Google's operators,he-he...  :)
Not to mention that most of the times,one of the sample names in question,
will have been already mentioned in some security related-forum...
If the specific sample in question is not found...oh well,ok,
we'll find this one also at some moment later if that much interested...
what really matters is that you can be rest assured,
that you will at least come across malware using a similar naming convention:
they're spread everywhere...both malware,and luckily for us,bad ideas also...
eg.how many times malware authors use crappy names like 1.exe,test.exe,wmplayer.exe etc...

Third way,is exactly a list of these security-related forums...
if links are not directly listed say in order to protect not so technical users,
just by following threads/avatars and the like,
usually ends up in more than interesting blogs of individual researchers and the like.
Most of the time,people complain for the tons of malware coming from Russia and China...
but to speak the truth of it,most advanced reversers/coders out there,
come exactly from these countries...and in response to the aformentioned fact,
lots of them do a really excellent job in analysing shit like that...
There are more than a few "forces of good" out there,
"problem" is we haven't found yet a more effective way of being interconnected...
Things are changing though... 8)

The exact opposite of the above,
is actually one of the more important resources:script kiddie forums.
Having a knowledge of the newer tools they use/prefer,really helps a lot...
Especially spanish/russian speaking ones...
they seem to have developed a whole "culture",
related to sharing modded codes and distributing infected binaries...
chinese also,but you get all kinds of problems sorting out what's going on there,
as Google translate/Altavista aren't of any help...
And if you later decide "joining" them on irc/icq,
assuming they can speak english also...oh,that's where the fun begins... ;D

One of the easiest ways to be mentioned also...
if really bored,well,porn sites are also a good solution...
Besides enjoying the view of sexy naked women in the spare time, :D
it usually takes no more than half an hour to find yourself in the..."ms-exploit-land"...

Last,but certainly not least,and actually the most interesting part...
the malware executables themselves...what more to say,
unpacking,string searching,and there you are...more crap to download and unpack...
===================================
I'm really curious as to what other people have to say about honeypots though,
only very basic experience with them,haven't played much...
eg.which they've chosen to use and why,special configurations etc...
Title: Re: How to detect malicious sites?
Post by: JohnC on November 15, 2007, 10:08:02 am
What services was the honeypot running? Maybe you just had bad luck being on an IP range that isn't probed very often.

As for finding malware. People like to infect screensavers and cracks/keygens, so if you go looking for them you are normally sure to find some malware. Also as sowhat-x stated, porn sites are good for finding malware, a lot of TGPs have exploits, or direct to other sites with exploits. Once you have some malware you can investigate it further to look for any call home addresses. Often a group or individual will have multiple sites. So if you try to do some research on a malicious website you find, you will often find more like it.
Title: Re: How to detect malicious sites?
Post by: bobby on November 15, 2007, 05:13:21 pm
I'm running 24/7 Nepenthes honeypot.
You get some 1-10 new bots/worm per day (under new it is meant new MD5) if you set the honeypot properly.
Running honeypot in Virtual Machine (e.g. VMWare) won't catch anything unless you redirect all the incoming requests to the VM.
I use dedicated box as honeypot, and set up DMZ on router to point to this box.
Title: Re: How to detect malicious sites?
Post by: tjs on November 15, 2007, 06:20:25 pm
What IRC server is #malwaredomainlist on? :)
Title: Re: How to detect malicious sites?
Post by: CM_MWR on November 16, 2007, 12:33:48 am
Do tell which country you are from and how your ISP is set up.

If in a U.S. region and major ISP...nep is a waste of time without a buisness account.

I suspect bobby is from a country with much less restrictions and on an ISP that does a total of 0 port filtering.

As for how to find malicous sites,I wouldnt know anything about that.  ;)
Title: Re: How to detect malicious sites?
Post by: sowhat-x on November 16, 2007, 01:42:58 am
Quote
What IRC server is #malwaredomainlist on?  :)
Lol,it doesn't exist yet,it's a fictionary example...
(but not our plans for world domination,he-he...) ;)
At some moment though in the future,say when more people get involved,
it would be nice to set up a channel or so...
Title: Re: How to detect malicious sites?
Post by: Secured Sector on November 16, 2007, 09:52:05 am
@sowhat-x: Thanks for your detailed reply. I found another interesting site with malware block lists which might be of interest for you:

http://www.bleedingsnort.com/blackhole-dns/files/

This site offers a lot of files which are intended to block spyware and malware domains in various proxy and dns servers. 
Title: Re: How to detect malicious sites?
Post by: Secured Sector on November 16, 2007, 09:57:02 am
What services was the honeypot running? Maybe you just had bad luck being on an IP range that isn't probed very often.
I am using honeytrap with its default settings. Maybe you are right with your ip range assumption because I noticed that 90% of all connections made to my honeypot are dial-in or broadband users from a large German ISP.

Quote
As for finding malware. People like to infect screensavers and cracks/keygens, so if you go looking for them you are normally sure to find some malware. Also as sowhat-x stated, porn sites are good for finding malware, a lot of TGPs have exploits, or direct to other sites with exploits. Once you have some malware you can investigate it further to look for any call home addresses. Often a group or individual will have multiple sites. So if you try to do some research on a malicious website you find, you will often find more like it.
Thanks for the hint. I am also playing around with Google´s advanced search operators which often lead to interesting results.
Title: Re: How to detect malicious sites?
Post by: sowhat-x on November 16, 2007, 10:00:28 am
Quote
I found another interesting site with malware block lists which might be of interest for you...
Excellent! :)
p.s:...oh god...I'll never manage to get a normal sleep... :D

Quote
Maybe you are right with your ip range assumption...
...try also searching in the support pages/whatever similar of your ISP to see what's going...
keep in my mind a little extra digging might also be needed,at least it was in my case,
say by stepping through posts in dsl/broadband related discussion forums of your country...
Reason I'm saying this is,for example,by default,and supposedly for "security reasons",
my provider blocks incoming connections to quite a few ports,
eg.80,mysql,some p2p-related also...
Actual reason though is not that much that of security,but bandwidth...
they want to make it more difficult to run your own webserver with dyndns or so,
or utilize tons of traffic via eDonkey and the like...
they prefer having people paying them for "extra services" like that.
I have disabled these settings obviously,but it took me a while to find how to do so...
they avoided as hell giving info for this...more specifically,in the beginning,
they wouldn't even admit such a "protection" even existed...
Title: Re: How to detect malicious sites?
Post by: Secured Sector on November 16, 2007, 10:01:49 am
I'm running 24/7 Nepenthes honeypot.
I tried Nepenthes also but got nothing but hex dumps, so I moved over to Honeytrap.

Quote
You get some 1-10 new bots/worm per day (under new it is meant new MD5) if you set the honeypot properly.
Running honeypot in Virtual Machine (e.g. VMWare) won't catch anything unless you redirect all the incoming requests to the VM.
I use dedicated box as honeypot, and set up DMZ on router to point to this box.
I followed the Nepenthes setup instructions and installed it on my virtual server hosted by an ISP. My vserver is not secured by a firewall and is wide open to the internet so I guess I should have catched at least a few suspicious binaries.

Which ports did you forward on your router to your box? I will give it another try on my home Linux box which is located behind a firewall.

Title: Re: How to detect malicious sites?
Post by: JohnC on November 16, 2007, 01:24:05 pm
Do tell which country you are from and how your ISP is set up.

If in a U.S. region and major ISP...nep is a waste of time without a buisness account.

I suspect bobby is from a country with much less restrictions and on an ISP that does a total of 0 port filtering.

As for how to find malicous sites,I wouldnt know anything about that.  ;)

I experienced the port filtering on a home internet account in the UK. Didn't get much action sadly, but it is good that ISPs are taking steps to help prevent users becoming infected.
Title: Re: How to detect malicious sites?
Post by: bobby on November 16, 2007, 11:05:03 pm
I tried Nepenthes also but got nothing but hex dumps, so I moved over to Honeytrap.
Most of the shellcodes are using FTP protocol to download executables to you PC.
FTP Client needs to know your WAN IP in order to function properly.
You need to edit download-ftp.conf, and type your external IP (WAN IP).

Quote
I followed the Nepenthes setup instructions and installed it on my virtual server hosted by an ISP. My vserver is not secured by a firewall and is wide open to the internet so I guess I should have catched at least a few suspicious binaries.

Which ports did you forward on your router to your box? I will give it another try on my home Linux box which is located behind a firewall.
I did not forward any particular port. My router can setup a DMZ (Demilitarized Zone) for any of the PCs behind the router. Thats the simplest and 'just working' setup.
I have some cheap router, so I guess every router have that DMZ option.

As for Honeytrap - in my case from dozen of downloaded binaries just a couple was complete, the rest was corrupted. Thats from testing it for 24 hours. I got back to Nepenthes.
Title: Re: How to detect malicious sites?
Post by: Drusepth on November 17, 2007, 07:11:13 pm
Quote
What IRC server is #malwaredomainlist on?  :)
Lol,it doesn't exist yet,it's a fictionary example...
(but not our plans for world domination,he-he...) ;)
At some moment though in the future,say when more people get involved,
it would be nice to set up a channel or so...


Ah, I saw this and was like, "Whoa, there's an IRC channel now?"
A channel would be a sweet idea though, when there are more people.  :)
Title: Re: How to detect malicious sites?
Post by: Atribune on March 14, 2008, 03:38:36 am
Hate to drudge up an old thread but if you are interested John you could start a channel on the wyldryde irc network irc.wyldryde.org lots of the free anti-malware forums have channels there.
Title: Re: How to detect malicious sites?
Post by: MysteryFCM on March 14, 2008, 04:45:14 am
Good to see you over here dude :)
Title: Re: How to detect malicious sites?
Post by: JohnC on March 14, 2008, 01:53:56 pm
Hate to drudge up an old thread but if you are interested John you could start a channel on the wyldryde irc network irc.wyldryde.org lots of the free anti-malware forums have channels there.

Thanks for the suggestion  :)