I am curious and would like to know how you guys find those malicious sites full of malware?
* Now talking in #malwaredomainlist
* Topic is "*World Domination*"
* Set by JohnC on Tue Nov 15 05:15:26
* drone-infected-767 (rbn@81.95.144.182) has joined #malwaredomainlist
<sowhat-x> Two more hosts pwned, to be added to the list...
Lol, I really need to stop drinking that many coffees some of these days...
as it doesn't only hurt nerves and health, but my sense of humour also!

====================================================
...Ok, beyond stupid jokes from someone who hasn't slept since yesterday...
quite a few ways to do so... usually though,
it's a matter of combining info gathered from different places...
and well, how can I say it... by no means is the following the 'best' method,
it's just my own way of doing things...
the important thing is that you just go with the "flow" after a certain point...
A lot of people prefer digging into irc, as mentioned already, lol...
you can find all kinds of newer bots from there...
I don't really make much use of this method personally for a variety of reasons,
but I have to admit that it REALLY pays back once you get into its flow...
Thereby, most of the time, instead of irc, I prefer the... http googling method, lol...
Checking block lists, either found on the net, or alternatively,
ripped from anti-spyware programs, lol...
is one of the easier things to start with... for example,
just yesterday I came across this excellent site which is updated daily...
http://malware.hiperlinks.com.br/
You can bet you'll come up with tons of exploits hosted in sites from the above example...
just move on to a machine in a Deep Freeze state or say VMWare,
and then fire up your browser, Malzilla, lynx/wget with simple perl scripts, you name it...
Second thing that I check is descriptions of newer malware from AV products:
more often than not, they post parts of the ip address, say like 209.134.123.xxx...
quite trivial to find the actual address. Most of the time though they avoid doing so...
but they'll have at least the original name, for example data1.exe or zzz.scr etc.
You really won't believe the power of playing around with Google's operators, he-he...

Not to mention that most of the time, one of the sample names in question
will have already been mentioned in some security-related forum...
If the specific sample in question is not found... oh well, ok,
we'll find this one also at some moment later if that much interested...
what really matters is that you can rest assured
that you will at least come across malware using a similar naming convention:
they're spread everywhere... both malware, and luckily for us, bad ideas also...
e.g. how many times malware authors use crappy names like 1.exe, test.exe, wmplayer.exe etc...
Third way is exactly a list of these security-related forums...
if links are not directly listed, say in order to protect not so technical users,
just following threads/avatars and the like
usually ends up in more than interesting blogs of individual researchers and the like.
Most of the time, people complain about the tons of malware coming from Russia and China...
but to tell the truth, most advanced reversers/coders out there
come exactly from these countries... and in response to the aforementioned fact,
lots of them do a really excellent job in analysing shit like that...
There are more than a few "forces of good" out there,
the "problem" is we haven't found yet a more effective way of being interconnected...
Things are changing though...

The exact opposite of the above
is actually one of the more important resources: script kiddie forums.
Having knowledge of the newer tools they use/prefer really helps a lot...
Especially Spanish/Russian speaking ones...
they seem to have developed a whole "culture"
related to sharing modded codes and distributing infected binaries...
Chinese also, but you get all kinds of problems sorting out what's going on there,
as Google Translate/Altavista aren't of any help...
And if you later decide on "joining" them on irc/icq,
assuming they can speak English also... oh, that's where the fun begins...

One of the easiest ways to be mentioned also...
if really bored, well, porn sites are also a good solution...
Besides enjoying the view of sexy naked women in the spare time,
it usually takes no more than half an hour to find yourself in the... "ms-exploit-land"...
Last, but certainly not least, and actually the most interesting part...
the malware executables themselves... what more to say,
unpacking, string searching, and there you are... more crap to download and unpack...
===================================
I'm really curious as to what other people have to say about honeypots though,
only very basic experience with them, haven't played much...
e.g. which they've chosen to use and why, special configurations etc...
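The AV write-up angle from the post (a redacted range like 209.134.123.xxx, dropped-file names such as data1.exe or zzz.scr, and the lazy 1.exe/test.exe/wmplayer.exe convention) turned into a defender-side check, as an added example that is not part of the original post: it pulls those indicators out of a constructed write-up and flags matching requests in constructed proxy log lines. The write-up text, the log lines and the assumption that a redacted last octet means "the whole /24" are all my own constructions, not anything the poster or malwaredomainlist published.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit
# Constructed stand-in for an AV write-up that redacts the last octet and names the dropped files.
AV_WRITEUP = """
The trojan is fetched from hxxp://209.134.123.xxx/data1.exe and then drops
a second stage named zzz.scr into the system directory.
"""
# Low-effort names the post says keep reappearing across unrelated campaigns.
GENERIC_NAMES = {"1.exe", "test.exe", "wmplayer.exe"}
# 209.134.123.xxx or 209.134.123.* -> capture the three known octets (assumption: treat it as a /24)
PARTIAL_IP_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(?:x+|\*)(?!\w)", re.I)
FILENAME_RE = re.compile(r"\b([\w\-]+\.(?:exe|scr|dll))\b", re.I)

def extract_indicators(text):
    """Turn write-up text into (/24 networks, lower-cased filenames) to match logs against."""
    nets = {ip_network(f"{a}.{b}.{c}.0/24") for a, b, c in PARTIAL_IP_RE.findall(text)}
    names = {m.lower() for m in FILENAME_RE.findall(text)}
    return nets, names

def flag_request(url, nets, names):
    """Return a reason string if a proxied URL matches an indicator, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    fname = parts.path.rsplit("/", 1)[-1].lower()
    try:
        if any(ip_address(host) in n for n in nets):
            return f"host in redacted range: {host}"
    except ValueError:
        pass  # host is a DNS name, not an IP literal; fall through to the filename rules
    if fname in names:
        return f"filename from write-up: {fname}"
    if fname in GENERIC_NAMES:
        return f"generic dropper name: {fname}"
    return None

# Constructed proxy log lines: "<client> <method> <url>".
SAMPLE_LOG = [
    "10.0.0.5 GET http://209.134.123.57/update.bin",
    "10.0.0.7 GET http://cdn.example.net/ZZZ.scr",
    "10.0.0.9 GET http://files.example.org/wmplayer.exe",
    "10.0.0.9 GET http://www.example.com/index.html",
]

def find_hits(log=SAMPLE_LOG, writeup=AV_WRITEUP):
    """Return [(url, reason)] for every log line that trips one of the rules above."""
    nets, names = extract_indicators(writeup)
    urls = [line.split()[-1] for line in log]
    return [(u, r) for u in urls if (r := flag_request(u, nets, names))]
```

Three of the four constructed log lines are flagged; the plain index.html request passes untouched, which is the point of keeping the generic-name list short.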