
SANS ISC InfoSec Handlers Diary Blog


Bad url classification

Published: 2008-07-07
Last Updated: 2008-07-08 13:54:57 UTC
by Pedro Bueno (Version: 1)

Update: Some readers mentioned testing with a Referer header, which is quite commonly used by malware. In this case I only checked it through the original web page, capturing the traffic.

Update2: Some readers pointed out that this domain is registered through ESTDOMAINS, which is well known as the registrar of lots of websites serving malware.

Last weekend, I was playing around with some URLs/websites...

On one of those websites, I found an iframe that, at first glance, looked suspicious. It was highly obfuscated.

With the help of a nice tool called Malzilla, I was able to work out that it was actually pointing to hxxp:// . At the time I was checking, it wasn't really doing anything nasty, just a redirection to a website... maybe a counter... maybe a step to another infected site...

But what if my job was to classify that URL? What would be the right thing to do?

Let's go to the facts:

- First of all, it is obviously a kind of typosquatting on the Google brand...

- Google (through StopBadware) and McAfee SiteAdvisor show warnings on that link, so it may really not be a nice site.

- A whois lookup shows interesting information:

Smart LTD
    Valeriy        (
    ul. tulpanov 11
    Tel. +555.5555555

So, a fake phone number, the country is TJ, which is the country code for Tajikistan (!), and probably a fake address...

Besides all these facts, it was not really doing anything nasty (at the time of my research). Would it be fair to add this URL as "Bad"?

My answer is yes, because, putting all these together, you will notice that the dog is not barking, but it is definitely there... just waiting for the right time to bite you!
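The reasoning above (typosquatting on a brand, third-party warnings, and a whois record with a fake phone number and a country that does not match it) is a scoring problem: no single fact proves the site is malicious, but together they cross a threshold. The following is an added example written for this diary, not the author's tooling or any ISC code. The weights, the threshold, the brand list, the partial dialing-prefix table and the sample whois records are all assumptions; the hostname gooogle.com is a constructed placeholder, not the redacted domain from the diary.

```python
import re
from dataclasses import dataclass

# Brands to check for typosquatting (assumed list; extend as needed).
BRANDS = ("google", "paypal", "microsoft")

# Registrars with a bad reputation. ESTDOMAINS is the one named by readers
# in the diary's update; treating the set as a scoring signal is an assumption.
SUSPECT_REGISTRARS = {"estdomains"}

# Partial ISO 3166-1 alpha-2 -> international dialing prefix table
# (assumption: only the entries this example needs).
DIAL_PREFIX = {"TJ": "992", "US": "1", "DE": "49", "GB": "44"}


@dataclass
class WhoisRecord:
    registrant: str
    phone: str      # as printed in whois, e.g. "+555.5555555"
    country: str    # ISO country code, e.g. "TJ"
    registrar: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_match(hostname: str, brands=BRANDS):
    """Return the brand the hostname imitates, or None.

    Only the registrable label (left of the TLD) is examined. It counts as a
    typosquat when it is within edit distance 2 of a brand without being the
    brand itself, or when it embeds the brand with extra characters.
    """
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    label = labels[-2]
    for brand in brands:
        if label == brand:
            return None  # the brand's own domain
        if levenshtein(label, brand) <= 2 or brand in label:
            return brand
    return None


def phone_looks_fake(phone: str) -> bool:
    """Too short, or almost all the same digit (e.g. +555.5555555)."""
    digits = re.sub(r"\D", "", phone)
    return len(digits) < 7 or len(set(digits)) <= 2


def phone_country_mismatch(phone: str, country: str) -> bool:
    """True when the phone's dialing prefix does not belong to the registrant country."""
    digits = re.sub(r"\D", "", phone)
    prefix = DIAL_PREFIX.get(country.upper())
    return prefix is not None and not digits.startswith(prefix)


def classify_url(hostname: str, whois: WhoisRecord, blocklist_hits, threshold: int = 4) -> dict:
    """Combine weak signals into a score; 'bad' once the score reaches the threshold."""
    score, reasons = 0, []
    brand = typosquat_match(hostname)
    if brand:
        score += 2
        reasons.append(f"typosquat of {brand}")
    for source in blocklist_hits:
        score += 2
        reasons.append(f"flagged by {source}")
    if phone_looks_fake(whois.phone):
        score += 1
        reasons.append("fake-looking phone number")
    if phone_country_mismatch(whois.phone, whois.country):
        score += 1
        reasons.append(f"phone prefix does not match country {whois.country}")
    if whois.registrar.lower() in SUSPECT_REGISTRARS:
        score += 2
        reasons.append(f"registrar {whois.registrar} has a bad reputation")
    verdict = "bad" if score >= threshold else "unknown"
    return {"hostname": hostname, "score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample records (not real whois output).
SUSPICIOUS = WhoisRecord("Smart LTD", "+555.5555555", "TJ", "ESTDOMAINS")
LEGIT = WhoisRecord("Example Brand Owner", "+1.6505550100", "US", "Example Registrar")

if __name__ == "__main__":
    print(classify_url("gooogle.com", SUSPICIOUS, ["StopBadware", "McAfee SiteAdvisor"]))
    print(classify_url("google.com", LEGIT, []))
```

The brand-embedding rule deliberately errs toward flagging (a brand's own google-analytics style domains would match), so in practice it needs an allowlist of brand-owned domains; the point is that a site doing nothing visibly malicious today can still score as bad on registration data and reputation alone, which is exactly the diary's conclusion.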


Pedro Bueno ( pbueno //&&// isc. sans. org)

