Update: Some readers told me about testing with a referer, which is used quite often by malware. In this case I only checked it through the original webpage, capturing the traffic.

Update2: Some readers pointed out that this domain is registered by ESTDOMAINS, which is well known to be the registrar of lots of websites serving malware.

Last weekend, I was playing around with some URLs/websites... On one of those websites, I found an iframe that, at first glance, looked suspicious. It was highly obfuscated. With help from a nice tool called Malzilla, I was able to see that it was actually pointing to hxxp://google-stat.net/stat/stat.php .

At the time I was checking, it wasn't really doing anything nasty, just a redirection to the google.com website... maybe a counter... maybe a step to another infected site...

But what if my job was to classify that URL? What would be the right thing to do?

Let's go to the facts:

- First of all, it is obviously a kind of typosquatting on the Google brand...
- Google (through stopbadware) and McAfee SiteAdvisor show warnings on that link, so it may really not be a nice site.
- A whois shows interesting information:

Smart LTD

So, a fake phone number, the country is TJ, which is the country code of Tajikistan(!), and probably a fake address...

Besides all these facts, it was not really doing anything nasty (at the time of my research). Would it be fair to add this URL as "Bad"?

My answer is yes, because putting all these together, you will notice that the dog is not barking, but it is definitely there... just waiting for the right time to bite you!

---------------------------------------------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org)
Pedro, ISC Handler, Jul 8th 2008
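The reasoning in the diary, rating a URL on circumstantial evidence while it is not yet serving anything malicious, can be written down as a small triage routine. This is an added example, not code from the original post; the brand allowlist, signal weights, threshold and function names are all assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: registrable domains each brand really owns.
BRANDS = {"google": {"google.com"}, "mcafee": {"mcafee.com"}}

# Assumed weights for the kinds of evidence listed in the diary.
WEIGHTS = {
    "brand_lookalike": 3,     # brand name inside a domain the brand does not own
    "reputation_warning": 2,  # per independent reputation service that warns
    "whois_suspicious": 2,    # implausible registrant contact details
    "obfuscated_iframe": 2,   # URL was reached through an obfuscated iframe
}
BAD_THRESHOLD = 5  # assumed cut-off for a "bad" verdict


def registrable(host):
    """Naive last-two-labels domain; a real tool would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def brand_lookalike(url):
    """Return the brand a hostname imitates, or None if it imitates none."""
    refanged = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    host = (urlsplit(refanged).hostname or "").lower()
    tokens = set(re.split(r"[.\-_]", host))
    for brand, owned in BRANDS.items():
        if brand in tokens and registrable(host) not in owned:
            return brand
    return None


def classify(url, reputation_hits=0, whois_suspicious=False, obfuscated_iframe=False):
    """Combine circumstantial signals into (verdict, score, reasons)."""
    found = {
        "brand_lookalike": 1 if brand_lookalike(url) else 0,
        "reputation_warning": reputation_hits,
        "whois_suspicious": int(whois_suspicious),
        "obfuscated_iframe": int(obfuscated_iframe),
    }
    reasons = [name for name, count in found.items() if count]
    score = sum(WEIGHTS[name] * count for name, count in found.items())
    if score >= BAD_THRESHOLD:
        return "bad", score, reasons
    return ("suspicious" if score else "unrated"), score, reasons
```

With the signals from the diary (two reputation warnings, suspicious whois, obfuscated iframe), the URL is rated "bad" even though no malicious payload was observed.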