{"id":678,"date":"2012-05-16T17:21:45","date_gmt":"2012-05-16T16:21:45","guid":{"rendered":"http:\/\/www.phillips321.co.uk\/?p=678"},"modified":"2012-05-17T11:28:36","modified_gmt":"2012-05-17T10:28:36","slug":"nftf-useful-urls-for-malware-investigations","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/05\/16\/nftf-useful-urls-for-malware-investigations\/","title":{"rendered":"NFTF: Useful urls for malware investigations"},"content":{"rendered":"<p>Figured I\u2019d keep a copy of this on here for the next time I need to do malware investigation.<\/p>\n<ul>\n<li><a href=\"http:\/\/www.urlvoid.com\" target=\"_blank\">urlvoid.com<\/a> \u2013 checks URLs against lots of blacklists, emergingthreats, malwaredomainlist and zeustracker\/etc\u2026<\/li>\n<li><a href=\"http:\/\/www.ipvoid.com\" target=\"_blank\">ipvoid.com<\/a> \u2013 Same as above but for IP addresses<\/li>\n<li><a href=\"http:\/\/support.clean-mx.de\" target=\"_blank\">support.clean-mx.de<\/a> \u2013 Searches the above databases and records logs of abuse claims. Useful as it can sometimes give you extra URIs for a host to comb your logs for. Also usefully gives you the date that its crawler was last able to pull down the malicious binary.<\/li>\n<li><a href=\"http:\/\/www.hphosts.com\" target=\"_blank\">hphosts.com<\/a> \u2013 Provides an assessment according to the type of nastiness a domain or IP is associated with.<\/li>\n<li><a href=\"http:\/\/www.malwaredomains.com\" target=\"_blank\">malwaredomains.com<\/a> \u2013 Provides a DNS blacklist. Head to the downloads page, open the text file version and CTRL-F to search. Gives the reason for blocking (e.g. 
listed in emergingthreats.net) along with the date.<\/li>\n<li><a href=\"http:\/\/www.malwaredomainlist.com\" target=\"_blank\">malwaredomainlist.com<\/a> \u2013 Provides a listing of hosts and IPs known to be associated with malware.<\/li>\n<li><a href=\"http:\/\/www.emergingthreats.net\" target=\"_blank\">emergingthreats.net<\/a> \u2013 Provides Snort rules configured to detect malicious traffic\/hosts.<\/li>\n<li><a href=\"http:\/\/www.robtex.com\" target=\"_blank\">robtex.com<\/a> \u2013 Advanced DNS lookups, links hosts to nameservers, can give aliases and associated subdomains as well as any shared hosts.<\/li>\n<li><a href=\"http:\/\/www.network-tools.com\" target=\"_blank\">network-tools.com<\/a> \u2013 Basic network tools: whois, DNS, traceroute, etc. Useful for performing checks NOT from your own IP.<\/li>\n<li><a href=\"http:\/\/www.zeustracker.com\" target=\"_blank\">zeustracker.com<\/a> \u2013 lists Zeus C&#038;C nodes<\/li>\n<li><a href=\"http:\/\/www.spyeyetracker.com\" target=\"_blank\">spyeyetracker.com<\/a> \u2013 lists SpyEye C&#038;C nodes<\/li>\n<\/ul>\n<p>Be careful if you use any of these tools on the affected network: the request will often contain the hostname or IP you\u2019re looking for in its parameters, which means they\u2019ll flag you up as an infected laptop without looking at the actual URL you\u2019re browsing to (happened to me previously).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Figured I\u2019d keep a copy of this on here for the next time I need to do malware investigation. urlvoid.com \u2013 checks URLs against lots of blacklists, emergingthreats, malwaredomainlist and zeustracker\/etc\u2026 ipvoid.com \u2013 Same as above but for IP addresses support.clean-mx.de \u2013 Searches the above databases and records logs of abuse claims. 
Useful as it can [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[256,68,206,252,254,255,257,153,253],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/678"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=678"}],"version-history":[{"count":6,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/678\/revisions"}],"predecessor-version":[{"id":687,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/678\/revisions\/687"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=678"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=678"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}