BelchSpeak

Safe Browsing Tips- How Safe Is That Website?

I have spent lots of hours in the Analyst's chair poring over IDS/proxy server/SIEM logs and alerts, trying to piece together intrusions from the scant evidence available. So any utility or tool that helps me gauge the likelihood that a victim host was successfully compromised is welcome. For instance, if you have an alert that someone visited a website and encountered a possibly malicious Shockwave Flash file or some unusual JavaScript, how do you determine how likely it is that the victim was compromised? Here are two great free tools that can help.

First up is SiteAdvisor, a site I have blogged about in the past.

SiteAdvisor was purchased by McAfee a few years ago. It is a great analytical tool for judging how likely someone was to have been compromised, because its web interface lets you look up potentially malicious domains. On the right hand side of the SiteAdvisor homepage is a search box. Simply type in the name of the site, such as Belch.Com, your own domain, or the potentially malicious site in question, and click on the "view report now" link. The primary site appears in the center along with any links to potentially malicious sites. If malware is known to exist on the website, the report lists what type of malware it was. For example, check out the report for iask.com here.

You get a report that looks like this, showing the banking trojan download and the other sites that link to this page to retrieve malware. You can simply click on one of the linking sites to view the report for that site as well. If the victim host you are investigating visited a site like this, the chances that the host was compromised are much higher than for a host that visited a "green" site.

Next up is Google’s Safe Browsing Diagnostic Tool.

This tool is not linked from Google's homepage, but it is simple enough to use. Just paste this URL into your browser and bookmark it:

http://www.google.com/safebrowsing/diagnostic?site=iask.com

Now just change the value after the "site=" string to the site in question to see whether that site is currently hosting malware or has hosted any in the past 90 days. You will notice that in this example, as of this date, the iask.com site is not hosting any malware and has not for 90 days. But if you click on any of the AS (autonomous system) links, you will see what that network has been known to host over the past 90 days, along with sample known malicious sites. Give it a try for Belch.Com or for your own site.
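Since an analyst usually has a pile of proxy-log URLs rather than one site, here is an added Python helper (my own example, not part of the original post) that pulls the distinct hostnames out of a batch of logged URLs and builds the diagnostic link for each one, so the "site=" swap described above can be done in bulk. The endpoint is the one quoted above; the log URLs are constructed samples.

```python
"""Build Google Safe Browsing diagnostic links for every distinct host
seen in a batch of proxy-log URLs, so each can be checked in turn."""
import re
from urllib.parse import urlsplit, urlencode

# The diagnostic endpoint quoted in the post; only the site= value changes.
DIAGNOSTIC_BASE = "http://www.google.com/safebrowsing/diagnostic"

# Conservative hostname check so junk log fields do not become lookups.
HOSTNAME_RE = re.compile(r"[a-z0-9.-]+")


def host_from_url(raw):
    """Return the lowercase hostname (no scheme, credentials, port or path)
    from a URL as it appears in a proxy log, or None if there is no usable host."""
    raw = raw.strip()
    if "://" not in raw:
        raw = "http://" + raw          # some log formats record bare "host/path"
    try:
        host = urlsplit(raw).hostname  # drops userinfo and port, lowercases
    except ValueError:
        return None
    if not host or not HOSTNAME_RE.fullmatch(host):
        return None
    return host


def diagnostic_url(site):
    """Diagnostic URL for one site, with the site= value query-encoded."""
    return DIAGNOSTIC_BASE + "?" + urlencode({"site": site})


def lookup_urls(log_urls):
    """Map each distinct host (first-seen order) to its diagnostic URL."""
    result = {}
    for raw in log_urls:
        host = host_from_url(raw)
        if host and host not in result:
            result[host] = diagnostic_url(host)
    return result


# Constructed sample (not real traffic): the URL field from a few proxy log lines.
SAMPLE_LOG_URLS = [
    "http://iask.com/some/page.html",
    "http://www.iask.com:8080/other?x=1",
    "HTTPS://IASK.COM/login",
    "belch.com/index.php",
    "http://user:pw@example.test/download.exe",
    "not a url",
]

if __name__ == "__main__":
    for host, url in lookup_urls(SAMPLE_LOG_URLS).items():
        print(host, "->", url)
```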

Dr. Jones

Do not talk about fight club. Oops.
