Bad URL classification
Update: Some readers suggested testing with a Referer header, which is commonly used by malware. In this case I only checked it through the original web page, capturing the traffic.
Update 2: Some readers pointed out that this domain is registered through ESTDOMAINS, a registrar well known for registering many malware-serving websites.
Last weekend, I was playing around with some URLs/websites...
On one of those websites I found an iframe that looked suspicious at first glance: it was heavily obfuscated.
With the help of a nice tool called Malzilla, I was able to determine that it actually pointed to hxxp://google-stat.net/stat/stat.php . At the time I checked, it wasn't really doing anything nasty, just redirecting to the google.com website... maybe a counter... maybe a step toward another infected site...
But what if my job were to classify that URL? What would be the right thing to do?
Let's go to the facts:
- First of all, it is obviously a kind of typosquatting on the Google brand...
- Google (through StopBadware) and McAfee SiteAdvisor both show warnings for that link, so it may really not be a nice site.
- A whois lookup shows interesting information:
Smart LTD
Valeriy (orensmm@gmail.com)
ul. tulpanov 11
Karategin
Karategin,555555
TJ
Tel. +555.5555555
So: a fake phone number, a country of TJ, which is the country code of Tajikistan(!), and probably a fake address...
Besides all these facts, it was not really doing anything nasty (at the time of my research). Would it be fair to add this URL as "Bad"?
My answer is yes, because when you put all these together, you will notice that the dog is not barking, but it is definitely there... just waiting for the right time to bite you!
---------------------------------------------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org)