Security Online Malware Research Tools


Here is a collection of various online tools I use to research security related to specific URLs.  Order is not related to usefulness as each has their own usage.  WOT (Web of Trust) is one of my favorites but they all have their uses when researching malware sites.

Virus Total

File Scanner:
https://www.virustotal.com/en/

URL Scanner:
https://www.virustotal.com/en/#url

Description: VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and malware.

Use Case(s): Virus Total is a very easy tool to use and can give immediate returns for better known exploits, viruses, malware, etc. This site can also analyze either a single file or full URL. Just because a check comes back clean DOES NOT mean the file or URL are clean. If one or more of the results identify the file as MALWARE beware as there is a high potential for infection.

  1. Evaluate a potential malicious file by uploading it.
    Selection_003
  2. Evaluate a potential malicious URL scanning it.
    Selection_004

Here is a URL sample report of an infected site. It does not show the full list of all engines that check, however what should be of interest and concern to you is that at least two of the sites registered the URL as MALWARE.

Selection_005a

URLVoid

Link to URLVoid:
http://www.urlvoid.com/

Description: URLVoid.com is a free service developed by NoVirusThanks Company Srl that allows users to scan a website address with multiple website reputation engines and domain blacklists to facilitate the detection of possible dangerous websites, used to distribute malware and spyware or related to fraudulent activities. This site can simply be thought of as a website blacklist database.

Use Case(s): This site has much the same use case(s) as Virus Total, however there are a few unique features that URLVoid has that Virus Total does not have.

  1. Evaluate a potential malicious URL
    Selection_007a
  2. Shows Website Blacklist Report with clickable links to each of the blacklist sites. Some will pull up reports like MyWOT, others will take you to the search page where you can search again for the questionable site directly.
    Selection_016a
  3. Test if the site is still up and responding.
    Selection_013a
  4. Shows IP Address Details, server geolocation and “website neighbors”.
    Selection_014a
    Selection_015a
  5. This site also provides informational traffic graphs.
    Selection_017a

WOT – Web of Trust

Link to WOT:
http://www.mywot.com

Description: Web of Trust (WOT) is a powerful user reporting tool. It can be added to your browser to provide “warnings” for links provided by search engines (such as Bing and Google). It also provides a method of allowing users to provide direct ratings and comments to any given site. This tool can be added directly

“WOT displays a colored traffic light next to website links to show you which sites people trust for safe searching, surfing and shopping online: green for good, red for bad, and yellow as a warning to be cautious. The icons are shown in popular search engine results, social media, online email, shortened URLs, and lots of other sites.”

Use Case(s): This site has much the same use case(s) as Virus Total and the base function of URLVoid, however it also has a unique feature of its own – a large self-reporting user community base. The largest value I find from this site is self-reporting comments and user ratings. User ratings are broken down by Trustworthiness, Vendor Reliability, Privacy and Child Safety.

  1. Evaluate potential malicious URLs broken down by Trustworthiness, Vendor Reliability, Privacy and Child Safety. Additional information regarding blacklisting’s (such as from SURBL) is provided.
    Selection_019a
    Selection_020a
  2. User comments are provided for some sites. When these exist I find they can be particularly useful, especially when users report sites contain malware and have overall poor ratings.

Google Safe Browsing

Link to Google Safe Browsing:
http://www.google.com/safebrowsing/diagnostic?site=http://domain.com

Description: Good easy online check, however it is not very good at catching transient sites. I very often will use this (or MyWOT) first as a quick check.  There is no search “box” that I have found and to use this you will need to change site=http://domain.com to the site you want to check, such as site=http://checkthisbadboyout.com

Use Case(s): Provides information if a site has been listed with Google as having suspicious activity over the past 90 days. Some items which can be of use:

  • What happened when Google visited the site: This section will list the number of Trojan(s) and Exploit(s) hosted (not type) and can also provide details such as “infection resulted in an average of 1 new process(es) on the target machine”.
  • Has this site hosted malware: This section can contain other domains which are either associated or were infected by this domain.
    Selection_021a

vURL Online

Link to vURL Online:
http://vurl.mysteryfcm.co.uk

Description: vURL is a webpage dissection service that was developed due to limitations that were found in alternate services of similar function. This is probably one of the most complex online tools and certainly the most complex listed on this page. Most of the other tools available will usually provide you enough information to determine if a site is hosting malicious content, however in some cases it may not be clear or there is a need to see what the output of the code is when visiting the site without risking infection to your own machine. When this is needed it is time to utilize the power of vURL Online.

Use Case(s): This tool provides some basic information regarding the site but its primary use is website dissection. In its current incarnation, vURL dissects webpages you provide it, and extracts the following for you:

  • Webpage title
  • Webpage source code (with line numbers)
  • Webpage links
  • Webpage images (coming back soon)
  • Server headers (Only if the server returns this information – not all servers do)
  • Server IP address
  • Server IP PTR (IP to hostname resolution)
  • Server type (Only if the server returns this information – not all servers do)
  • hpHosts inclusion status
  • Malware Domain List (MDL) inclusion status
  • PhishTank inclusion status
  • WhoIs and net-block information (Provided via hpHosts Online)
  1. Need to dissect a URL.
    Selection_008a
  2. Provides basic server information, status from hpHosts, MDL, Phish Tank, Sudo secure and Known Security. It also provides the header breakdown
    .
    Selection_010a
  3. And this is where the real fun begins. A line by line breakdown of the entire webpage response. This can be useful for identifying re-directions  obfuscation, etc. It has a lot of power, way more than is appropriate to provide detailed information within this document.
    Selection_011a
Advertisement

How to Easily Analyze a Malicious Javascript Attachment


This tutorial is very much like my prior one, has the same JavaScript attachment however in my prior video I did a deep dive on dissecting the JavaScript and in this one I let the browser do the work for me. This makes it quick and easy to determine where any JavaScript is directing you. Do not try this unless you know what you are doing and if you do you accept full responsibility for infecting your system if you do. The safest way to protect you is to use a browser you do not use (empty cookies, history, cache, everything), use it in incognito mode and DISCONNECT your internet connection.

YOUTUBE VIDEO LINK
http://www.youtube.com/watch?v=4r3k2PE8Xzc

Malicious Email Attachment – Javascript Obfuscation (How to Decode)


This video is a demonstration on how to “decode” malicious email attachments that contain obfuscated javascript, or javascript that contains malicious code that is not in an easily readable human format. The purpose of this demonstration is to show you my methodology for decoding the contents of the malicious attachment and help understand what the threat or risk is. This is very useful to do to know what URLs to block or understand what damage has likely been done in the event someone who has received this email has become compromised.

YOUTUBE VIDEO LINK
http://www.youtube.com/watch?v=Oh-3pEe20OU

How to hide a Truecrypt volume within an image – Ubuntu


This video shows how to add a Truecrypt volume to an image (join the two files) so that it still looks like an image to the untrained eye. I then post it on the internet, download it and run a script (included below) to access the Truecrypt volume.

The work has been completed for you, the password is included below as well as the mounttc script I wrote and the address to access the file. This should be everything you need to access the file within the Truecrypt container attached to the image. Once you have access to the file follow the instructions and let me know you have completed the challenge.

Password for the Truecrypt container:
Jk7&d-3#s.1rEx*s2@wWzY

Location where you can download the image that contains the truecrypt container:
http://netcladsecurity.webs.com/photo…

This is MY sample mounttc file (just to make it easy), it will need to be adjusted to fit your system and file directories specific to your setup. You can consider this a working example that you can modify to create your own instance.

—————————————-­—————————————-­—————-
split -b393487 image.jpg
sudo truecrypt -t -k xaa –protect-hidden=no xab /media/truecrypt1
wipe -f xaa
wipe -f xab
—————————————-­—————————————-­—————-

I DO NOT ADVOCATE PUTTING SENSITIVE FILES ON THE INTERNET IN THIS FASHION. If you do store your password in a plain text file on something like dropbox.com, google drive, etc for backing it up then this method is MUCH better and safer. There are NEVER any guarantees that encryption cannot be broken and sensitive data accessed. This is for learning purposes and if you choose to use this method you do so at your own risk.

YOUTUBE VIDEO LINK
http://www.youtube.com/watch?v=mlviTmnsQpk

Test Your Password Strength Against John the Ripper


This is a demonstration video on how to test the strength of your passwords on an Ubuntu system against the John the Ripper password cracker. It is important to know how fast these tools can actually work to crack passwords and how to protect yourself against them finding your password. In my example password, password1 and elephant were all found in under 20 seconds and I don’t have a fast machine. Btw… these were test accounts I removed immediately after making the video 🙂

YOUTUBE VIDEO LINK
http://www.youtube.com/watch?v=8oNYJyNF-WI

Truecrypt Tutorial – Ubuntu 11.04


This is a tutorial on how to install and use truecrypt on an Ubuntu 64 bit 11.04 system. The method should work for most distributions of Linux. I will show the simple installation process, how to create a truecrypt container and protect is using a password and keyfile. I also demonstrate how changing the keyfile will make the truecrypt container inaccessible.

I hope you find this tutorial useful.
YOUTUBE VIDEO LINK
http://www.youtube.com/watch?v=-rr6djyohwk

How to determine where an email was sent from (tutorial)


This video explains how to trace an email back to where it originated (or was sent from). This does not mean that the location the email came from is where the person who sent it is, but it does help to determine in most cases where an email was sent from. Information which you can use to determine the legitimacy of any email, spam or otherwise.

YOUTUBE VIDEO LINK
http://www.youtube.com/watch?v=LU649WNhFeE

Google Authenticator for SSH access on Ubuntu 11.04 – OTP


This video describes at a high level what it takes to configure Ubuntu 11.04 ssh access to require a verification code from Google Authenticator. Here are some useful links:

WebbyNotes Guide:
http://guides.webbynode.com/articles/…

Guide by Jean-Francois Theroux (Installation / Configuration):
http://blog.theroux.ca/security/ubunt…

Download the Ubuntu Google Authenticator package for Ubuntu:
https://launchpad.net/ubuntu/+source/…

Background can be found here:
http://gnome-look.org/content/show.ph…

YOUTUBE VIDEO LINK
http://www.youtube.com/watch?v=UTjdW3F6GOc

Security Online Malware Research Tools


Here is a collection of various online tools I use to research security related to specific URLs.  Order is not related to usefulness as each has their own usage.  WOT (Web of Trust) is one of my favorites but they all have their uses when researching malware sites.

Virus Total

File Scanner:
https://www.virustotal.com/en/

URL Scanner:
https://www.virustotal.com/en/#url

Description: VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and malware.

Use Case(s): Virus Total is a very easy tool to use and can give immediate returns for better known exploits, viruses, malware, etc. This site can also analyze either a single file or full URL. Just because a check comes back clean DOES NOT mean the file or URL are clean. If one or more of the results identify the file as MALWARE beware as there is a high potential for infection.

  1. Evaluate a potential malicious file by uploading it.
    Selection_003
  2. Evaluate a potential malicious URL scanning it.
    Selection_004

Here is a URL sample report of an infected site. It does not show the full list of all engines that check, however what should be of interest and concern to you is that at least two of the sites registered the URL as MALWARE.

Selection_005a

URLVoid

Link to URLVoid:
http://www.urlvoid.com/

Description: URLVoid.com is a free service developed by NoVirusThanks Company Srl that allows users to scan a website address with multiple website reputation engines and domain blacklists to facilitate the detection of possible dangerous websites, used to distribute malware and spyware or related to fraudulent activities. This site can simply be thought of as a website blacklist database.

Use Case(s): This site has much the same use case(s) as Virus Total, however there are a few unique features that URLVoid has that Virus Total does not have.

  1. Evaluate a potential malicious URL
    Selection_007a
  2. Shows Website Blacklist Report with clickable links to each of the blacklist sites. Some will pull up reports like MyWOT, others will take you to the search page where you can search again for the questionable site directly.
    Selection_016a
  3. Test if the site is still up and responding.
    Selection_013a
  4. Shows IP Address Details, server geolocation and “website neighbors”.
    Selection_014a
    Selection_015a
  5. This site also provides informational traffic graphs.
    Selection_017a

WOT – Web of Trust

Link to WOT:
http://www.mywot.com

Description: Web of Trust (WOT) is a powerful user reporting tool. It can be added to your browser to provide “warnings” for links provided by search engines (such as Bing and Google). It also provides a method of allowing users to provide direct ratings and comments to any given site. This tool can be added directly

“WOT displays a colored traffic light next to website links to show you which sites people trust for safe searching, surfing and shopping online: green for good, red for bad, and yellow as a warning to be cautious. The icons are shown in popular search engine results, social media, online email, shortened URLs, and lots of other sites.”

Use Case(s): This site has much the same use case(s) as Virus Total and the base function of URLVoid, however it also has a unique feature of its own – a large self-reporting user community base. The largest value I find from this site is self-reporting comments and user ratings. User ratings are broken down by Trustworthiness, Vendor Reliability, Privacy and Child Safety.

  1. Evaluate potential malicious URLs broken down by Trustworthiness, Vendor Reliability, Privacy and Child Safety. Additional information regarding blacklisting’s (such as from SURBL) is provided.
    Selection_019a
    Selection_020a
  2. User comments are provided for some sites. When these exist I find they can be particularly useful, especially when users report sites contain malware and have overall poor ratings.

Google Safe Browsing

Link to Google Safe Browsing:
http://www.google.com/safebrowsing/diagnostic?site=http://domain.com

Description: Good easy online check, however it is not very good at catching transient sites. I very often will use this (or MyWOT) first as a quick check.  There is no search “box” that I have found and to use this you will need to change site=http://domain.com to the site you want to check, such as site=http://checkthisbadboyout.com

Use Case(s): Provides information if a site has been listed with Google as having suspicious activity over the past 90 days. Some items which can be of use:

  • What happened when Google visited the site: This section will list the number of Trojan(s) and Exploit(s) hosted (not type) and can also provide details such as “infection resulted in an average of 1 new process(es) on the target machine”.
  • Has this site hosted malware: This section can contain other domains which are either associated or were infected by this domain.
    Selection_021a

vURL Online

Link to vURL Online:
http://vurl.mysteryfcm.co.uk

Description: vURL is a webpage dissection service that was developed due to limitations that were found in alternate services of similar function. This is probably one of the most complex online tools and certainly the most complex listed on this page. Most of the other tools available will usually provide you enough information to determine if a site is hosting malicious content, however in some cases it may not be clear or there is a need to see what the output of the code is when visiting the site without risking infection to your own machine. When this is needed it is time to utilize the power of vURL Online.

Use Case(s): This tool provides some basic information regarding the site but its primary use is website dissection. In its current incarnation, vURL dissects webpages you provide it, and extracts the following for you:

  • Webpage title
  • Webpage source code (with line numbers)
  • Webpage links
  • Webpage images (coming back soon)
  • Server headers (Only if the server returns this information – not all servers do)
  • Server IP address
  • Server IP PTR (IP to hostname resolution)
  • Server type (Only if the server returns this information – not all servers do)
  • hpHosts inclusion status
  • Malware Domain List (MDL) inclusion status
  • PhishTank inclusion status
  • WhoIs and net-block information (Provided via hpHosts Online)
  1. Need to dissect a URL.
    Selection_008a
  2. Provides basic server information, status from hpHosts, MDL, Phish Tank, Sudo secure and Known Security. It also provides the header breakdown
    .
    Selection_010a
  3. And this is where the real fun begins. A line by line breakdown of the entire webpage response. This can be useful for identifying re-directions  obfuscation, etc. It has a lot of power, way more than is appropriate to provide detailed information within this document.
    Selection_011a

Creating a Strong Password 101


Most authentication is still based on username and password, personally I feel this is adequate for most of my personal accounts as long as I use a strong password. I do wish MY Bank offered two factor authentication, but alas it does not yet.

So, if a strong password is ALL you have to protect yourself how do you create one and more importantly how do you remember it? Let’s start with creating a strong password…

CREATING A STRONG PASSWORD

  • Pick two or three words that are 10 or more letters in length.
  • Use unrelated words
  • Substitute at least one letter for a number, such as 4 for A or 3 for E.  Do not substitute ALL possible letters for numbers.
  • Add a punctuation.
  • Capitalize at least one letter.

Sound doable?  Now, the real challenge is remembering it.  If you absolutely cannot remember passwords then I suggest using the Password Safe, just make sure your password to access the safe is VERY secure.  This allows you to remember only one password and have access to all your other passwords contained in the safe.  For those of you that  feel up to the challenge try running an installation of TeamPass.  It is what I personally use.  Just make sure to back it up and NEVER change the salt.  You should be able to but it is not supported yet and you will lose ALL of your passwords as well as all passwords for all others.  I suggest not putting this site on the internet.

EXAMPLE 1

  • picture leaf
  • pictur3 l3af
  • pictur3#l3af
  • Pictur3#l3aF

Now what you have to remember….

  • picture#leaf with e’s substituted for 3’s and the first and last letters capitalized. 

EXAMPLE 2

  • space manhole
  • sp4ce m4nhole
  • sp4ce.m4nhole
  • sp4cE.M4nhole

Now what you have to remember….

  • space.manhole with a’s substituted for 4’s and the last letter of the first word and first letter of the last word capitalized.