Graphing Suspicious URL Relationships

Some 10,000 websites have been compromised to redirect users to a new exploit toolkit called Nice Pack. Discovered on Wednesday, it attempts to take advantage of flaws in users’ third-party applications, such as Java and Adobe products, to install the “Zero Access Trojan”. Malicious URLs are not always tied to a single domain: attackers usually place redirects on many different domains so that the real source of the malware stays hidden from the legitimate user. For example, you can check a user’s entire browsing history to identify the malicious domain that infected the victim’s computer and still not find the malicious website anywhere in the previous navigation. The techniques used by malware writers include redirection through malicious JavaScript, an embedded iframe, or other means.

You can, however, display all the previous activity by capturing the HTTP requests with a simple sniffer, and find out what the computer really downloaded while browsing those websites. For this you can use one of the previously mentioned utilities, such as Wireshark, tshark or tcpdump.

Next, for a fast and clear result, you can also consider jsunpack-n to graph URL relationships in packet captures and determine the steps that led to a compromise. jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:

  • PDF files – samples/sample-pdf.file
  • Packet Captures – samples/sample-http-exploit.pcap
  • HTML files
  • JavaScript files
  • SWF files

This project contains the source code which runs at the website http://jsunpack.jeek.org/. Users can upload files, or enter script contents and URLs to decode. If you choose to install jsunpack-n on your own system, you can run it with the following command to fetch and decode a URL:

$ ./jsunpackn.py -u URL

Optionally, you can specify the -a option, which fetches further decoded URLs or paths. If you wish to decode a local file instead, you can simply run:

$ ./jsunpackn.py samples/sample-pdf.file

The result is a graph that describes the real URL relationships between the captured requests.

You can use the tool to get a quick and clear graphed report of the domains involved.
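As an added illustration (this is not jsunpack-n’s code, nor code from the book cited below), the following Python script does the same kind of relationship graphing by hand: it parses HTTP request headers as a sniffer would show them on the wire, links each request to the page that triggered it through the Referer header, and walks the redirect chain from the site the user actually visited to the final download. The request data and hostnames are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: raw HTTP request headers as tcpdump/tshark would show
# them on the wire. All hostnames are hypothetical placeholders.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: news.example\r\n\r\n",
    "GET /ads/loader.js HTTP/1.1\r\nHost: cdn.example\r\n"
    "Referer: http://news.example/index.html\r\n\r\n",
    "GET /in.php HTTP/1.1\r\nHost: redirector.invalid\r\n"
    "Referer: http://cdn.example/ads/loader.js\r\n\r\n",
    "GET /kit/index.php HTTP/1.1\r\nHost: landing.invalid\r\n"
    "Referer: http://redirector.invalid/in.php\r\n\r\n",
    "GET /kit/java.jar HTTP/1.1\r\nHost: landing.invalid\r\n"
    "Referer: http://landing.invalid/kit/index.php\r\n\r\n",
]

REQ_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")

def parse_request(raw):
    """Return (url, referer) for one request; referer is None if absent."""
    lines = raw.split("\r\n")
    m = REQ_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("request without Host header")
    return "http://" + headers["host"] + m.group(2), headers.get("referer")

def build_graph(requests):
    """Map each referring URL to the URLs it caused the browser to fetch."""
    graph = defaultdict(list)
    for raw in requests:
        url, referer = parse_request(raw)
        graph[referer].append(url)   # key None collects direct user visits
    return graph

def chains(graph, start):
    """Every path from start to a leaf, i.e. the redirect chain to a payload."""
    out = []
    def walk(node, path):
        children = graph.get(node, [])
        if not children:
            out.append(path)
        for child in children:
            if child not in path:    # guard against Referer loops
                walk(child, path + [child])
    walk(start, [start])
    return out
```

Only the first request in the sample has no Referer, so it is the page the user actually typed in; everything after it was fetched because of a redirect or an embedded script, which is exactly what a browser history would hide.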

Reference:

Malware Analyst’s Cookbook: http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033

  • Malwarecookbook

    This is copied straight out of malware analyst’s cookbook. You even used the sample pcap to generate the same image used in the book. 

  • http://sectechno.com Mourad

    Hello Sir,

    I already posted about your book several times on my blog. As for the graph, I used it from the official blog at this link; it may also belong to your book, but it is just at this link:

    http://jsunpack.blogspot.com/2009/09/new-version-of-jsunpack-n-is-available.html

    If there is any problem I can remove it. Please tell me so I remove it if there is any problem.

  • Malwarecookbook

    I feel like you deserve the benefit of the doubt for this post, since it is published elsewhere (like the jsunpack website as you said). However, when combined with your other post (http://www.sectechno.com/2011/05/28/capturing-and-analyzing-malicious-network-traffic/), which there is *no doubt in my mind* that you copied, I have to believe that the book also influenced this current post.

    Why do I have no doubts? One reason is the “oinkmaster5” (http://t.co/Isou5aH2). You can’t say that’s a coincidence. No way. The other reason is you left “” in the commands:

    # sudo apt-get install snort

    # sudo wget -P /etc/snort/rules http://www.emergingthreats.net/rules/emerging-all.rules

    # sudo echo 'include $RULE_PATH/emerging-all.rules' >> /etc/snort/snort.conf

    Those are the exact commands in the exact order as they appear in the book. Big evidence being the “” after “rules “. That is not part of a real command, it was used in the book to indicate a line break. If you had even tried using the commands before pasting them, you would have realized that “” is not part of the command itself.

    Regarding your statement “I already posted about your book several time on my blog”… that is perfectly fine. I appreciate you giving credit where credit is due. However, just because you’ve mentioned a source in the past, that doesn’t mean you’re exempt from mentioning it in the future (if you cite material from it). For example, if I write a blog post and say “here are my favorite books”… and then months later I write a paper, publish some other documents, or present at a conference on material from those books… I still have to cite the books each and every time.

  • http://sectechno.com Mourad

    Hi Robble,

    I always respect copyright and will add your link to the article, while I believe
    that they are totally different. Just tell me if this will be OK.