
SANS ISC: Bad url classification - SANS Internet Storm Center SANS ISC InfoSec Forums

Bad url classification

Update: Some readers mentioned testing with a referer, which is commonly used by malware. In this case I only checked it through the original webpage, capturing the traffic.

Update 2: Some readers pointed out that this domain is registered by ESTDOMAINS, which is well known as a registrar of lots of websites serving malware.

Last weekend, I was playing around with some urls/websites...

On one of those websites, I found an iframe that, at first glance, looked suspicious. It was highly obfuscated.

With help from a nice tool called Malzilla, I was able to see that it was actually pointing to hxxp:// . At the time I was checking, it wasn't really doing anything nasty, just a redirection to website...maybe a counter...maybe a step to another infected site...

But what if my job was to classify that URL? What would be the right thing to do?

Let's go to the facts:

- First of all, it is obviously a kind of typosquatting on the Google brand...

- Google (through StopBadware) and McAfee SiteAdvisor show warnings on that link, so it may really not be a nice site.

- A whois shows interesting information:

Smart LTD
    Valeriy        (
    ul. tulpanov 11
    Tel. +555.5555555

So, a fake phone number, the country is TJ, which is the country code of Tajikistan(!), and probably a fake address...

Despite all these facts, it was not really doing anything nasty (at the time of my research). Would it be fair to add this URL as "Bad"?

My answer is yes, because putting all these together, you will notice that the dog is not barking, but it is definitely there...just waiting for the right time to bite you!
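
The reasoning above can be written down as a small classification rule that marks a URL "bad" on circumstantial indicators alone, even when no malicious behaviour was observed. This is an added example, not code from the original diary; the brand list, the registrar watchlist, the threshold of three indicators and the sample domain are assumptions constructed for illustration.

```python
import re

BRANDS = ["google"]                    # brands to protect (assumption)
WATCHED_REGISTRARS = {"estdomains"}    # registrar named in the diary's update

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_typosquat(domain):
    """True if a dot/hyphen-separated label is 1-2 edits away from a brand."""
    labels = re.split(r"[.-]", domain.lower())
    return any(0 < edit_distance(l, b) <= 2 for l in labels for b in BRANDS)

def placeholder_phone(phone):
    """True for a missing, too-short or single-repeated-digit number."""
    digits = re.sub(r"\D", "", phone or "")
    return len(digits) < 7 or len(set(digits)) == 1

def classify(domain, whois, warnings, observed_malicious=False, threshold=3):
    """Return (verdict, reasons); threshold is an illustrative assumption."""
    reasons = []
    if looks_like_typosquat(domain):
        reasons.append("typosquat of a protected brand")
    if warnings:
        reasons.append("flagged by: " + ", ".join(sorted(warnings)))
    if placeholder_phone(whois.get("phone")):
        reasons.append("placeholder or missing registrant phone")
    if (whois.get("registrar") or "").lower() in WATCHED_REGISTRARS:
        reasons.append("registrar on watchlist")
    if observed_malicious or len(reasons) >= threshold:
        return "bad", reasons
    return ("suspicious" if reasons else "unclassified"), reasons

# Constructed sample: the domain is made up (reserved .example TLD);
# phone, country and registrar mirror the values quoted in the diary.
SAMPLE_WHOIS = {"phone": "+555.5555555", "country": "TJ", "registrar": "ESTDOMAINS"}
SAMPLE = classify("gooogle-stats.example", SAMPLE_WHOIS, ["StopBadware", "SiteAdvisor"])

if __name__ == "__main__":
    print(SAMPLE[0])
    for reason in SAMPLE[1]:
        print(" -", reason)
```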


Pedro Bueno ( pbueno //&&// isc. sans. org)



Jul 8th 2008
