Investigating and mitigating abuse involves processes where you gather sufficient information about domain names and identifiers (IP addresses and Autonomous Systems) to conclude with some certainty that these identifiers are associated with a malicious or criminal activity. With that certainty, you may seek to suspend or delete a domain name or cause the DNS to cease resolving the name to an IP address. But while you may be certain that you’ve found a wretched hive of scum and villainy, are you sure someone else hasn’t found the same den?
I find that if there’s one absolute in DNS abuse investigations it’s this:
If you’re looking at a domain, IP or ASN, someone else is looking, too.
You may hear investigators refer to this as deconfliction, and it goes hand in hand with avoiding collateral harm. To understand the kinds of disruptive or embarrassing things that can happen when you forge ahead without at least some regard for collateral damage, read my previous posts on the Jotform and Operation b71 incidents. In my article on avoiding collateral harm, I suggest questions you should ask before taking an action or serving a court order on a domain name (or address identifier):
- Will your action disrupt name service for other (reputable) domains? Hosting services for parties other than those named in your order?
- What services other than web are affected by your action on the domain name?
- What do you expect as the “long term disposition” of the domain name? Could your actions interfere with other active investigations, monitoring, or surveillance…?
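The first two questions can be answered mechanically once you have the target's DNS neighborhood in hand. The following is an added example (not code from the original post): given passive-DNS style records, it reports which record types (and therefore which services beyond web) live under the target, and which third-party names would also be disrupted by each of three candidate actions. The records, host names and addresses are constructed (RFC 2606 ".example" names, RFC 5737 test addresses); in practice you would pull them from passive DNS or live lookups.

```python
"""Blast-radius check for a proposed takedown action.

Added example, not code from the original post. The DNS records are
constructed (RFC 2606 ".example" names, RFC 5737 test addresses, invented
hostnames); in practice you would pull them from passive DNS or live lookups.
"""
from collections import defaultdict

# Constructed passive-DNS style records: (owner name, type, rdata).
SAMPLE_RECORDS = [
    ("faceeeibbook.example", "A", "203.0.113.10"),
    ("faceeeibbook.example", "NS", "ns1.cheaphost.example"),
    ("faceeeibbook.example", "MX", "mail.faceeeibbook.example"),
    ("mail.faceeeibbook.example", "A", "203.0.113.10"),
    ("shop-legit.example", "A", "203.0.113.10"),            # same IP as target
    ("shop-legit.example", "NS", "ns1.cheaphost.example"),  # same name server
    ("local-library.example", "A", "203.0.113.77"),
    ("local-library.example", "NS", "ns1.cheaphost.example"),
    ("partner.example", "MX", "mail.faceeeibbook.example"), # relays mail via target
    ("unrelated.example", "A", "198.51.100.5"),
    ("unrelated.example", "NS", "ns1.other.example"),
]


def _norm(name):
    """Lowercase and strip a trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def index_records(records):
    """Return (forward, reverse): forward[owner][rtype] -> set(rdata),
    reverse[(rtype, rdata)] -> set(owner)."""
    forward = defaultdict(lambda: defaultdict(set))
    reverse = defaultdict(set)
    for owner, rtype, rdata in records:
        owner, rtype, rdata = _norm(owner), rtype.upper(), _norm(rdata)
        forward[owner][rtype].add(rdata)
        reverse[(rtype, rdata)].add(owner)
    return forward, reverse


def under(name, domain):
    """True if name is the domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def services_on(forward, domain):
    """Record types present at or under the domain. An MX here means mail,
    not just a web site, goes dark when the name stops resolving."""
    domain = _norm(domain)
    types = set()
    for owner, rtypes in forward.items():
        if under(owner, domain):
            types.update(rtypes)
    return types


def blast_radius(forward, reverse, domain, action):
    """Names outside the target that the given action would also disrupt."""
    domain = _norm(domain)
    hit = set()
    if action == "suspend_domain":
        # Third parties whose NS or MX points at a host under the target.
        for (rtype, rdata), owners in reverse.items():
            if rtype in ("NS", "MX") and under(rdata, domain):
                hit.update(owners)
    elif action == "null_route_ip":
        # Every name resolving to one of the target's addresses.
        for ip in forward[domain].get("A", ()):
            hit.update(reverse[("A", ip)])
    elif action == "takedown_nameserver":
        # Every zone delegated to one of the target's name servers.
        for ns in forward[domain].get("NS", ()):
            hit.update(reverse[("NS", ns)])
    else:
        raise ValueError(f"unknown action {action!r}")
    return sorted(o for o in hit if not under(o, domain))


if __name__ == "__main__":
    fwd, rev = index_records(SAMPLE_RECORDS)
    target = "faceeeibbook.example"
    print("services at/under target:", sorted(services_on(fwd, target)))
    for action in ("suspend_domain", "null_route_ip", "takedown_nameserver"):
        print(f"{action:22s} collateral: {blast_radius(fwd, rev, target, action)}")
```

On the constructed data, suspending the registration is the narrowest action (only a partner that relays mail through the target is touched), null-routing the IP takes a co-hosted shop with it, and acting against the name server knocks out every zone it serves. A real dataset is noisier, but the shape of the answer is the same: the wider the identifier you act on, the more reputable names ride along.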
There’s no simple recipe for answering these questions. One way to learn if anyone else is looking at your target is to submit it to reputation or analysis sites; for example, you can submit a suspicious file or hyperlink to VirusTotal. VirusTotal will reveal whether someone’s already identified a malicious executable at the link you’ve submitted, and you’ll learn about the malware and who’s inspected it. If the link hasn’t been seen before, VirusTotal will analyze it, and others will benefit. VirusTotal is one of a number of cloud-based analysis sites, including Anubis, Comodo, Malwr, URLQuery, ViCheck, and ThreatExpert. Reputation sites for domains (Spamhaus DBL, SURBL), IP addresses (Project Honeynet), ASN (SiteVet), and mail exchanges (SenderScore) are similarly useful.
A quick and dirty way to check whether someone’s looking is to use Goohackle, a site that parses Google search results. In my example screenshot, I’ve found a hyperlink whose domain name is a visually deceptive variant of Facebook: Faceeeibbook.
I submit the URL to Goohackle and discover that someone’s already checked the link at VirusTotal, PhishTank, and SiteCheck: all sites that investigators commonly use to assess URLs. I’ll grab the intel from the linked results, add it to my dossier on this likely phish domain, and look further at the neighborhood (i.e., any IP, name server, mail exchange, or ASN information I can obtain).
Goohackle isn’t a perfect deconfliction tool, but it does double duty by giving you links to already performed analyses. At least for now, the demo is free. The service offers more detailed results and reports. Give it a try.
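The same "has anyone already looked?" check can be scripted against any search engine that returns result URLs. The following is an added example, not the original post's code and not Goohackle's: it builds site-restricted queries for a handful of analysis services, then sifts a result list to find which services already hold a report that mentions the indicator. The search hits below are constructed (the report URLs are invented); a real run would fetch results for each query and feed the returned (title, URL) pairs to `prior_analyses()`.

```python
"""Which analysis sites have already seen this indicator?

Added example, not from the original post and not Goohackle's code. SEARCH_HITS
is a constructed result list with invented report URLs; in practice you would
run the strings from build_queries() through a search engine and pass the
returned (title, url) pairs to prior_analyses().
"""
from urllib.parse import urlsplit

# Analysis/reputation services investigators commonly use, keyed by the
# hostname suffix under which their reports appear in search results.
ANALYSIS_SITES = {
    "virustotal.com": "VirusTotal",
    "phishtank.com": "PhishTank",
    "sitecheck.sucuri.net": "SiteCheck",
    "urlquery.net": "URLQuery",
}

# Constructed search results: (title, URL). Not real reports.
SEARCH_HITS = [
    ("Antivirus scan for faceeeibbook.example - VirusTotal",
     "https://www.virustotal.com/en/url/0123abcd/analysis/"),
    ("PhishTank > Phish detail: http://faceeeibbook.example/login",
     "https://www.phishtank.com/phish_detail.php?phish_id=1234567"),
    ("Sucuri SiteCheck results for faceeeibbook.example",
     "https://sitecheck.sucuri.net/results/faceeeibbook.example"),
    ("Antivirus scan for unrelated.example - VirusTotal",
     "https://www.virustotal.com/en/url/9999ffff/analysis/"),
    ("Watch out for Facebook look-alike domains",
     "https://news.example/lookalikes"),
]


def indicator_host(indicator):
    """Reduce a URL or bare host name to a lowercase hostname (no scheme,
    port, path or trailing dot), so the same dork works for either input."""
    if "://" not in indicator:
        indicator = "http://" + indicator
    host = urlsplit(indicator).hostname
    if not host:
        raise ValueError(f"no hostname in {indicator!r}")
    return host.lower().rstrip(".")


def build_queries(indicator):
    """One site-restricted query per analysis service."""
    host = indicator_host(indicator)
    return [f'"{host}" site:{suffix}' for suffix in ANALYSIS_SITES]


def _service_for(url):
    """Map a result URL to the analysis service hosting it, or None."""
    hit_host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for suffix, name in ANALYSIS_SITES.items():
        if hit_host == suffix or hit_host.endswith("." + suffix):
            return name
    return None


def prior_analyses(indicator, search_hits):
    """Group result URLs by analysis service, keeping only hits whose title
    or URL actually mentions the indicator's hostname (search engines return
    plenty of near misses)."""
    host = indicator_host(indicator)
    found = {}
    for title, url in search_hits:
        service = _service_for(url)
        if service is None:
            continue
        if host in url.lower() or host in title.lower():
            found.setdefault(service, []).append(url)
    return found


if __name__ == "__main__":
    target = "http://faceeeibbook.example/login"
    for q in build_queries(target):
        print("query:", q)
    for service, urls in sorted(prior_analyses(target, SEARCH_HITS).items()):
        print(f"{service}: {', '.join(urls)}")
```

Anything that comes back is a lead to chase, not a verdict: a prior VirusTotal or PhishTank entry tells you someone looked, not whether they are still looking, so it still belongs in the dossier alongside whatever you learn about the IP, name server, mail exchange and ASN.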