
Use Goohackle as a quick and dirty deconfliction tool

Investigating and mitigating abuse involves processes where you gather sufficient information about domain names and identifiers (IP addresses and Autonomous Systems) to conclude with some certainty that these identifiers are associated with a malicious or criminal activity. With that certainty, you may seek to suspend or delete a domain name or cause the DNS to cease resolving the name to an IP address.  But while you may be certain that you’ve found a wretched hive of scum and villainy, are you sure someone else hasn’t found the same den?

I find that if there’s one absolute in DNS abuse investigations it’s this:

If you’re looking at a domain, IP or ASN, someone else is looking, too.

You may hear investigators refer to this as deconfliction, commonly known as avoiding collateral harm. To understand the kinds of disruptive or embarrassing things that can happen when you forge ahead without at least some regard for avoiding collateral damage, read my previous posts on the Jotform and Operation b71 incidents. In my article on avoiding collateral harm, I suggest questions you should ask before taking an action or serving a court order on a domain name (or address identifier):

  • Will your action disrupt name service for other (reputable) domains? Hosting services for parties other than those named in your order?
  • What services other than web are affected by your action on the domain name?
  • What do you expect as the “long term disposition” of the domain name?  Could your actions interfere with other active investigations, monitoring, or surveillance…?

There’s no simple recipe for answering these questions. One way to learn if anyone else is looking at your target is to submit these to reputation or analysis sites; for example, you can submit a suspicious file or hyperlink to VirusTotal. VirusTotal will reveal whether someone’s already identified a malicious executable at the link you’ve submitted and you’ll learn about the malware and who’s inspected it. If the link hasn’t been seen before, VirusTotal will analyze it, and others will benefit.  VirusTotal is one of a number of cloud-based analysis sites, including Anubis, Comodo, Malwr, URLQuery, ViCheck, and ThreatExpert. Reputation sites for domains (Spamhaus DBL, SURBL), IP addresses (Project Honeynet), ASN (SiteVet), and mail exchanges (SenderScore) are similarly useful. 

A quick and dirty way to check whether someone’s looking is to use Goohackle, a site that parses Google search results. In my example screenshot, I’ve found a hyperlink whose domain name is a visually deceptive variant of Facebook: Faceeeibbook.

[Screenshot: Goohackle results]

I submit the URL to Goohackle and discover that someone’s already checked the link at VirusTotal, PhishTank, and SiteCheck: all sites that investigators commonly use to assess URLs. I’ll grab the intel from the linked results here, add them to my dossier on this likely phish domain, and look further at the neighborhood (i.e., any IP, name server, mail exchange, or ASN information I can obtain).
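The sorting step described above, deciding from a list of search-result hits which analysis sites have already looked at a suspicious domain, is easy to script. The following is an added example (not Goohackle’s code, nor anything from the original post): it takes constructed hits of the form (url, title), refangs defanged indicators such as `hxxp://name[.]example`, matches only the indicator domain and its subdomains (so the spoofed brand’s own domain does not count as a sighting), and groups hits by service. The service hostnames in `KNOWN_SERVICES` and the domain `faceeeibbook.example` are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Analysis/reputation services named in the post, keyed by the hostname their
# result pages live on. The hostnames are assumptions for this example.
KNOWN_SERVICES = {
    "virustotal.com": "VirusTotal",
    "phishtank.com": "PhishTank",
    "sitecheck.sucuri.net": "SiteCheck",
    "urlquery.net": "URLQuery",
}

# Constructed search-result hits (url, title) of the kind a search-result
# parser returns. faceeeibbook.example is a constructed lookalike domain.
SAMPLE_HITS = [
    ("https://www.virustotal.com/gui/domain/faceeeibbook.example",
     "faceeeibbook.example - VirusTotal"),
    ("https://www.phishtank.com/phish_detail.php?phish_id=0",
     "PhishTank > Is hxxp://faceeeibbook[.]example/login a phish?"),
    ("https://sitecheck.sucuri.net/results/faceeeibbook.example",
     "SiteCheck: login.faceeeibbook.example"),
    ("https://forum.example/thread/1",
     "Anyone seen faceeeibbook.example in spam today?"),
    # The spoofed brand's own page: must NOT count as a sighting of our indicator.
    ("https://www.virustotal.com/gui/domain/facebook.example",
     "facebook.example - VirusTotal"),
]

# Loose domain-shaped token: label(s) followed by a dot and a 2+ letter TLD.
DOMAIN_TOKEN = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}", re.I)


def refang(text):
    """Undo the defanging analysts apply when writing up indicators."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def host_of(url):
    """Lower-cased hostname of a result URL with a leading 'www.' dropped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def service_for(host):
    """Map a result's hostname to a known service, matching parent domains too."""
    for svc_host, name in KNOWN_SERVICES.items():
        if host == svc_host or host.endswith("." + svc_host):
            return name
    return None


def mentions_indicator(text, indicator):
    """True if text names the indicator domain itself or a subdomain of it.
    A near-identical domain (e.g. the brand being spoofed) is not a match."""
    indicator = indicator.lower()
    for tok in DOMAIN_TOKEN.findall(refang(text).lower()):
        if tok == indicator or tok.endswith("." + indicator):
            return True
    return False


def deconflict(indicator, hits):
    """Sort hits into: known services that already looked at the indicator,
    other pages that mention it, and hits that do not reference it at all."""
    seen_by, other, unrelated = {}, [], []
    for url, title in hits:
        if not mentions_indicator(url + " " + title, indicator):
            unrelated.append(url)
            continue
        svc = service_for(host_of(url))
        if svc:
            seen_by.setdefault(svc, []).append(url)
        else:
            other.append(url)
    return {"seen_by": seen_by, "other_mentions": other, "unrelated": unrelated}


if __name__ == "__main__":
    report = deconflict("faceeeibbook.example", SAMPLE_HITS)
    for svc, urls in report["seen_by"].items():
        print(f"{svc}: already analysed -> {urls[0]}")
    print("other mentions:", len(report["other_mentions"]))
    print("unrelated hits:", len(report["unrelated"]))
```

Run against the constructed hits, the report lists VirusTotal, PhishTank and SiteCheck as having already seen the domain, one forum mention, and one unrelated hit (the spoofed brand’s own VirusTotal page). Any service in `seen_by` is a signal that someone else is watching the same identifier, which is exactly the question deconfliction asks before you act on it.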

Goohackle isn’t a perfect deconfliction tool, but it does double duty by giving you links to already performed analyses. At least for now, the demo is free. The service offers more detailed results and reports. Give it a try.
