If you’ve listened to my podcast, Healthy Paranoia (insert shameless plug here), I’m more builder than breaker or even analyst. Not that I don’t respect the heck out of anyone who does incident response, malware analysis or pentesting on a daily basis, but my interest isn’t normally in that direction. So inspired by a recent re-post by grecs, “Determining Safe Websites in 3 Easy Steps,” I thought I’d share my own cheat sheet of online tools I use to quickly check links, attachments, IPs and domains. There’s definitely some duplication and some tools are more useful than others. I’m sure it might be remedial for some, but I tend to be a bit obsessive when collecting resources. If anyone has additions, I’d love to hear about them.
First, some online network tools.
As much as I would prefer to use dig, whois, etc. from a shell, many organizations block outbound whois (TCP port 43) or only allow DNS through their internal resolvers, so a web front end is often the only option.
Network-Tools.com offers several online services, including domain lookup, IP lookup, whois, traceroute, URL decode/encode, HTTP headers and SPAM blocking list.
CentralOps Online Network tools offers domain and other advanced Internet utilities from a web interface.
Shadowserver's Whois and DNS lookups return ASN and BGP prefix information for an IP. Unlike the two sites above there is no web form: you run whois against the Shadowserver whois server or send DNS TXT queries to their DNS-based service, so it is only useful if one of those protocols is allowed out of your network.
The remaining online services below are a collection of tools for checking URLs, files and IP addresses against malware lists and reputation or block lists of some kind.
Malware Analysis and Malicious IP search are two custom Google searches created by Alexander Hanel. Malware Analysis searches over 155 URLs related to malware analysis, AV reports, and reverse engineering. Malicious IP searches CBL, projecthoneypot, team-cymru, shadowserver, scumware, and centralops.
Vulnerability Search is another custom Google search created by Corey Harrell (of Journey into Incident Response Blog). It searches specific websites related to software vulnerabilities and exploits, such as 1337 day, Packetstorm Security, Full Disclosure, and others.
Scumware.org searches for malware hashes, IP reputation, domain and URL searches. You’ll have to deal with a captcha though.
Malware Domain List checks domains and IPs for malware.
ZeuS Tracker provides a domain and IP block list related to ZeuS.
Unmask Parasites checks for websites that are hacked and infected.
adopstools scans Flash files, local or remote.
Malware Patrol provides block lists of malicious URLs, which can be used for anti-spam, anti-virus and web proxy systems.
Malware Domains offers block lists for DNS sinkholes.
Anubis checks Windows executables, Android APKs, and URLs and generates a report for identification of possible malware.
Malware URL checks websites/URLs against known malware list.
VirusTotal analyzes URLs and files, and also lets you search by hash (MD5) so you can check a file without uploading it.
Composite Block List (CBL) checks whether an IP is listed and, if it is, tells you why it was listed.
IPVoid is another aggregate of blocking lists. You can check an IP to see if it’s on any block lists.
URLVoid is a website reputation and blacklist check tool.
ESET is an online virus scanner.
ISC Tools checks domain and IP information. It also aggregates blackhole/bogon/malware feeds and has links to many other tools as well.
ISC Hash Database allows searching of the NIST National Software Reference Library (NSRL) for files matching your hash. Note that the NSRL is a list of known published software, so a match tells you a file is known-good (or at least known), not that it is malicious.
Clean MX Realtime Database performs spam URI and domain checks.
Malc0de performs IP checks and offers other information.
Bit9 File Advisor provides metadata (origin, size, publisher, source, etc.) on software files. You can look up metadata on up to 10 files a day.
Team Cymru Malware Hash Registry offers a lookup service for malware hashes (MD5 or SHA-1) via Whois, DNS, HTTP, HTTPS, a Firefox add-on or the WinMHR application.
Other Team Cymru Community Services include Bogon reference, Darknet Project, IP to ASN Mapping, and Totalhash Malware Analysis.
viCheck.CA provides tools for searching their malware hash registry, decoding various file formats, parsing email headers, performing IP/Domain Whois lookups, and analyzing files for potential malware.
Jotti allows searches for potential malware via hashes.
AlienVault Reputation Monitoring is a free service that alerts users when the domains or IPs they monitor show up in AlienVault's reputation data as compromised.
ThreatExpert provides online file and memory scanning.
Eureka! is an automated malware analysis service that uses a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing.
Document Analyzer checks PDF, DOC, PPT, XLS, DOCX, PPTX, XLSX, RTF files for malware. It’s based on Joe Sandbox Desktop.
File Analyzer checks behavior of potentially malicious executables. It’s also built on top of Joe Sandbox.
Malwr is a malware analysis service based on the Cuckoo sandbox.
ThreatTrack Security performs behavioral analysis on potential malware in a public sandbox.
XecScan Rapid APT Identification Service provides analysis of unknown files or suspicious documents.
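Two of the services above, Shadowserver and Team Cymru, can be queried over plain DNS, which is handy when whois is blocked but port 53 is open. The following is an added example for this post, not Team Cymru's or Shadowserver's own code: it builds the query names for Team Cymru's Malware Hash Registry and IP-to-ASN mapping and parses the TXT answers. The answer layouts follow Team Cymru's published documentation; the sample answers are constructed to mirror that format and are not live data; the resolver is injected as a callable so the module runs offline, and the suggestion to plug in dnspython for real lookups is my assumption, not something the post recommends. Shadowserver's DNS service works on the same principle but returns a different field layout, so check its documentation before reusing the parser.

```python
"""
Query-name construction and TXT-answer parsing for Team Cymru's DNS-based
Malware Hash Registry (MHR) and IP-to-ASN mapping.  Added example for this
post; not Team Cymru's own code.  Sample answers below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

MHR_ZONE = "malware.hash.cymru.com"      # <md5|sha1>.malware.hash.cymru.com TXT
ORIGIN_ZONE = "origin.asn.cymru.com"     # <reversed-octets>.origin.asn.cymru.com TXT

# A resolver returns the TXT record text for a name, or None on NXDOMAIN.
# For live use, plug in a real TXT lookup (assumption: dnspython's
# dns.resolver.resolve(name, "TXT")); nothing here talks to the network.
Resolver = Callable[[str], Optional[str]]


@dataclass
class MhrHit:
    last_seen: datetime   # when MHR last saw the sample (UTC)
    detection_pct: int    # percentage of AV engines that flagged it


@dataclass
class AsnOrigin:
    asns: List[int]       # an IP may be originated by more than one AS
    prefix: str
    country: str
    registry: str
    allocated: str


def mhr_qname(file_hash: str) -> str:
    """MHR accepts MD5 or SHA-1 only; the hash itself is the left-most label."""
    h = file_hash.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}", h):
        raise ValueError("MHR accepts MD5 or SHA-1 hashes only")
    return f"{h}.{MHR_ZONE}"


def origin_qname(ip: str) -> str:
    """The IP-to-ASN zone wants the octets reversed, as in in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)           # raises ValueError on garbage
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{ORIGIN_ZONE}"


def lookup_hash(file_hash: str, resolve: Resolver) -> Optional[MhrHit]:
    """Answer is "<unix-timestamp> <detection-percent>"; NXDOMAIN means unknown."""
    txt = resolve(mhr_qname(file_hash))
    if txt is None:
        return None
    ts, pct = txt.strip('"').split()
    return MhrHit(datetime.fromtimestamp(int(ts), tz=timezone.utc), int(pct))


def lookup_origin(ip: str, resolve: Resolver) -> Optional[AsnOrigin]:
    """Answer is "ASN [ASN ...] | prefix | CC | registry | allocated-date"."""
    txt = resolve(origin_qname(ip))
    if txt is None:
        return None
    fields = [f.strip() for f in txt.strip('"').split("|")]
    if len(fields) < 5:
        raise ValueError(f"unexpected origin answer: {txt!r}")
    asns = [int(a) for a in fields[0].split()]
    return AsnOrigin(asns, fields[1], fields[2], fields[3], fields[4])


# Constructed sample answers in the documented format (not live data).
SAMPLE_ANSWERS: Dict[str, str] = {
    "733a48a9cb49651d72fe824ca91e8d00.malware.hash.cymru.com": '"1277221946 79"',
    "31.108.90.216.origin.asn.cymru.com":
        '"23028 | 216.90.108.0/24 | US | arin | 1998-09-25"',
}


def sample_resolver(qname: str) -> Optional[str]:
    """Stand-in for a DNS TXT lookup; unknown names behave like NXDOMAIN."""
    return SAMPLE_ANSWERS.get(qname)


def triage(file_hash: str, ip: str, resolve: Resolver = sample_resolver) -> Dict[str, object]:
    """One-shot check of a hash and an IP, the way you'd run it from a script."""
    hit = lookup_hash(file_hash, resolve)
    origin = lookup_origin(ip, resolve)
    return {
        "hash_known": hit is not None,
        "detection_pct": hit.detection_pct if hit else None,
        "asns": origin.asns if origin else None,
        "prefix": origin.prefix if origin else None,
    }


if __name__ == "__main__":
    print(triage("733a48a9cb49651d72fe824ca91e8d00", "216.90.108.31"))
```

Two things worth keeping in mind when you use the real service: an NXDOMAIN from MHR only means the hash is unknown to it, not that the file is clean, and the origin answer can carry several ASNs in the first field when a prefix is multi-originated, which is why the parser returns a list rather than a single number.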
(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Resources. @grecs)
Today’s post pic is from InfosecInstitute.com.