Malware Analysis and Incident Response for the Lazy

Malware Analysisby Michele “MrsY” Chubirka

If you’ve listened to my podcast, Healthy Paranoia (insert shameless plug here), I’m more builder than breaker or even analyst. Not that I don’t respect the heck out of anyone who does incident response, malware analysis or pentesting on a daily basis, but my interest isn’t normally in that direction. So inspired by a recent re-post by grecs, “Determining Safe Websites in 3 Easy Steps,” I thought I’d share my own cheat sheet of online tools I use to quickly check links, attachments, IPs and domains. There’s definitely some duplication and some tools are more useful than others. I’m sure it might be remedial for some, but I tend to be a bit obsessive when collecting resources. If anyone has additions, I’d love to hear about them.

First, some online network tools.

As much as I would prefer to use dig, whois, etc., many organizations block or restrict the use of these tools. offers several online services, including domain lookup, IP lookup, whois, traceroute, URL decode/encode, HTTP headers and SPAM blocking list.

CentralOps Online Network tools offers domain and other advanced Internet utilities from a web interface.

Shadowserver Whois and DNS lookups check ASN and BGP information. To utilize this service, you need to run whois against the shadowserver whois system or DNS queries against their DNS system.

The remaining online services below is a collection of tools for checking URLs, files, IP address lists for the appearance on a malware, or reputation/block list of some kind.

Malware Analysis and Malicious IP search are two custom Google searches created by Alexander Hanel. Malware Analysis searches over 155 URLS related to malware analysis, AV reports, and reverse engineering. Malicious IP searches CBL, projecthoneypot, team-cymru, shadowserver, scumware, and centralops.

Vulnerability Search is another custom Google search created by Corey Harrell (of Journey into Incident Response Blog). It searches specific websites related to software vulnerabilities and exploits, such as 1337 day, Packetstorm Security, Full Disclosure, and others. searches for malware hashes, IP reputation, domain and URL searches. You’ll have to deal with a captcha though.

Malware Domain List checks domains and IPs for malware.

ZeuS Tracker provides a domain and IP block list related to ZeuS.

Wepawet is a free service, for non-commercial organizations, to detect and analyze web-based threats. It currently handles Flash, JavaScript, and PDF files.

Unmask Parasites checks for websites that are hacked and infected.

adopstools scans Flash files, local or remote.

Malware Patrol provides block lists of malicious URLs, which can be used for anti-spam, anti-virus and web proxy systems.

Malware Domains offers block lists for DNS sinkholes.

Anubis checks Windows executables, Android APKs, and URLs and generates a report for identification of possible malware.

Malware URL  checks websites/URLs against known malware list.

VirusTotal analyzes URLs or files as well as allows MD5 searches.

Composite Block List can check an IP to see if it’s on multiple block lists and it will tell you if blocked, then who blocked it or why.

IPVoid is another aggregate of blocking lists. You can check an IP to see if it’s on any block lists.

URLVoid is a website reputation and blacklist check tool.

ESET is an online virus scanner.

ISC Tools checks domain and IP information. It also aggregates blackhole/bogon/malware feeds and has links to many other tools as well.

ISC Hash Database allows searching of the NIST National Software reference Library for files matching your hash.

Clean MX Realtime Database performs spam URI and domain checks.

Malc0de performs IP checks and offers other information.

Bit9 File Advisor provides metadata (origin, size, publisher, source, etc.) on software files. You can look up metadata on up to 10 files a day.

Team Cymru Malware Hash Registry offers a lookup service on malware via Whois, DNS, HTTP, HTTPS, Firefox add-on or WinMHR application

Other Team Cymru Community Services include Bogon reference, Darknet Project, IP to ASN Mapping, and Totalhash Malware Analysis.

viCheck.CA provides tools for searching their malware hash registry, decoding various file formats, parsing email headers, performing IP/Domain Whois lookups, and analyzing files for potential malware.

Jotti allows searches for potential malware via hashes.

AlienVault Reputation Monitoring is a free service that allows users to receive alerts of when domains or IPs become compromised.

ThreatExpert provides online file and memory scanning.

Comodo Instant Malware Analysis and file analysis with report.

Eureka! is an automated malware analysis service that uses a novel binary unpacking strategy based on statistical  bigram analysis and coarse-grained execution tracing.

Document Analyzer checks PDF, DOC, PPT, XLS, DOCX, PPTX, XLSX, RTF files for malware. It’s based on Joe Sandbox Desktop.

File Analyzer checks behavior of potentially malicious executables. It’s also built on top of Joe Sandbox.

Malwr is a malware analysis service based on the Cuckoo sandbox.

ThreatTrack Security performs behavioral analysis on potential malware in a public sandbox.

XecScan Rapid APT Identification Service provides analysis of unknown files or suspicious documents.

(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Resources. [email protected]grecs)


Today’s post pic is from

18 comments for “Malware Analysis and Incident Response for the Lazy

  1. December 23, 2013 at 10:15 pm

    BLOGGED: Malware Analysis and Incident Response for the Lazy

  2. December 23, 2013 at 10:57 pm

    #Malware Analysis and Incident Response for the Lazy

  3. December 23, 2013 at 11:31 pm

    Check that suspicious IP/link/file/hash/etc online. Tools for the lazy but #paranoid. #malware

  4. December 24, 2013 at 2:23 am

    “#Malware Analysis and Incident Response for the Lazy” #pentest

  5. December 24, 2013 at 6:01 am

    Malware Analysis and Incident Response for the Lazy

  6. December 24, 2013 at 8:08 am

    Malware Analysis and Incident Response for the Lazy

  7. December 24, 2013 at 9:19 am

    Malware Analysis and Incident Response for the Lazy –

  8. December 24, 2013 at 10:24 am

    Malware Analysis and Incident Response for the Lazy

  9. December 25, 2013 at 11:56 am

    #Malware Analysis and Incident Response for the Lazy
    #infosec #cybersecurity #security

  10. December 26, 2013 at 5:35 am

    Malware Analysis and Incident Response tools.

  11. December 27, 2013 at 11:01 am

    Malware Analysis and Incident Response for the Lazy – find out more here #infosec

  12. December 27, 2013 at 5:02 pm

    Malware Analysis and Incident Response for the Lazy – find out more here #infosec

  13. February 9, 2014 at 12:54 pm

    Check out Bromium’s LAVA(Live Attack Visualization Analysis) This is a Malware Analyst dream!

  14. February 9, 2014 at 8:35 pm

    Jim: Thanks for the input. Will need to check this out!

  15. February 10, 2016 at 8:51 am RT Csirtcv: Malware Analysis and Incident Response for the Lazy

  16. February 11, 2016 at 11:52 am

    A fantastic list of malware and incident response for, as the author puts it, the lazy. #infosec #CIO

  17. March 6, 2016 at 1:52 pm

    #Malware #Analysis and Incident Response for the Lazy #infosec #security

  18. James
    February 8, 2018 at 10:30 am

    Check out It’s a minimal and simple Threat Intelligence Anti-Abuse API.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.