Virus Blog

CaptureHPC - detecting malicious websites

— Posted by zeroq @ 23:18 - 10 Dec, 2009
We are currently experimenting with the honeyclient solution CaptureHPC. We have written our own scheduler and client handler in Python and use the Capture client application only to monitor changes on the host. We still have some instability, but things are getting better. We hope to release our code soon.
 
Our current setup consists of 3 CaptureHPC clients running in parallel. Our URL database is filled by extracting URLs from the Google search engine after searching for keywords retrieved from Google Trends.
We have detected the following URLs as malicious during the last few days (visit at your own risk):
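The two pieces described above, a scheduler that fans URLs out to several Capture clients in parallel and a handler that turns the host changes reported by a client into a verdict, are sketched here as an added example. This is not the blog's scheduler or any part of CaptureHPC; the Event format, the exclusion patterns, the simulated client and the URLs are all constructed for illustration. The detection idea is the honeyclient one: a visit is malicious when the host changes it causes are not covered by a list of known-benign browser activity.

```python
"""Toy honeyclient scheduler and client handler (constructed example).

Not CaptureHPC's code and not its log format: the Event record, the
exclusion patterns and the simulated client below are assumptions made
for this example only.
"""
import queue
import re
import threading
from dataclasses import dataclass


@dataclass
class Event:
    kind: str    # "file", "process" or "registry"
    action: str  # e.g. "Write", "Create", "SetValue"
    actor: str   # process that caused the change
    target: str  # file path, created image or registry key


# Known-benign browser activity: (kind, regex on actor, regex on target).
# Same idea as CaptureHPC's exclusion lists; these patterns are assumptions.
EXCLUSIONS = [
    ("file", r".*\\iexplore\.exe", r".*\\Temporary Internet Files\\.*"),
    ("file", r".*\\iexplore\.exe", r".*\\Cookies\\.*"),
    ("registry", r".*\\iexplore\.exe", r"HKCU\\Software\\Microsoft\\Internet Explorer\\.*"),
]


def is_benign(ev: Event) -> bool:
    """True when an exclusion entry covers this change."""
    for kind, actor_re, target_re in EXCLUSIONS:
        if (ev.kind == kind
                and re.fullmatch(actor_re, ev.actor, re.I)
                and re.fullmatch(target_re, ev.target, re.I)):
            return True
    return False


def verdict(events):
    """Classify one visit: anything outside the exclusion list is suspicious."""
    suspicious = [ev for ev in events if not is_benign(ev)]
    return {"status": "malicious" if suspicious else "clean",
            "suspicious": suspicious}


def run_scheduler(urls, visit, clients=3):
    """Drive `clients` workers in parallel. `visit(url)` stands in for sending
    a URL to one Capture client VM and returns the events it observed; a
    client that fails is recorded as an error and the others keep going."""
    todo = queue.Queue()
    for url in urls:
        todo.put(url)
    results, lock = {}, threading.Lock()

    def worker():
        while True:
            try:
                url = todo.get_nowait()
            except queue.Empty:
                return
            try:
                result = verdict(visit(url))
            except Exception as exc:  # hung or crashed client
                result = {"status": "error", "suspicious": [], "reason": str(exc)}
            with lock:
                results[url] = result

    threads = [threading.Thread(target=worker) for _ in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


# Constructed observations standing in for what three client VMs might report.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
TIF = r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5"
SIMULATED = {
    "http://benign.example/": [
        Event("file", "Write", IE, TIF + r"\index.dat"),
    ],
    "http://bad.example/cgi-bin/ae": [
        Event("file", "Write", IE, TIF + r"\page.htm"),
        Event("file", "Write", IE, r"C:\WINDOWS\system32\drivers\etc\hosts"),
        Event("process", "Create", IE,
              r"C:\Documents and Settings\user\Local Settings\Temp\ae.exe"),
    ],
    "http://flaky.example/": None,  # client never reports back
}


def simulated_visit(url):
    events = SIMULATED[url]
    if events is None:
        raise RuntimeError("client did not report back")
    return events


if __name__ == "__main__":
    for url, res in run_scheduler(list(SIMULATED), simulated_visit).items():
        print(url, res["status"], [f"{e.kind}:{e.target}" for e in res["suspicious"]])
```

The exclusion list is the security-relevant knob: too narrow and every cache write becomes a false positive, too broad and a dropper that writes under the browser's own temp directory is missed. A real run also hashes any dropped file (the MD5s listed below) and resets the VM after each visit so one infection cannot taint the next URL's verdict.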
 
www.icelebz.com/ celebs/ gisele_bundchen/ videos/
MD5: f4de2c9f6e6b3ff2e6d2fcd77b9e41ee - Mal/FakeAV-BP
www.experiencefestival.com/ forum/ news-vitamins/ 263373-vitamin-d-benefits-wwlp-22news.html
MD5: 676399393b565ab1d4808600e337364a - TR/Dropper.Gen
www.gamesurge.com/ strategies/ Gameboy/ Walkthroughs-P/ Pokemon%20Missingno.shtml
MD5: 0f0d609ddad379a65f7ad08323446ddf - Trojan-Spy.Win32.Zbot.gen
www.submitrightnow.com/ mindy_lawton_tiger_woods
MD5: ab92cc8f7abeafffc9b588eda2f968cd - Trojan.Win32.Bredolab.Gen.1
izediotia.info/ cgi-bin/ ae
MD5: 7231cf09b088a8fc4375aed27638f1d9 - Trojan:Win32/Alureon.DA
 
These URLs were all detected within the last four days. The scary thing is how low the detection rate of current antivirus software is for these samples.