Graphing Suspicious URL Relationships

10,000 websites have been compromised to redirect users to a new exploit toolkit called Nice Pack. Discovered Wednesday, the kit attempts to take advantage of flaws in users’ third-party apps, such as Java and Adobe, to install the “Zero Access Trojan”. Malicious URLs are not always tied to a single domain: attackers mostly place redirects on many different domains so that the real malware source stays unknown to the legitimate user. For example, you can check a user’s full browsing history to identify the malicious domain that infected the victim’s computer and still not find the malicious website anywhere in the previous navigation. Techniques used by malware writers may include a redirection with malicious JavaScript, an embedded iframe, or other factors.

Now you can display all previous activity by capturing HTTP requests with a simple sniffer and find out what the computer really downloaded while browsing certain websites. For this you can use one of the previously mentioned utilities such as Wireshark, tshark or tcpdump.

Next, for a fast and clear result, you can also consider jsunpack-n to graph URL relationships in packet captures and determine the steps that led to a compromise. jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:

  • PDF files – samples/sample-pdf.file
  • Packet Captures – samples/sample-http-exploit.pcap
  • HTML files
  • JavaScript files
  • SWF files

This project contains the source code which runs at the website. Users can upload files, or enter script contents and URLs to decode. If you choose to install jsunpack-n on your own system, you can run it with the following command to fetch and decode a URL:

$ ./ -u URL

Optionally, you can specify the -a option, which fetches further decoded URLs or paths. If you wish to decode a local file instead, you can simply run:

$ ./ samples/sample-pdf.file

As a result you can have a graph that describes the real URL relationships as follows:

You can use the tool to produce a quick and clear graph of domain relationships.
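As an added example (not code from the original post or from jsunpack-n), the following Python builds the same kind of URL relationship graph from captured HTTP requests by linking each request to its Referer, then walks the chain back from a suspicious download to the page the victim actually visited. The capture lines and hostnames are constructed placeholders.

```python
from collections import defaultdict
# Constructed sample: raw HTTP request headers as a sniffer would capture them,
# in the order they were sent. Hostnames are hypothetical placeholders.
SAMPLE_CAPTURE = [
    "GET /index.html HTTP/1.1\r\nHost: news.example\r\n\r\n",
    "GET /banner.js HTTP/1.1\r\nHost: ads.example\r\n"
    "Referer: http://news.example/index.html\r\n\r\n",
    "GET /go.php?id=7 HTTP/1.1\r\nHost: redir.example\r\n"
    "Referer: http://ads.example/banner.js\r\n\r\n",
    "GET /landing.html HTTP/1.1\r\nHost: kit.example\r\n"
    "Referer: http://redir.example/go.php?id=7\r\n\r\n",
    "GET /exploit.pdf HTTP/1.1\r\nHost: kit.example\r\n"
    "Referer: http://kit.example/landing.html\r\n\r\n",
]

def parse_request(raw):
    """Return (url, referer) for one raw HTTP request; referer is None if absent."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not an HTTP request line
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = f"http://{headers.get('host', '')}{parts[1]}"
    return url, headers.get("referer")

def build_graph(raw_requests):
    """Forward map referer -> fetched URLs; reverse map URL -> first observed referer."""
    forward, backward = defaultdict(list), {}
    for raw in raw_requests:
        parsed = parse_request(raw)
        if parsed and parsed[1]:
            url, referer = parsed
            forward[referer].append(url)
            backward.setdefault(url, referer)
    return forward, backward

def redirect_chain(backward, url):
    """Walk Referer links backwards from a suspicious URL to the page the user visited."""
    chain, seen = [url], {url}
    # The seen set stops the walk if two pages refer to each other.
    while chain[-1] in backward and backward[chain[-1]] not in seen:
        chain.append(backward[chain[-1]])
        seen.add(chain[-1])
    return chain[::-1]
```

The forward map is the edge list of the graph; each `referer -> url` pair can be written out as a Graphviz edge to draw the same picture jsunpack-n produces.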


Malware Analyst’s Cookbook:


This is copied straight out of malware analyst’s cookbook. You even used the sample pcap to generate the same image used in the book. 


Hello Sir,

I already posted about your book several times on my blog. For the graph, I used the one from the official blog on this link, it may also belong to your book but it is just in this link:

If there is any problem I can remove it. Please tell me so I remove it if there is any problem.


I feel like you deserve the benefit of the doubt for this post, since it is published elsewhere (like the jsunpack website as you said). However, when combined with your other post ( which there is *no doubt in my mind* that you copied…I have to believe that the book also influenced this current post. Why do I have no doubts? One reason is the “oinkmaster5” ( You can’t say that’s a coincidence. No way. The other reason is you left “” in the commands: # sudo apt-get install snort # sudo wget –P /etc/snort/rules # sudo echo ‘include…


Hi Robble,

I always respect copyright and will add your link to the article, while I believe that they are totally different. Just tell me if this will be ok.