Graphing Suspicious URL Relationships

10,000 websites have been compromised to redirect users to a new exploit toolkit called Nice Pack. Discovered Wednesday, it attempts to take advantage of flaws in users’ third-party apps, such as Java and Adobe, to install the “Zero Access Trojan”. Malicious URLs are not always tied to a single domain: attackers usually place redirects on many different domains so that the real malware source stays unknown to the legitimate user. For example, you can check all of a user's browsing history to identify the malicious domain that infected the victim's computer, yet the malicious website will not appear anywhere in that previous navigation. Techniques used by malware writers may include a redirect with malicious JavaScript, an embedded iframe, or other factors.

Now you can display all previous activity by capturing the HTTP requests with a simple sniffer and find out what the computer really downloaded while browsing certain websites. For this you can use one of the previously mentioned utilities such as Wireshark, tshark or tcpdump.

Next, for a fast and clear result, you can also use jsunpack-n to graph URL relationships in packet captures and determine the steps that led to a compromise. jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:

  • PDF files – samples/sample-pdf.file
  • Packet Captures – samples/sample-http-exploit.pcap
  • HTML files
  • JavaScript files
  • SWF files

This project contains the source code that runs at the project's website, where users can upload files, or enter script contents and URLs to decode. If you choose to install jsunpack-n on your own system, you can run it with the following command to fetch and decode a URL:

$ ./ -u URL

Optionally, you can specify the -a option, which fetches further decoded URLs or paths. If you wish to decode a local file instead, you can simply run:

$ ./ samples/sample-pdf.file

The result is a graph that describes the real URL relationships, as follows:

The tool gives you a quick and clear graphical report of the domains involved.
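To show what such a URL-relationship graph contains and how it reveals the redirect steps behind a download, here is an added Python example (not jsunpack-n's own code). It works on a constructed sample of sniffed HTTP requests with placeholder hostnames, builds the Referer graph, and traces each suspicious download back to the page the user actually visited:

```python
# Added example (not jsunpack-n's own code): build a URL-relationship graph
# from sniffed HTTP requests and trace the redirect chain behind a download.
from urllib.parse import urlparse

# Constructed sample of (url, referer, content_type) tuples, as a sniffer such
# as tshark would expose them; all hostnames are placeholders.
REQUESTS = [
    ("http://news.example/index.html", None, "text/html"),
    ("http://news.example/ads.js", "http://news.example/index.html", "application/javascript"),
    ("http://redir.example/go.php", "http://news.example/index.html", "text/html"),
    ("http://kit.example/landing.php", "http://redir.example/go.php", "text/html"),
    ("http://kit.example/j.jar", "http://kit.example/landing.php", "application/java-archive"),
    ("http://kit.example/payload.exe", "http://kit.example/landing.php", "application/x-msdownload"),
]

SUSPICIOUS_TYPES = {"application/java-archive", "application/x-msdownload"}  # unexpected from a news site

def build_graph(requests):
    """Map each requested URL to the URL that referred to it (child -> parent)."""
    return {url: referer for url, referer, _ in requests}

def trace_chain(parent, url):
    """Walk Referer links back from url to the page the user actually visited."""
    chain, seen = [url], {url}
    while parent.get(chain[-1]) and parent[chain[-1]] not in seen:  # loop guard
        chain.append(parent[chain[-1]])
        seen.add(chain[-1])
    return chain[::-1]

def find_compromise_chains(requests):
    """Return (chain, domains) for every suspicious download in the capture."""
    parent = build_graph(requests)
    results = []
    for url, _, ctype in requests:
        if ctype in SUSPICIOUS_TYPES:
            chain = trace_chain(parent, url)
            domains = list(dict.fromkeys(urlparse(u).netloc for u in chain))
            results.append((chain, domains))
    return results

def to_dot(requests):
    """Emit Graphviz DOT text so the relationships can be drawn."""
    edges = [f'  "{r}" -> "{u}";' for u, r, _ in requests if r]
    return "\n".join(["digraph urls {", *edges, "}"])

if __name__ == "__main__":
    for chain, domains in find_compromise_chains(REQUESTS):
        print(" -> ".join(chain), "| domains:", ", ".join(domains))
    print(to_dot(REQUESTS))
```

The chain for the executable runs news.example -> redir.example -> kit.example, which is exactly why a search of the browsing history for the final domain alone finds nothing.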


Malware Analyst’s Cookbook: