How to evaluate a suspicious web site without visiting it

June 27, 2010

This will show how you can evaluate a suspicious web site without having to visit it. Once you are familiar with the process, you can follow it in whatever order you prefer.

You may wish to begin by bookmarking the following resources:

Information about the website:
URLVoid
McAfee SiteAdvisor
Google Safe Browsing
TrustedSource
Malware Domain List
Google

Information about the domain name registration and IP ownership:
Robtex
DomainTools

Remote viewing of the web site:
Web Sniffer

Analysis of files downloaded from the web site:
VirusTotal
Comodo Instant Malware Analysis
Wepawet

The quickest way to start is to take a look at the web site's reputation on McAfee SiteAdvisor, Google Safe Browsing, TrustedSource, and Malware Domain List (you can also search all of these through a single web site by using URLVoid). One thing that must be mentioned is to take the user feedback on McAfee SiteAdvisor with a grain of salt. Some people will classify a good web site as bad for completely invalid reasons (you can test this theory by entering the names of various antivirus vendors' web sites in SiteAdvisor), and others, perhaps those involved with the web site, sometimes classify known malicious sites as good. Obviously those who back up their claims with a citation or reference carry more weight than those who simply say the site is bad without justifying why.

For Google Safe Browsing, you will need to specify the domain name of the web site within the URL listed above. The bookmark above uses "example.com" so simply swap this value with the domain name of the web site you are examining.

If the site in question is fairly new and none of the links above yield conclusive results, simply try entering the web site name in Google to find any references of people reporting malicious activity related to that site.

Now that you have seen what others say about the site, if you still have reasons to be suspicious you can proceed with your own investigation as described below.

Use Web Sniffer to view the HTTP responses from the web site remotely. In essence Web Sniffer will contact the site on your behalf and return the results to you as text (try it with www.cnn.com to get the idea). This does however require some knowledge of HTML and JavaScript, an understanding of the HTTP protocol and of how web servers normally operate, and the ability to recognize various obfuscation techniques, since most malware authors try to make their code difficult to analyze in order to give antivirus vendors (and security researchers) a hard time. Given that certain sites look at the User-Agent header of the browser making the request and only push exploits to those who meet certain criteria (e.g. those running Internet Explorer 6), make sure to specify the proper user agent information when using Web Sniffer. Also note that certain malicious sites are designed to only try to infect a visitor once per visit, to make it harder for security researchers to analyze the site. So if with Web Sniffer you get a suspicious response on the first request and a benign response (using the same URL) on the second or third request, treat this as suspect.

If through Web Sniffer you spotted some suspicious JavaScript, go to Wepawet and enter the same URL for analysis, specifying "JavaScript" as the resource. This will analyze the JavaScript for malicious code. If through Web Sniffer you notice any redirects to a different site, make sure to analyze those sites as well: although redirects have legitimate uses, they are also commonly used for malicious purposes.
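As an added example (not part of the original post, and not Web Sniffer's or Wepawet's own code), here is the triage described above applied to a Web Sniffer style capture: it pulls out the other sites the page sends a visitor to, flags the usual obfuscation constructs, and compares two fetches of the same URL for the "suspicious first, clean afterwards" behaviour. The two responses are constructed for the example and do not come from any real site.

```python
import re
# Constructed sample responses (not from any real site): the same URL fetched twice.
FIRST_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html

<script>var s = unescape("%3C%69%66%72%61%6D%65%20%73%72%63"); eval(s);</script>
<iframe src="http://other-domain.example/in.php" width="0" height="0"></iframe>
<meta http-equiv="refresh" content="0;url=http://third.example/go">
"""
SECOND_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html

<p>Welcome to our site.</p>
"""
# Constructs that commonly appear when script is written to resist casual reading.
OBFUSCATION_MARKERS = {
    "eval": r"\beval\s*\(",
    "unescape": r"\bunescape\s*\(",
    "fromCharCode": r"String\.fromCharCode",
    "document.write": r"document\.write\s*\(",
    "percent-encoded run": r"(?:%[0-9A-Fa-f]{2}){8,}",
    "hex-escape run": r"(?:\\x[0-9A-Fa-f]{2}){8,}",
}

def split_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *header_lines = head.splitlines()
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    return status, headers, body

def find_redirects(headers, body):
    # Every other place the page sends the visitor: Location header, meta refresh,
    # iframes (which pull in another site much like a redirect) and JS location changes.
    targets = [headers["location"]] if "location" in headers else []
    targets += re.findall(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', body, re.I)
    targets += re.findall(r'<iframe[^>]+src=["\']([^"\']+)', body, re.I)
    targets += re.findall(r'location(?:\.href)?\s*=\s*["\']([^"\']+)', body, re.I)
    return targets

def triage(raw):
    status, headers, body = split_response(raw)
    return {"status": status, "redirects": find_redirects(headers, body),
            "obfuscation": [n for n, p in OBFUSCATION_MARKERS.items() if re.search(p, body)]}

def once_per_visit(first, second):
    """True when the first fetch looked suspicious but a repeat of the same URL came back clean."""
    a, b = triage(first), triage(second)
    return bool((a["redirects"] or a["obfuscation"]) and not (b["redirects"] or b["obfuscation"]))
```

Each URL returned in "redirects" is a site to run through the same checks; each name in "obfuscation" is a reason to hand the script to Wepawet.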

In Google, do a search for site:sitename (for example, site:example.com) to see all the pages that Google found on that specific site, assuming that Google was able to index the site. Based on the type of content that is found, you should be able to see whether the site appears to have a legitimate purpose or not.

Also use Robtex or DomainTools (or the default whois client if you are using Linux) to look at the registration information for the web site. Things that raise suspicion are web sites that have been registered recently, or web sites with contact information in countries that are frequent sources of cybercrime (not to create bias, but after you have done this for some time you will notice a pattern of the same offending countries repeating). You can also try a simple Google search for the registrant contact e-mail address to see whether it is associated with other known malicious sites, as the same contact information is frequently used by the same person to register multiple bad sites.

Although not as reliable, get the IP address of the web site (you can use Robtex or the nslookup and ping commands on your computer) and do a reverse lookup to see whether other sites are hosted on the same IP address. If you notice that multiple malicious sites are hosted on the same IP, this can be a sign that the web site you are investigating may also be bad. You can also look up the ownership of the IP address and see whether it is registered to an organization with a history of hosting questionable sites.
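As an added example (not part of the original post), a small helper for the registration check above: it reads the creation date out of a whois record, accepting the field names and date formats different registries use, works out how recently the domain was registered, and pulls the registrant address you would pivot on in a search for other domains. The whois record is constructed with placeholder values, not a real registration.

```python
import re
from datetime import date, datetime

# Constructed whois output with placeholder values (not a real registration record).
WHOIS_SAMPLE = """Domain Name: EXAMPLE-SUSPECT.COM
Registrar: Placeholder Registrar, Inc.
Creation Date: 2010-06-20T14:03:11Z
Updated Date: 2010-06-20T14:03:11Z
Registrant Email: registrant@placeholder.example
Name Server: NS1.PLACEHOLDER.EXAMPLE
"""

# Registries label the same field differently; match the common spellings on their own line.
CREATED_FIELD = r"(?im)^(?:Creation Date|created|Registered on|Registration Date)\s*:\s*(.+)$"
EMAIL_FIELD = r"(?im)^Registrant (?:Contact )?Email\s*:\s*(\S+)$"
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")

def parse_created(record):
    """Return the creation date as a date, or None if no recognised field or format is present."""
    m = re.search(CREATED_FIELD, record)
    if not m:
        return None
    raw = m.group(1).strip()
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    return None

def registrant_email(record):
    m = re.search(EMAIL_FIELD, record)
    return m.group(1).lower() if m else None

def whois_flags(record, today_iso, young_days=30):
    """Age of the registration on the given day (ISO date string), whether it counts as
    recently registered (threshold is an assumption), and the contact address to search on."""
    created = parse_created(record)
    age = None if created is None else (date.fromisoformat(today_iso) - created).days
    return {"age_days": age,
            "recently_registered": age is not None and age < young_days,
            "registrant_email": registrant_email(record)}
```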

If at this point you still do not know whether the site is malicious or not, you should at least know whether the site appears to have a legitimate purpose. The next step, if you want to continue investigating the site, would be to access it using either VMware or a Live CD. If you wish to capture specific files from the web site so that you can upload them to VirusTotal or Comodo Instant Malware Analysis for malware analysis, you should use wget to download the files into a temporary folder so that you are still not accessing the web site with your default web browser. However, repeating the earlier point that certain web sites respond differently based on the user agent string of the browser making the request (and some malicious sites respond unfavourably to wget, as it is often used by security researchers rather than by a prospective victim using Internet Explorer 5.5 on Windows ME), you should forge the user agent field so that the web site believes the request is coming from a Windows computer running Internet Explorer. For example, to download the file "http://example.com/filename.pdf" with wget while spoofing the user agent of Internet Explorer 7 on Windows XP SP2, the command would be: wget --user-agent="Mozilla/4.0 (Windows; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" http://example.com/filename.pdf (see our wget usage examples page for more information on wget).

Finally, if you deemed the site trustworthy but still want to take additional precautions while visiting it with your regular browser, at the very least confirm that your operating system, web browser and plugins (especially Adobe Flash) are up to date, disable JavaScript in your browser (although this may prevent normal functionality on the site) and run your web browser from a user account with minimal privileges. Certain antivirus products have options to further lock down your computer or browser, such as preventing programs or scripts from running in the temporary folder (again, this may "break" normal functionality). If you notice a suspicious pop-up message while visiting the site, in Windows use Task Manager to kill your current browser process.


Originally posted October 19, 2009