How to evaluate a suspicious web site without visiting it
This page shows how you can evaluate a suspicious web site without having to visit it. Once you are familiar with the process, you can follow the steps in whatever order you prefer.
You may wish to begin by bookmarking the following resources:

Information about the website:
    Google Safe Browsing
    Malware Domain List
Information about the domain name registration and IP ownership:
Remote viewing of the web site:
Analysis of files downloaded from the web site:
    Comodo Instant Malware Analysis
The quickest way to start is to take a look at the web site's reputation on McAfee SiteAdvisor, Google Safe Browsing, TrustedSource, and Malware Domain List (you can also search all of these through a single web site by using URLVoid). One thing that must be mentioned is to take the user feedback on McAfee SiteAdvisor with a grain of salt. Some people will classify a good web site as bad for completely invalid reasons (you can test this theory by entering the names of various antivirus vendors' web sites in SiteAdvisor), and others, perhaps those involved with the web site, sometimes classify known malicious sites as good. Obviously those who back up their claims with a citation or reference carry more weight than those who simply say the site is bad without justifying why.
For Google Safe Browsing, you will need to specify the domain name of the web site within the URL listed above. The bookmark above uses "example.com" so simply swap this value with the domain name of the web site you are examining.
If the site in question is fairly new and none of the links above yield conclusive results, simply try entering the web site name in Google to find any references of people reporting malicious activity related to that site.
Now that you have seen what others say about the site, if you still have reasons to be suspicious you can proceed with your own investigation as described below.
In Google, do a search for site:sitename (for example, site:example.com) to see all the pages that Google found on that specific site, assuming that Google was able to index the site. Based on the type of content that is found, you should be able to see whether the site appears to have a legitimate purpose or not.
Also use Robtex or DomainTools (or the default whois client if you are using Linux) and look at the registration information for the web site. Things that raise suspicion are web sites that have been registered recently, or web sites with contact information in countries that are frequent sources of cybercrime (not to create bias, but after you have done this for some time you will notice a pattern of the same offending countries repeating). You can also try a simple Google search on the web site registrant's contact e-mail address and see whether it is associated with other known malicious sites, as it frequently happens that the same person uses the same contact information to register multiple bad sites.
Although not as reliable, get the IP address of the web site (you can use Robtex or the nslookup and ping commands on your computer) and do a reverse lookup to see whether other sites are hosted on the same IP address. If you notice that multiple malicious sites are hosted on the same IP, this can be a sign that the web site you are investigating may also be bad. You can also look up the ownership of the IP address and see whether it is registered to an organization with a history of hosting questionable sites.
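The registration and reverse-lookup checks above are easy to script once the data is in hand. The following is an added example (not code from the original page) that parses a whois record in the usual "Key: value" layout, flags a recently registered domain and a registrant country on a watch list, lists other domains tied to the same registrant e-mail from a local index, and checks the other hostnames found on the suspect's IP against a local blocklist. The whois record, the .test hostnames, the watch list and the blocklist are all constructed sample data, and the 90-day "recently registered" threshold is an assumption you should tune.

```python
"""Offline triage helpers for a domain you do not want to visit.

Added example, not code from the original page. All sample records,
hostnames and lists below are constructed for demonstration.
"""
from datetime import datetime, timezone

# Constructed sample whois record; the .test TLD is reserved for examples.
SAMPLE_WHOIS = """\
% Constructed record for demonstration
Domain Name: EXAMPLE-SUSPECT.TEST
Creation Date: 2024-03-01T10:15:00Z
Registrar Registration Expiration Date: 2025-03-01T10:15:00Z
Registrant Country: XX
Registrant Email: registrant@mail.example.test
Name Server: NS1.EXAMPLE-HOST.TEST
>>> Last update of WHOIS database: 2024-04-15T00:00:00Z <<<
"""

# Date layouts commonly seen in whois output from different registries.
WHOIS_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def parse_whois(text):
    """Map lower-cased whois keys to the first value seen for each key."""
    fields = {}
    for line in text.splitlines():
        stripped = line.strip()
        # Skip blank lines and registry comment/footer lines.
        if not stripped or stripped.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = stripped.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and value and key not in fields:
            fields[key] = value
    return fields


def parse_whois_date(value):
    """Return an aware UTC datetime, or None if no known layout matches."""
    for fmt in WHOIS_DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def whois_indicators(text, now, max_age_days=90, watch_countries=frozenset()):
    """Summarise a whois record and list the points that raise suspicion."""
    fields = parse_whois(text)
    indicators = []
    created = fields.get("creation date") or fields.get("created")
    created_dt = parse_whois_date(created) if created else None
    age_days = (now - created_dt).days if created_dt else None
    if age_days is None:
        indicators.append("no parseable creation date")
    elif age_days < max_age_days:
        indicators.append(f"registered only {age_days} days ago")
    country = fields.get("registrant country", "").upper()
    if country in watch_countries:
        indicators.append(f"registrant country {country} is on the watch list")
    email = fields.get("registrant email", "").lower() or None
    return {"domain": fields.get("domain name", "").lower(),
            "age_days": age_days, "registrant_email": email,
            "registrant_country": country or None, "indicators": indicators}


def domains_sharing_registrant(email, registrant_index, exclude=None):
    """Other domains registered with the same contact e-mail (local index)."""
    found = registrant_index.get(email.lower(), ())
    return sorted(d for d in found if d != exclude)


def _in_blocklist(hostname, blocklist):
    # A hostname matches if it equals a listed domain or sits under one.
    return any(hostname == bad or hostname.endswith("." + bad) for bad in blocklist)


def cohosted_bad_neighbours(neighbours, blocklist):
    """Hostnames sharing the suspect's IP that appear on the blocklist."""
    bad = {d.lower().rstrip(".") for d in blocklist}
    hosts = {n.lower().rstrip(".") for n in neighbours}
    return sorted(h for h in hosts if _in_blocklist(h, bad))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(whois_indicators(SAMPLE_WHOIS, now, watch_countries={"XX"}))
    print(cohosted_bad_neighbours(["shop.bad.test", "fine.test"], ["bad.test"]))
```

Feed it the text your whois client printed and the hostname list Robtex (or a reverse lookup) returned for the IP; a short domain age on its own proves nothing, so treat the indicators as reasons to keep investigating rather than a verdict.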
If at this point you still do not know whether the site is malicious, you should at least know whether it appears to have a legitimate purpose. The next step, if you want to continue investigating the site, is to access it from either VMware or a Live CD. If you wish to capture specific files from the web site so that you can upload them to VirusTotal or Comodo Instant Malware Analysis for malware analysis, use wget to download the files into a temporary folder so that you are still not accessing the web site with your default web browser. Bear in mind, however, that certain web sites respond differently based on the user agent string of the web browser making the request (and some malicious sites respond unfavorably to wget, as it is often used by security researchers rather than by a prospective victim running Internet Explorer 5.5 on Windows ME), so you should forge the user agent field so that the web site believes the request is coming from a Windows computer running Internet Explorer. For example, to download the file "http://example.com/filename.pdf" with wget while spoofing the user agent of Internet Explorer 7 on Windows XP SP2, the command would be:

    wget --user-agent="Mozilla/4.0 (Windows; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" http://example.com/filename.pdf

(See our wget usage examples page for more information on wget.)
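The same download can be done from a small script that also records the file's SHA-256, which is what you want before handing the sample to an analysis service (VirusTotal accepts a hash search, so a known file need not be uploaded at all). The following is an added example, not code from the original page or from wget: it fetches one URL with urllib using the Internet Explorer 7 user agent quoted above, stores the response in a throwaway directory under a hash-derived name with a neutral .bin suffix and read-only permissions so nothing can open or launch it by accident, and refuses responses larger than an assumed size cap. The network call is injectable, and the constructed opener at the bottom lets the script run offline against a sample body.

```python
"""Fetch one file from a suspect site without a browser and record its
SHA-256 for a VirusTotal lookup before anything is uploaded.

Added example, not code from the original page. The user agent string is
the one the page quotes for wget; the size cap and sample body are assumed.
"""
import hashlib
import os
import urllib.request

# User agent quoted on the page: Internet Explorer 7 on Windows XP SP2.
IE7_XP_UA = "Mozilla/4.0 (Windows; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
MAX_BYTES = 20 * 1024 * 1024  # assumed cap on what we are willing to store


def fetch_to_quarantine(url, dest_dir, opener=urllib.request.urlopen,
                        user_agent=IE7_XP_UA, max_bytes=MAX_BYTES):
    """Download url into dest_dir under a hash-derived name; return metadata.

    The saved file gets a .bin suffix and read-only mode so no application
    is associated with it and it cannot be launched by accident.
    """
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with opener(request, timeout=30) as response:
        # Read one byte past the cap so an oversize response is detectable.
        data = response.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError(f"response exceeds {max_bytes} bytes; not stored")
    sha256 = hashlib.sha256(data).hexdigest()
    path = os.path.join(dest_dir, sha256 + ".bin")
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o400)
    return {"path": path, "sha256": sha256, "size": len(data)}


class _ConstructedResponse:
    """Stand-in for a urllib response, used only for the offline dry run."""

    def __init__(self, body):
        self._body = body

    def read(self, amt=-1):
        return self._body if amt is None or amt < 0 else self._body[:amt]

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def make_constructed_opener(body, expected_ua=IE7_XP_UA):
    """Return an opener that serves `body` and checks the User-Agent header."""
    def opener(request, timeout=None):
        # urllib stores header names capitalised, hence "User-agent".
        if request.get_header("User-agent") != expected_ua:
            raise AssertionError("User-Agent header was not set")
        return _ConstructedResponse(body)
    return opener


# Constructed sample body; not a real document.
SAMPLE_BODY = b"%PDF-1.4\n% constructed sample, not a real document\n"

if __name__ == "__main__":
    import tempfile
    quarantine = tempfile.mkdtemp(prefix="quarantine-")
    info = fetch_to_quarantine("http://example.com/filename.pdf", quarantine,
                               opener=make_constructed_opener(SAMPLE_BODY))
    print(info)
```

For a real fetch, drop the `opener` argument so urllib's own `urlopen` is used, and run the script inside the VMware guest or Live CD session rather than on your everyday machine; the returned `sha256` is what you search for on VirusTotal.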