Malware URLs

2013, Jan 26    

It’s been a while since I started writing a first prototype to try to catch as much malware (URLs and samples) as possible. Today I can say my project is all grown up as it’s generating, daily, a feed with around 9.000 malware URLs and with a low rate of false positives (although there may be some).

The process of finding malware URLs  in my tool used to be only a matter of finding suspicious URLs in social networks (Twitter and Identi.ca), checking mail accounts receiving loads of bad stuff and nothing else. At first. Today I’m using crawlers, honeypots, sandboxes, thirdy party public URL feeds, private URL feeds (provided under consent), executable unpackers, heuristic engines for Flash movies, PDFs, OLE2 documents, etc… It changed a lot and became a big project that, I hope, can give useful information for malware researchers.

 

As of today, the final result the general public can see, is just a single plain text file, that can be used with AdBlock, with all the URLs of the last week (you can grab the latest version of the feed in this link). However, in some weeks (perhaps months) we plan (a friend of mine and I) to add a web page and publish an API to let users do, at least, the following actions:

  1. Check URLs
  2. Find URLs or domains
  3. Find how a malware appeared/spread
  4. Find similar malwares during a given time frame
  5. Setup notifications for known malwares reappearing
  6. Setup notifications for similare malwares
  7. Setup notifications for similar URL patterns
  8. etc…

It will take a while to finish the web page and the API service, but it should be finished in a couple of weeks (if our works permits, as it’s a side project we work on our spare time).

Meanwhile, while my friend and I continue working on this project, we want to show you some fancy graphs of the statistics of this project:

daily_urls

 

Heuristics

 

full_av_names

 

NOTE: The Antivirus information is obtained thanks to VirusTotal.