Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 2 June 2009

Research: KoobFace -

I was asked by a friend if I could sniff out all of the IP addresses that the domain was redirecting to, and after spending over 30 mins trying to do it manually, decided to ask a few fellow researchers if they were aware of a way of doing it automatically - sadly they weren't.

I decided therefor, to throw something together myself to see if I could get the results I required, and the results were interesting.

I told the program to send 1000 requests to (spaced out of course), and had it list all of the IP's that it redirected to, including of course, the URL's themselves - out of the 1000 requests, there were only 296 unique IP addresses. Something I was not expecting.

The entire list is below for your blacklisting and/or researching pleasure.

And the list of IP's themselves;

I've not yet ran the list through hpObserver to get the PTR's for the IP's, but will do that later (absolutely knackered at the moment, and busy processing over 2000 other phishing domains).


hpObserver results (includes PTR) for the IP's;


Gate7Wizard said...

Nice work.
Thanks for the help.
296 may not be what was expected, but as long as they're all listed... they can be applied to both hpHosts and WOT. :-)

- G7W

Matt said...

Isn't KoobFace a worm?