Web reputation checking in incident handling

Sometimes an incident involves too many domains to check them by hand. To triage them on a first pass, I have written a small script that checks the reputation of each domain using the Web of Trust (WoT) API.

Web of Trust is a service that rates websites according to their reputation. That reputation is based on different factors: one of them is malware presence, but there are others, such as a rating based on users' votes.

One thing I really like about the WoT API is that it returns different category codes according to the reason a website's reputation is bad. For example, if the reason is that the website contains adult material, the API returns code 401, and if it contains malware, it returns 101. This is very useful when handling incidents because, in most cases, a domain whose only reason for a bad reputation is adult content can be treated as legitimate on a first pass.

To use the script you just need to register with WoT, get an API key, and put it in this line:

WOT_API_KEY = "YOUR_OWN_API_KEY!!!"
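As an added example (this is not the author's repcrawler.py, which is not reproduced on this page), here is how the WoT JSON response can be parsed and turned into a triage verdict per domain. It assumes the WoT public_link_json2 endpoint, the component ids "0" (trustworthiness) and "4" (child safety), the reputation bands and the minimum confidence as the WoT API documented them at the time; only the category codes quoted in this post are used, and the sample response is constructed to mirror the output shown later in the post.

```python
"""Parse a WoT public_link_json2 response and triage the domains in it.

Added example, not the author's repcrawler.py. The endpoint, the component ids
("0" trustworthiness, "4" child safety), the reputation bands and the minimum
confidence are assumptions taken from the WoT API documentation of the time.
The sample response is constructed to mirror the output shown in the post.
"""
import json
from urllib.parse import urlencode

WOT_API_KEY = "YOUR_OWN_API_KEY!!!"
WOT_ENDPOINT = "http://api.mywot.com/0.4/public_link_json2"   # assumed endpoint

COMPONENTS = {"0": "Trustworthiness", "4": "Child safety"}     # assumed component ids
CATEGORIES = {                                                 # codes quoted in the post
    101: "Malware or viruses",
    401: "Adult content",
    403: "Gruesome or shocking",
    501: "Good site",
}
SECURITY_CATEGORIES = {101}      # bad for security: investigate these first
CONTENT_CATEGORIES = {401, 403}  # bad for content only: usually legit for our purposes
MIN_CONFIDENCE = 6               # assumed: below this WoT treats the rating as unreliable
BANDS = [(80, "Excellent"), (60, "Good"), (40, "Unsatisfactory"),
         (20, "Poor"), (0, "Very poor")]


def build_url(hosts, key=WOT_API_KEY):
    """Build the query URL; WoT wants each host '/'-terminated, max 100 per call (assumed)."""
    if len(hosts) > 100:
        raise ValueError("WoT accepts at most 100 hosts per request")
    query = urlencode({"hosts": "".join(h.strip().lower() + "/" for h in hosts), "key": key})
    return WOT_ENDPOINT + "?" + query


def band(reputation):
    """Map a 0-100 reputation value to WoT's label."""
    return next((label for floor, label in BANDS if reputation >= floor), "Very poor")


def describe(entry):
    """Human-readable lines in the style of the post's output.

    Each component is a [reputation, confidence] pair; the number in brackets
    is the confidence, which is why a rating can be 'Excellent [59]'.
    """
    lines = ["Target: " + entry.get("target", "?")]
    for cid, name in COMPONENTS.items():
        if cid in entry:
            reputation, confidence = entry[cid]
            lines.append("%s: %s [%d]" % (name, band(reputation), confidence))
    for code, confidence in sorted(entry.get("categories", {}).items()):
        name = CATEGORIES.get(int(code), "Unknown category")
        lines.append("[%s] %s [%d]" % (code, name, confidence))
    return lines


def triage(entry):
    """Return 'priority', 'discard', 'content-only' or 'investigate' for one host."""
    categories = {int(code) for code in entry.get("categories", {})}
    if categories & SECURITY_CATEGORIES:
        return "priority"          # e.g. silurian.cn: labelled 101, start here
    if "0" not in entry:
        return "investigate"       # no rating at all, e.g. mtgmadness.com
    reputation, confidence = entry["0"]
    if confidence < MIN_CONFIDENCE:
        return "investigate"       # a rating nobody has really voted on proves nothing
    if reputation >= 60:
        return "discard"           # Good or Excellent trustworthiness: lowest priority
    negatives = categories - {501}
    if negatives and negatives <= CONTENT_CATEGORIES:
        return "content-only"      # bad reputation, but only for adult/shocking content
    return "investigate"


def triage_response(raw_json):
    """Map every host in a raw WoT JSON response to its verdict."""
    return {host: triage(entry) for host, entry in json.loads(raw_json).items()}


# Constructed sample response mirroring the post's output (not real API data).
SAMPLE_RESPONSE = json.dumps({
    "mtgmadness.com": {"target": "mtgmadness.com"},
    "4chan.org": {"target": "4chan.org", "0": [85, 59], "4": [15, 53],
                  "categories": {"403": 14, "401": 73, "501": 59}},
    "securityartwork.es": {"target": "securityartwork.es", "0": [72, 7],
                           "categories": {"501": 7}},
    "silurian.cn": {"target": "silurian.cn", "0": [12, 12],
                    "categories": {"101": 30}},
})

if __name__ == "__main__":
    print(build_url(["4chan.org", "silurian.cn"]))
    for host, entry in json.loads(SAMPLE_RESPONSE).items():
        print("[*] %s -> %s" % (host, triage(entry)))
        for line in describe(entry):
            print("\t" + line)
```

The verdicts sort naturally into a worklist: "priority" hosts first, then "investigate", with "content-only" and "discard" left for later. The confidence check matters because WoT ratings are crowd-sourced: a domain rated Excellent by two voters tells you very little, so a low-confidence rating is treated as no rating at all rather than as evidence either way.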

You can find the script in my GitHub repo.

Finally, let's try the script. First we need a file with the list of domains to check. In this example I use a file called domains.txt containing the following domains:

4chan.org
silurian.cn
securityartwork.es
mtgmadness.com

To run the script, just feed it the file containing the domain list:

xgusix@ender:~$ python repcrawler.py domains.txt 
[*] mtgmadness.com
	Target: mtgmadness.com
[*] 4chan.org
	Target: 4chan.org
	Trustworthiness: Excellent [59]
	Child safety: Very Poor [53]
	[*] Categories:
		[403] Questionable Gruesome or shocking [14]
		[401] Negative Adult content [73]
		[501] Positive Good site [59]
[*] securityartwork.es
	Trustworthiness: Good [7]
	Target: securityartwork.es
	[*] Categories:
		[501] Positive Good site [7]
[*] silurian.cn
	Target: silurian.cn
	Trustworthiness: Very Poor [12]
	[*] Categories:
		[101] Negative Malware or viruses [30]

As you can see, at the beginning of the investigation we can set aside 4chan.org and securityartwork.es: both are labeled "Good site" and their trustworthiness is at least Good. Note that the number in brackets is WoT's confidence in the rating, and securityartwork.es scores only 7, so "set aside" means lowest priority, not proven clean. mtgmadness.com has no rating at all, so we have to investigate it further. The last case, silurian.cn, is already labeled as a malicious domain, "Malware or viruses", so it is a good starting point for the investigation.

Right now the script prints every result, but with a very simple modification you can add some logic to it and automate the process further. I also plan to add more reputation engines to the script: with more sources, the initial triage will be more accurate and save time in the incident handling process.

Any feedback or comments are welcome.

Comments

  1. Howdy! Do you know if they make any plugins to protect against hackers?
    I’m kinda paranoid about losing everything I’ve worked hard on.
    Any recommendations?