Threatglass Tool Gives Deep Look Inside Compromised Sites

Trying to enumerate the compromised sites on the Internet is a Sisyphean task. Luckily, it’s not a task that anyone really needs to perform any longer, especially now that Barracuda Labs has released its new Threatglass tool, a Web-based frontend that allows users to query a massive database of compromised sites to get detailed information on the malicious activity and the threats to visitors to those sites.

Barracuda has been using its technology to scan millions of Web sites every week, looking for malicious activity on legitimate sites. Typically, the tools scan the Alexa top 25,000 sites, along with other suspicious sites. The system hits the sites using a normal browser and waits to see what kind of actions the sites may take, looking for malicious activity like sites serving exploits or trying to download files to visitors’ machines. Now, the company has built a GUI for this system and exposed it to the Web so that users and researchers can search the database, dating back to 2011, looking for current or historic compromise data.

Threatglass is set up to give users a variety of information about a given compromised site, including the number of URLs requested and whether the site downloads a binary. The tool also enables researchers to download a packet capture for a given site.

“Threatglass provides detailed information of what happened when visiting each of the infected websites on a given date, such as the screenshots of the browser, whether a binary was downloaded or any emails were sent, and the number of domains and objects requested. Meanwhile, the requested URLs and anomalous netflow information are presented on each of the infection incident reports. Most importantly, the network package captured during the whole visiting process is freely downloadable, which we’ve found to be well received by many security researchers in the community,” Barracuda Labs said in a blog post.

“With various representations of network traffic including DNS, HTTP, and netflow in both graphical and textual formats displayed to users, we believe that this tool can greatly help casual users to know which websites had been infected, explore how infected websites could damage their browsers and computers, and understand the trending volumes and impacts of malicious websites on the Internet.”
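The per-visit report fields the quoted post describes (URLs and domains requested, whether a binary was downloaded, whether mail was sent) can be derived from the traffic observed during a sandboxed browser visit. As an added illustration that is not Barracuda's code, this Python snippet summarises a constructed set of observed flows into those fields; the Flow record format, hostnames and the executable signatures used are assumptions.

```python
"""Summarise one sandboxed site visit into incident-report fields.
Constructed example, not Threatglass code; the Flow record format is
an assumption about what a capture could be reduced to."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlparse

# Executable headers and content types a visit sandbox would flag (assumed list).
BINARY_MAGIC = (b"MZ", b"\x7fELF")
BINARY_CONTENT_TYPES = {"application/octet-stream", "application/x-msdownload"}


@dataclass
class Flow:
    proto: str               # "http", "dns" or "smtp"
    dst_port: int
    url: str = ""            # full URL for HTTP flows
    content_type: str = ""   # response Content-Type for HTTP flows
    body_prefix: bytes = b"" # first bytes of the response body


def looks_like_binary(flow: Flow) -> bool:
    """An HTTP response counts as a binary download if it declares an
    executable content type or its body starts with a known executable header."""
    if flow.proto != "http":
        return False
    declared = flow.content_type.split(";")[0].strip().lower()
    return declared in BINARY_CONTENT_TYPES or flow.body_prefix.startswith(BINARY_MAGIC)


def incident_report(flows: list[Flow]) -> dict:
    http = [f for f in flows if f.proto == "http"]
    domains = {urlparse(f.url).hostname for f in http if f.url}
    return {
        "urls_requested": len(http),
        "domains_requested": len(domains),
        "binary_downloaded": any(looks_like_binary(f) for f in http),
        # A browser rendering a page has no reason to speak SMTP; flag it as anomalous.
        "email_sent": any(f.proto == "smtp" or f.dst_port in (25, 587) for f in flows),
        "binary_hosts": sorted({urlparse(f.url).hostname for f in http if looks_like_binary(f)}),
    }


# Constructed sample visit (not real traffic): the page itself, an injected
# third-party script, and an executable served from a fourth host.
SAMPLE_VISIT = [
    Flow("dns", 53),
    Flow("http", 80, "http://example-humor-site.test/", "text/html"),
    Flow("http", 80, "http://example-humor-site.test/style.css", "text/css"),
    Flow("http", 80, "http://cdn.example-ads.test/inject.js", "application/javascript"),
    Flow("http", 80, "http://payload.example-bad.test/update.exe",
         "application/octet-stream", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    print(incident_report(SAMPLE_VISIT))
```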

The site’s format also allows users to browse through the most recent group of compromised sites on the home page in a tiled format. The screenshots on the site are obscured until users manually move the window shade, mainly because a good portion of compromised sites contain adult content.

Barracuda Labs often comes across well-known, highly trafficked sites that have been compromised, including the recent example of Cracked.com, the popular humor site. The site, which is ranked in the Alexa top 300, was found to be compromised last fall and was still serving malware earlier this year. The malicious component on the site was serving exploits to visitors via JavaScript. Barracuda also discovered similar compromises of PHP.net and the Hasbro site.

Users of Threatglass also can submit suspicious URLs to Barracuda through the site.
