Good Post at Internet Storm Center on Manually Checking for Malicious Websites
There is a growing post over at ISC about how an administrator might review a website before deciding whether to allow users access to it. All of the listed techniques are very useful (and I too use curl or wget when I want to look at a site "in the raw"), but of course we would propose that you don't need to do some of them manually: just use a Honeyclient! Some of the suggestions, such as checking the whois information, are out of scope for us because they are more concerned with phishing sites, but the part about running the site in VMware with various things logging is exactly what we are meant to automate.

If you are in a corporate environment with a standardized OS deployment (you do have a standardized OS deployment, don't you? ;)) and you expect to field frequent requests to let users access a site, it would be in your best interest to have a Honeyclient set up with your standard environment. Then all you have to do is pop the URL into the StartManager.pl script and see what you shall see. If you don't want to rely on the automatic detection alone, it is a simple thing to customize the VM to open your favorite tools (Regmon, Filemon, Wireshark, etc.) so that when it tells you nothing happened you can still take a look for yourself, to be on the safe side.
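To make the "run it in a VM with things logging" idea concrete, here is an added example (not code from the Honeyclient project or from the ISC post) of the before/after integrity check that a honeyclient automates on the guest: snapshot every file, visit the page, snapshot again, and diff. The function names, the scratch directory standing in for the guest filesystem, and the three "malicious" edits are all constructed for illustration; only POSIX tools (find, cksum, awk, sort) are used.

```shell
#!/bin/sh
# Added example: a minimal before/after file-integrity check of the kind a
# honeyclient performs on its guest VM. Hypothetical helper names; not the
# Honeyclient project's own code.

# Record every regular file under $1 as "<crc> <size> <path>", sorted by path.
snapshot_tree() {
    find "$1" -type f -exec cksum {} + | LC_ALL=C sort -k3
}

# Compare two non-empty snapshot files ($1 = before, $2 = after) and print one
# line per change: ADDED, REMOVED or MODIFIED followed by the path.
# Paths containing whitespace are not handled (awk splits on it); that is
# acceptable for a demonstration but not for a production checker.
diff_snapshots() {
    awk '
        NR == FNR { before[$3] = $1 " " $2; next }   # first file: index by path
        {
            if (!($3 in before))               print "ADDED    " $3
            else if (before[$3] != $1 " " $2)  print "MODIFIED " $3
            seen[$3] = 1
        }
        END { for (p in before) if (!(p in seen)) print "REMOVED  " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Stand-in for "visit the URL in the VM": a scratch directory plays the guest
# filesystem, and the three edits in the middle simulate what a drive-by
# download might do (constructed data, not a real sample).
demo_visit() {
    guest=$(mktemp -d)
    mkdir -p "$guest/Windows/System32/drivers/etc" "$guest/Temp"
    printf '127.0.0.1 localhost\n' > "$guest/Windows/System32/drivers/etc/hosts"
    printf 'cached page\n' > "$guest/Temp/index.html"

    snapshot_tree "$guest" > "$guest.before"

    # --- the "page visit" happens here ---
    printf 'MZ...\n' > "$guest/Temp/dropper.exe"                                        # dropped binary
    printf '127.0.0.1 av-vendor.example\n' >> "$guest/Windows/System32/drivers/etc/hosts" # hosts tampering
    rm "$guest/Temp/index.html"                                                         # cache wiped

    snapshot_tree "$guest" > "$guest.after"
    diff_snapshots "$guest.before" "$guest.after"

    rm -rf "$guest" "$guest.before" "$guest.after"
}

demo_visit
```

The report lists three lines (an ADDED dropper.exe, a MODIFIED hosts file and a REMOVED index.html), which is the kind of evidence the honeyclient's automatic detection would flag and that Filemon or Regmon would let you inspect by hand. A real guest check would also snapshot the registry and running processes, but the diff logic is the same.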
I will be covering more of the tools and suggestions later in the week, as I have an upcoming deadline, but there are some interesting things mentioned there that I haven't seen before. These pending topics, combined with the upcoming talks at ShmooCon on Adobe Flash and JavaScript vulnerabilities, should make for an interesting next couple of weeks.
