Malware Domain Lists

If you analyse pcaps often and want a quick way to see whether any of the domains in a capture appear on a domain blacklist, this script may help.

The Python script will do the following:

  • Download a current malware domain blacklist and parse out the domains.
  • Run a tshark command on your pcap and pull out all the domains.
  • Compare the two lists and print to the screen any blacklisted domains seen on your network.

Python Script

       import urllib2
       import subprocess

       print("Please change your pcap filename to new.pcap")

       # file the downloaded blacklist is written to
       file = "domains.txt"

       # download a current domain blacklist
       url = "http://malwaredomains.lehigh.edu/files/domains.txt"
       response = urllib2.urlopen(url)

       # write the raw feed to disk (the with statement closes the file for us)
       with open(file, 'w') as f:
           f.write(response.read())

       # Clean the file: keep only the first column (the domain) and deduplicate
       COMMAND = "cat domains.txt | awk '{print $1}' | sort | uniq > BLdomains.txt"
       subprocess.call(COMMAND, shell=True)

       # Grab all domains from the pcap (-N n resolves addresses to names; column 3 is the source)
       #pcapfile = raw_input("What is the pcap file name?")
       COMMAND = "tshark -N n -r new.pcap | awk '{print $3}' | sort | uniq > localdomains.txt"
       subprocess.call(COMMAND, shell=True)

       # print to screen any domains from the pcap that are listed in the domain blacklist
       COMMAND = "grep -F -f BLdomains.txt localdomains.txt"
       subprocess.call(COMMAND, shell=True)
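The same three steps can be done without shell pipes, which also fixes a weakness of the `grep -F -f` comparison above: fixed-string grep matches substrings, so a blacklist entry `evil.example` would also flag `notevil.example` and `evil.example.au`, while a Python 3 version can match exactly or on subdomains only. The block below is an added example, not the script from this page. It assumes the blacklist is a text file whose first whitespace-separated field is the domain and whose comment lines start with `#` (which is what the page's `awk '{print $1}'` step implies), and that the hostnames seen on the network are available one per line, as in the `localdomains.txt` the page's tshark pipeline writes. Both inputs here are constructed sample data so the code runs offline.

```python
"""Blacklist-vs-pcap domain check in plain Python (added example, not the page's script)."""
import re

# Constructed blacklist text in the layout the page's awk step expects:
# comment lines start with '#', the first whitespace-separated field is the domain.
SAMPLE_BLOCKLIST = """\
## Comment line from the feed provider
\t\tevil.example\tphishing\tsomesource\t20240101
\t\tbad-cdn.example.net\tmalware\tsomesource\t20240102
  TRACKER.EXAMPLE.ORG\tspyware\tsomesource\t20240103
"""

# Constructed 'one hostname per line' input, like the page's localdomains.txt.
SAMPLE_LOCAL_DOMAINS = """\
www.google.example
cdn.bad-cdn.example.net
notevil.example
evil.example
evil.example.au
10.0.0.5
tracker.example.org.
"""

# Hostname syntax: labels of letters, digits and hyphens, at least one dot.
_DOMAIN_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def normalise(name):
    """Lower-case, strip a trailing dot, and return None for IPs or non-hostnames."""
    name = name.strip().lower().rstrip(".")
    if not _DOMAIN_RE.match(name):
        return None
    if all(label.isdigit() for label in name.split(".")):
        return None  # dotted-quad IPv4 address, not a domain
    return name


def parse_blocklist(text):
    """Set of normalised domains from the feed (first field of each non-comment line)."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain = normalise(line.split()[0])
        if domain:
            domains.add(domain)
    return domains


def parse_observed(text):
    """Set of normalised hostnames seen on the network; IPs and junk lines are dropped."""
    return {d for d in (normalise(line) for line in text.splitlines()) if d}


def blocked_parent(name, blocklist):
    """Return the blacklist entry that `name` equals or is a subdomain of, else None.

    Only whole-label suffixes are tried, so 'notevil.example' does not match
    'evil.example', and the bare TLD is never tested.
    """
    labels = name.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_hits(blocklist_text, observed_text):
    """Map each observed hostname to the blacklist entry it matches."""
    blocklist = parse_blocklist(blocklist_text)
    hits = {}
    for host in sorted(parse_observed(observed_text)):
        parent = blocked_parent(host, blocklist)
        if parent:
            hits[host] = parent
    return hits


if __name__ == "__main__":
    for host, entry in find_hits(SAMPLE_BLOCKLIST, SAMPLE_LOCAL_DOMAINS).items():
        print("%-28s matches blacklist entry %s" % (host, entry))
```

To run it against a real capture, feed `find_hits` the downloaded feed text and the contents of `localdomains.txt` from the page's tshark pipeline; `tshark -r new.pcap -T fields -e dns.qry.name` is another way to get one queried name per line, and it picks up DNS lookups even when the page's `-N n` resolution has nothing to resolve.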

[Screenshot: python2]

Recommendation

  • Change the pcap filename to new.pcap
  • Change the attached file's extension to .py, as shown in the screenshot.

Reference

BLDomainsFoundinPcap_py
