What problem does Malware Discoverer address?

URL redirection is a salient feature for phishing and malware sites. Abusers use redirection to control the information flow and to evade detection. Collecting the redirection trace and discovering final URLs that host malicious artifacts is thus not an easy task. One challenge is how to discover entry points, or domains that initiate redirections. Another challenge is how to counteract cloaking techniques including IP-ban, javascript execution and fast flux. Malware Discoverer is designed to handle those challenges.

Example of one discovered malware campaigns. The entry-level domains (leftmost) use fake news as bait to lure users to click.

How does Malware Discoverer work?

Malware Discoverer is powered by an unsupervised discovery system that is able to trace coordinated redirection campaigns. The algorithm includes three components:

A crawler to collect redirection paths
A cluster to identify suspicious domains that share common redirection paths
A search expander to discover more domains co-hosted with suspicious domains

Malware Discoverer is a fully automated system. Currently it is tracking five IP addresses everyday. After the data collection, a python script loads the data, calculates summary statistics, and generates a png of the redirection network (see image above as an example). A daily threat intelligence report is published on this website and sent to subscribers via email.

What do we analyze in the threat intelligence report?

Our reports focus on the coordinated redirection behavior of those malware campaigns. We breakdown domains and IPs into three categories: tier one are entry-level domains/IPs, tier two are intermediate redirection hops, and ther three are final landing domains/IPs. For each tier, the report covers:

Top 10 domains (registrar, name server, and organization from WHOIS record)
Top 10 IPs (hostname, city, country, andorganization from ipinfo)
Visualization of redirection network, providing full context about the information flow
Google Safe Browsing result, Virustotal result

Current data collections and job status

Date	IP	Andrioid	Chrome	Iphone
2020-09-27	64.32.8.68	result	result	result
2020-09-27	37.48.65.149	result	result	result
2020-09-27	64.32.8.67	result	result	result
2020-09-27	64.32.8.69	result	result	result
2020-09-27	207.244.67.215	result	result	result
2020-09-27	103.224.182.207	result	result	result
2020-09-27	64.32.8.70	result	result	result
2020-09-27	207.244.67.218		result
2020-09-27	37.48.65.151	result	result	result
2020-09-26	64.32.8.68	result	result	result
2020-09-26	37.48.65.149	result	result	result
2020-09-26	64.32.8.67	result	result	result
2020-09-26	64.32.8.69	result	result	result
2020-09-26	207.244.67.215	result	result	result
2020-09-26	103.224.182.207	result	result	result
2020-09-26	64.32.8.70	result	result	result
2020-09-26	207.244.67.218	result	result	result
2020-09-26	37.48.65.151	result	result	result
2020-09-25	64.32.8.68	result	result	result
2020-09-25	37.48.65.149	result	result	result
2020-09-25	64.32.8.67	result	result	result
2020-09-25	64.32.8.69	result	result	result
2020-09-25	207.244.67.215	result	result	result
2020-09-25	103.224.182.207	result	result	result
2020-09-25	64.32.8.70	result	result	result
2020-09-25	207.244.67.218	result	result	result
2020-09-25	37.48.65.151	result	result	result
2020-09-24	64.32.8.68	result	result	result
2020-09-24	37.48.65.149	result	result	result
2020-09-24	64.32.8.67	result	result	result
2020-09-24	64.32.8.69	result	result	result
2020-09-24	207.244.67.215	result	result	result
2020-09-24	103.224.182.207	result	result	result
2020-09-24	64.32.8.70	result	result	result
2020-09-24	207.244.67.218	result	result	result
2020-09-24	37.48.65.151	result	result	result
2020-09-23	64.32.8.68	result	result	result
2020-09-23	37.48.65.149	result	result	result
2020-09-23	64.32.8.67	result	result	result
2020-09-23	64.32.8.69	result	result	result
2020-09-23	207.244.67.215	result	result	result
2020-09-23	103.224.182.207	result	result	result
2020-09-23	64.32.8.70	result	result	result
2020-09-23	207.244.67.218	result	result	result
2020-09-23	37.48.65.151	result	result	result
2020-09-22	64.32.8.68	result	result	result
2020-09-22	37.48.65.149	result	result	result
2020-09-22	64.32.8.67	result	result	result
2020-09-22	64.32.8.69	result	result	result
2020-09-22	207.244.67.215	result	result	result
2020-09-22	103.224.182.207	result	result	result
2020-09-22	64.32.8.70	result	result	result
2020-09-22	207.244.67.218	result	result	result
2020-09-22	37.48.65.151	result	result	result
2020-09-20	64.32.8.68	result	result	result
2020-09-20	37.48.65.149	result	result	result
2020-09-20	64.32.8.67	result	result	result
2020-09-20	64.32.8.69		result	result
2020-09-20	207.244.67.215	result	result	result
2020-09-20	103.224.182.207	result	result	result
2020-09-20	64.32.8.70	result	result	result
2020-09-20	207.244.67.218	result	result	result
2020-09-20	37.48.65.151	result	result	result
2020-09-18	64.32.8.68	result	result	result
2020-09-18	37.48.65.149	result	result	result
2020-09-18	64.32.8.67	result	result	result
2020-09-18	64.32.8.69	result	result	result
2020-09-18	207.244.67.215	result	result	result
2020-09-18	103.224.182.207	result	result	result
2020-09-18	64.32.8.70	result	result	result
2020-09-18	207.244.67.218	result	result	result
2020-09-18	37.48.65.151	result	result	result
2020-09-17	64.32.8.68	result	result	result
2020-09-17	37.48.65.149	result	result	result
2020-09-17	64.32.8.67	result	result	result
2020-09-17	64.32.8.69	result	result
2020-09-17	207.244.67.215	result	result	result
2020-09-17	103.224.182.207	result	result	result
2020-09-17	64.32.8.70	result	result	result
2020-09-17	207.244.67.218	result	result	result
2020-09-17	37.48.65.151	result	result	result
2020-09-16	64.32.8.68	result	result	result
2020-09-16	37.48.65.149	result	result	result
2020-09-16	64.32.8.67	result	result
2020-09-16	64.32.8.69	result	result	result
2020-09-16	207.244.67.215	result	result	result
2020-09-16	103.224.182.207	result	result	result
2020-09-16	64.32.8.70	result	result	result
2020-09-16	207.244.67.218	result	result	result
2020-09-16	37.48.65.151	result	result	result
2020-09-15	64.32.8.68	result	result	result
2020-09-15	37.48.65.149	result	result	result
2020-09-15	64.32.8.67	result	result
2020-09-15	64.32.8.69	result	result	result
2020-09-15	207.244.67.215	result	result	result
2020-09-15	103.224.182.207	result	result	result
2020-09-15	64.32.8.70	result	result	result
2020-09-15	207.244.67.218	result	result	result
2020-09-15	37.48.65.151	result	result	result
2020-09-14	64.32.8.68	result	result
2020-09-14	37.48.65.149	result	result	result
2020-09-14	64.32.8.67	result	result	result
2020-09-14	64.32.8.69	result	result	result
2020-09-14	207.244.67.215	result	result	result
2020-09-14	103.224.182.207	result	result	result
2020-09-14	64.32.8.70	result	result	result
2020-09-14	207.244.67.218	result	result	result
2020-09-14	37.48.65.151	result	result	result
2020-09-13	64.32.8.68
2020-09-13	37.48.65.149
2020-09-13	64.32.8.67
2020-09-13	64.32.8.69
2020-09-13	207.244.67.215
2020-09-13	103.224.182.207
2020-09-13	64.32.8.70
2020-09-13	207.244.67.218
2020-09-13	37.48.65.151
2020-09-12	64.32.8.68	result	result	result
2020-09-12	37.48.65.149	result		result
2020-09-12	64.32.8.67	result	result	result
2020-09-12	64.32.8.69	result	result	result
2020-09-12	207.244.67.215	result	result	result
2020-09-12	103.224.182.207	result	result	result
2020-09-12	64.32.8.70	result	result	result
2020-09-12	207.244.67.218	result	result	result
2020-09-12	37.48.65.151	result	result	result
2020-09-11	64.32.8.68	result	result	result
2020-09-11	37.48.65.149	result	result	result
2020-09-11	64.32.8.67	result	result	result
2020-09-11	64.32.8.69	result	result	result
2020-09-11	207.244.67.215	result	result	result
2020-09-11	103.224.182.207	result	result	result
2020-09-11	64.32.8.70	result	result	result
2020-09-11	207.244.67.218	result	result	result
2020-09-11	37.48.65.151	result	result	result
2020-09-10	64.32.8.68	result	result	result
2020-09-10	37.48.65.149	result	result	result
2020-09-10	64.32.8.67	result	result	result
2020-09-10	64.32.8.69	result	result	result
2020-09-10	207.244.67.215	result	result	result
2020-09-10	103.224.182.207	result	result	result
2020-09-10	64.32.8.70	result	result	result
2020-09-10	207.244.67.218	result	result	result
2020-09-10	37.48.65.151	result	result	result
2020-09-09	64.32.8.68	result	result
2020-09-09	37.48.65.149	result	result	result
2020-09-09	64.32.8.67	result	result	result
2020-09-09	64.32.8.69	result	result	result
2020-09-09	207.244.67.215	result	result	result
2020-09-09	103.224.182.207	result	result	result
2020-09-09	64.32.8.70	result	result	result
2020-09-09	207.244.67.218	result	result	result
2020-09-09	37.48.65.151	result	result	result
2020-09-08	64.32.8.68		result	result
2020-09-08	37.48.65.149	result	result	result
2020-09-08	64.32.8.67	result	result	result
2020-09-08	64.32.8.69	result	result	result
2020-09-08	207.244.67.215	result	result	result
2020-09-08	103.224.182.207	result	result	result
2020-09-08	64.32.8.70	result	result	result
2020-09-08	207.244.67.218	result	result	result
2020-09-08	37.48.65.151	result	result	result
2020-09-07	64.32.8.68
2020-09-07	37.48.65.149
2020-09-07	64.32.8.67
2020-09-07	64.32.8.69
2020-09-07	207.244.67.215
2020-09-07	103.224.182.207
2020-09-07	64.32.8.70
2020-09-07	207.244.67.218
2020-09-07	37.48.65.151
2020-09-06	64.32.8.68	result	result
2020-09-06	37.48.65.149	result	result	result
2020-09-06	64.32.8.67	result	result	result
2020-09-06	64.32.8.69
2020-09-06	207.244.67.215
2020-09-06	103.224.182.207	result	result	result
2020-09-06	64.32.8.70	result	result	result
2020-09-06	207.244.67.218
2020-09-06	37.48.65.151
2020-09-05	64.32.8.68
2020-09-05	37.48.65.149
2020-09-05	64.32.8.67
2020-09-05	64.32.8.69
2020-09-05	207.244.67.215
2020-09-05	103.224.182.207
2020-09-05	64.32.8.70
2020-09-05	207.244.67.218
2020-09-05	37.48.65.151
2020-09-04	64.32.8.68
2020-09-04	37.48.65.149
2020-09-04	64.32.8.67
2020-09-04	64.32.8.69
2020-09-04	207.244.67.215
2020-09-04	103.224.182.207
2020-09-04	64.32.8.70
2020-09-04	207.244.67.218
2020-09-04	37.48.65.151
2020-09-03	64.32.8.68	result	result	result
2020-09-03	37.48.65.149	result	result	result
2020-09-03	64.32.8.67	result	result	result
2020-09-03	64.32.8.69	result	result	result
2020-09-03	207.244.67.215	result	result	result
2020-09-03	103.224.182.207	result	result	result
2020-09-03	64.32.8.70	result	result	result
2020-09-03	207.244.67.218		result	result
2020-09-03	37.48.65.151
2020-09-02	64.32.8.68	result	result	result
2020-09-02	37.48.65.149	result	result	result
2020-09-02	64.32.8.67	result	result	result
2020-09-02	64.32.8.69	result	result	result
2020-09-02	207.244.67.215	result	result	result
2020-09-02	103.224.182.207	result	result	result
2020-09-02	64.32.8.70	result	result	result
2020-09-02	207.244.67.218	result	result	result
2020-09-02	37.48.65.151	result	result	result
2020-09-01	64.32.8.68
2020-09-01	37.48.65.149
2020-09-01	64.32.8.67
2020-09-01	64.32.8.69
2020-09-01	207.244.67.215
2020-09-01	103.224.182.207
2020-09-01	64.32.8.70
2020-09-01	207.244.67.218
2020-09-01	37.48.65.151
2020-08-31	64.32.8.68	result	result	result
2020-08-31	37.48.65.149	result	result	result
2020-08-31	64.32.8.67	result	result	result
2020-08-31	64.32.8.69	result	result	result
2020-08-31	207.244.67.215	result	result	result
2020-08-31	103.224.182.207	result	result	result
2020-08-31	64.32.8.70	result	result	result
2020-08-31	207.244.67.218	result	result	result
2020-08-31	37.48.65.151	result	result	result
2020-08-30	64.32.8.68	result	result	result
2020-08-30	37.48.65.149	result	result	result
2020-08-30	64.32.8.67	result	result	result
2020-08-30	64.32.8.69	result	result	result
2020-08-30	207.244.67.215	result	result	result
2020-08-30	103.224.182.207	result	result	result
2020-08-30	64.32.8.70	result	result	result
2020-08-30	207.244.67.218	result	result	result
2020-08-30	37.48.65.151	result	result	result
2020-08-29	64.32.8.68	result	result	result
2020-08-29	37.48.65.149	result	result	result
2020-08-29	64.32.8.67	result	result	result
2020-08-29	64.32.8.69	result	result	result
2020-08-29	207.244.67.215	result	result	result
2020-08-29	103.224.182.207	result	result	result
2020-08-29	64.32.8.70	result	result	result
2020-08-29	207.244.67.218	result	result	result
2020-08-29	37.48.65.151	result	result	result
2020-08-28	64.32.8.68	result	result	result
2020-08-28	37.48.65.149		result	result
2020-08-28	64.32.8.67	result		result
2020-08-28	64.32.8.69	result	result	result
2020-08-28	207.244.67.215	result	result	result
2020-08-28	103.224.182.207	result	result	result
2020-08-28	64.32.8.70	result	result	result
2020-08-28	207.244.67.218	result	result	result
2020-08-28	37.48.65.151	result	result	result
2020-08-27	64.32.8.68	result	result	result
2020-08-27	37.48.65.149	result	result	result
2020-08-27	64.32.8.67	result	result	result
2020-08-27	64.32.8.69	result	result	result
2020-08-27	207.244.67.215	result	result	result
2020-08-27	103.224.182.207	result	result	result
2020-08-27	64.32.8.70	result	result	result
2020-08-27	207.244.67.218	result	result	result
2020-08-27	37.48.65.151	result	result	result
2020-08-26	64.32.8.68	result	result	result
2020-08-26	37.48.65.149	result	result	result
2020-08-26	64.32.8.67	result	result	result
2020-08-26	64.32.8.69	result	result	result
2020-08-26	207.244.67.215	result	result	result
2020-08-26	103.224.182.207	result	result	result
2020-08-26	64.32.8.70	result	result	result
2020-08-26	207.244.67.218	result	result	result
2020-08-26	37.48.65.151	result	result	result
2020-08-25	64.32.8.68
2020-08-25	37.48.65.149
2020-08-25	64.32.8.67
2020-08-25	64.32.8.69
2020-08-25	207.244.67.215
2020-08-25	103.224.182.207
2020-08-25	64.32.8.70
2020-08-25	207.244.67.218
2020-08-25	37.48.65.151
2020-08-24	64.32.8.68	result	result	result
2020-08-24	37.48.65.149	result	result	result
2020-08-24	64.32.8.67	result	result	result
2020-08-24	64.32.8.69	result	result	result
2020-08-24	207.244.67.215	result	result	result
2020-08-24	103.224.182.207	result	result	result
2020-08-24	64.32.8.70	result	result	result
2020-08-24	207.244.67.218	result	result	result
2020-08-24	37.48.65.151	result	result	result
2020-08-23	64.32.8.68	result	result	result
2020-08-23	37.48.65.149	result	result	result
2020-08-23	64.32.8.67	result	result	result
2020-08-23	64.32.8.69	result	result	result
2020-08-23	207.244.67.215	result	result	result
2020-08-23	103.224.182.207	result	result	result
2020-08-23	64.32.8.70	result	result	result
2020-08-23	207.244.67.218	result	result	result
2020-08-23	37.48.65.151	result	result	result
2020-08-22	64.32.8.68	result	result	result
2020-08-22	37.48.65.149	result	result	result
2020-08-22	64.32.8.67	result	result	result
2020-08-22	64.32.8.69	result	result	result
2020-08-22	207.244.67.215	result	result	result
2020-08-22	103.224.182.207	result	result	result
2020-08-22	64.32.8.70	result	result	result
2020-08-22	207.244.67.218	result	result	result
2020-08-22	37.48.65.151	result	result	result
2020-08-21	64.32.8.68
2020-08-21	37.48.65.149
2020-08-21	64.32.8.67
2020-08-21	64.32.8.69
2020-08-21	207.244.67.215
2020-08-21	103.224.182.207
2020-08-21	64.32.8.70
2020-08-21	207.244.67.218
2020-08-21	37.48.65.151
2020-08-20	64.32.8.68	result	result	result
2020-08-20	37.48.65.149	result	result	result
2020-08-20	64.32.8.67	result	result	result
2020-08-20	64.32.8.69	result	result	result
2020-08-20	207.244.67.215	result	result	result
2020-08-20	103.224.182.207	result	result	result
2020-08-20	64.32.8.70	result	result	result
2020-08-20	207.244.67.218	result	result	result
2020-08-20	37.48.65.151	result	result	result
2020-08-19	64.32.8.68	result	result	result
2020-08-19	37.48.65.149	result	result	result
2020-08-19	64.32.8.67	result	result	result
2020-08-19	64.32.8.69		result	result
2020-08-19	207.244.67.215	result	result	result
2020-08-19	103.224.182.207	result	result	result
2020-08-19	64.32.8.70	result	result	result
2020-08-19	207.244.67.218	result	result	result
2020-08-19	37.48.65.151	result	result	result
2020-08-18	64.32.8.68	result	result	result
2020-08-18	37.48.65.149	result	result	result
2020-08-18	64.32.8.67	result	result	result
2020-08-18	64.32.8.69	result	result	result
2020-08-18	207.244.67.215	result	result	result
2020-08-18	103.224.182.207
2020-08-18	64.32.8.70	result	result	result
2020-08-18	207.244.67.218	result	result	result
2020-08-18	37.48.65.151			result
2020-08-17	64.32.8.68
2020-08-17	37.48.65.149
2020-08-17	64.32.8.67
2020-08-17	64.32.8.69
2020-08-17	207.244.67.215
2020-08-17	103.224.182.207
2020-08-17	64.32.8.70
2020-08-17	207.244.67.218
2020-08-17	37.48.65.151
2020-08-16	64.32.8.68	result	result	result
2020-08-16	37.48.65.149	result	result	result
2020-08-16	64.32.8.67	result	result	result
2020-08-16	64.32.8.69	result
2020-08-16	207.244.67.215
2020-08-16	103.224.182.207	result	result
2020-08-16	64.32.8.70	result	result
2020-08-16	207.244.67.218	result
2020-08-16	37.48.65.151	result	result	result
2020-08-15	64.32.8.68	result	result	result
2020-08-15	37.48.65.149	result	result	result
2020-08-15	64.32.8.67	result	result	result
2020-08-15	64.32.8.69	result	result	result
2020-08-15	207.244.67.215	result	result	result
2020-08-15	103.224.182.207
2020-08-15	64.32.8.70
2020-08-15	207.244.67.218
2020-08-15	37.48.65.151
2020-08-14	64.32.8.68	result	result	result
2020-08-14	37.48.65.149	result	result	result
2020-08-14	64.32.8.67	result	result	result
2020-08-14	64.32.8.69	result	result	result
2020-08-14	207.244.67.215	result	result	result
2020-08-14	103.224.182.207	result	result	result
2020-08-14	64.32.8.70	result	result	result
2020-08-14	207.244.67.218	result	result	result
2020-08-14	37.48.65.151	result	result	result
2020-08-13	64.32.8.68	result	result	result
2020-08-13	37.48.65.149	result		result
2020-08-13	64.32.8.67	result	result	result
2020-08-13	64.32.8.69	result	result	result
2020-08-13	207.244.67.215	result	result	result
2020-08-13	103.224.182.207	result	result	result
2020-08-13	64.32.8.70	result	result	result
2020-08-13	207.244.67.218	result	result	result
2020-08-13	37.48.65.151	result	result	result
2020-08-12	64.32.8.68	result	result	result
2020-08-12	37.48.65.149	result	result	result
2020-08-12	64.32.8.67	result	result	result
2020-08-12	64.32.8.69	result	result	result
2020-08-12	207.244.67.215	result	result	result
2020-08-12	103.224.182.207	result	result	result
2020-08-12	64.32.8.70	result	result	result
2020-08-12	207.244.67.218	result	result	result
2020-08-12	37.48.65.151	result	result	result
2020-08-11	64.32.8.68	result	result	result
2020-08-11	37.48.65.149	result	result	result
2020-08-11	64.32.8.67	result	result	result
2020-08-11	64.32.8.69	result	result	result
2020-08-11	207.244.67.215	result	result	result
2020-08-11	103.224.182.207	result	result	result
2020-08-11	64.32.8.70	result	result	result
2020-08-11	207.244.67.218	result	result	result
2020-08-11	37.48.65.151	result	result	result

How can those threat intelligence benefit me?

Our detection is not designed to be comprehensive. Because first, we are not tracking all IP addresses and domains, and second, even if we do, there are malicious domains that never redirect. Nevertheless, we still believe that Malware Discoverer is a valuable threat intelligence tool – we find that only less than 1% of domains we discovered are labelled by Google Safe Browsing to be malicious. We hope that by sharing our method and data, we can receive more constructive feedback from the community, and together make malware detection more efficient.

We encourage you to take a look at our reports and graphs. If you find them helpful, connect us and we will share you the daily threat intelligence report.

Zhouhan Chen, NYU Center for Data Science, zc1245@nyu.edu

Malware Discoverer

Proactive malware redirection campaign discovery system