Using urlQuery

urlQuery.net is a service for detecting and analyzing web-based malware. It provides detailed information about the actions a browser takes while visiting a site and presents this information in a report, giving analysts valuable information about the site and making it easier to determine whether it is hostile. urlQuery supports signatures, which give analysts a quick way of detecting commonly known exploits on malicious sites and make it easier to determine the state of a site.

The default settings should be sufficient for most pages, but in some cases it is necessary to change these values to get the expected result. When changing them, there are several things one should be aware of, including how they might affect the result. This page gives a quick overview of how these settings work.

After reading through the settings and getting an overview of how they affect the result, it might be tempting to submit a URL several times with different settings, but be aware that many malicious sites track incoming IPs and block further interaction for an extended period after the first access. This is a countermeasure to prevent reversing of their site, so getting it right the first time is important.



Advanced settings

To use the advanced settings properly it is important to know a little about malicious sites and how these values can affect the result.


UserAgent

This setting customizes the user agent string sent by the browser, making it appear to be a different browser. Exploit kits and malicious pages often use this value to deliver code based on the browser in use, and because of differences between browsers some code might only run in a particular browser and will not function correctly in others. Note that this only spoofs the User-Agent string of the browser used by urlQuery so that it appears to be a different one; the browser itself is still Mozilla Firefox.

Be aware that results may be different and incomplete when using a non-default UserAgent string.

Default: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13


Referer

This is probably the most important setting to use correctly. It manipulates the Referer field in the HTTP header, which tells a web server where a user originated from. The browser sets it automatically to the URL of the site/page the user came from when clicking a link or being redirected. Many malicious sites use this field to filter out direct traffic and only accept traffic redirected from one of their infected sites, preventing security researchers from accessing their malicious code to reverse it. Note that not all malicious sites use the Referer field to filter traffic, but omitting this value can drastically change the result.

The difference between supplying a referer and not can be the difference between a blank page and the actual malicious page being returned.

Note that this field requires a full URL, for example http://google.com/ or http://google.com/somepage.htm.

Using only google.com would be an invalid entry according to the HTTP standard.

Default: None
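As an added example (not urlQuery's own code), the Python helpers below apply the Referer rule above, assemble the spoofed headers a sandboxed fetch would send, and compare two captured response bodies for the referer-gating symptom described in this section; the sample bodies are constructed.

```python
from difflib import SequenceMatcher
from typing import Optional
from urllib.parse import urlsplit

# urlQuery's default UserAgent string, as listed on this page.
DEFAULT_USER_AGENT = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) "
                      "Gecko/20101203 Firefox/3.6.13")


def validate_referer(referer: str) -> str:
    """Accept only a full URL (scheme + host); 'http://google.com/' passes,
    a bare 'google.com' is rejected because it has no scheme or host part."""
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"Referer must be a full URL such as http://google.com/, got {referer!r}")
    return referer


def build_headers(referer: Optional[str] = None,
                  user_agent: str = DEFAULT_USER_AGENT) -> dict:
    """Assemble the request headers for a sandboxed fetch. Only header values
    change here; the client behind them is still Firefox, as the page notes."""
    headers = {"User-Agent": user_agent}
    if referer is not None:
        headers["Referer"] = validate_referer(referer)
    return headers


def looks_referer_gated(body_without_referer: str, body_with_referer: str,
                        threshold: float = 0.9) -> bool:
    """Compare bodies of the same URL fetched without and with a Referer.
    True when they differ materially (e.g. blank vs. populated), which is the
    symptom of referer-based filtering; threshold is a similarity ratio."""
    if not body_without_referer.strip() and body_with_referer.strip():
        return True
    ratio = SequenceMatcher(None, body_without_referer, body_with_referer).ratio()
    return ratio < threshold


if __name__ == "__main__":
    # Constructed sample bodies standing in for two sandbox captures.
    blank = ""
    landing = "<html><body>landing page served to redirected visitors</body></html>"
    print(build_headers("http://google.com/"))
    print("referer-gated:", looks_referer_gated(blank, landing))
```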


Adobe Reader

Spoofs the Adobe Reader version reported by Firefox. Some sites load different PDF exploits based on the version installed on the system.

Default: 8.0


Java

Spoofs the Java Runtime Environment version reported by Firefox. Some sites load different Java exploits based on the version installed on the system. This value is currently hardcoded and cannot be changed.

Default: 1.6_10