malspider: detects characteristics of web compromises
Malspider is a web spidering framework that inspects websites for characteristics of compromise. It has three purposes:
- Website Integrity Monitoring: monitor your organization’s website (or your personal website) for potentially malicious changes.
- Generate Threat Intelligence: keep an eye on previously compromised sites, currently compromised sites, or sites that may be targeted by various threat actors.
- Validate Web Compromises: Is this website still compromised?
What can Malspider detect?
Malspider has built-in detection for characteristics of compromise such as hidden iframes, reconnaissance frameworks, VBScript injection, and email address disclosure. As we find new characteristics, we will continue to add classifications to this tool, and we hope you will do the same. Malspider will be a much better tool if CIRTs and security practitioners around the world contribute to the project.
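A sketch of how three of the characteristics named above (hidden iframes, VBScript injection, email address disclosure) can be flagged in fetched HTML. This is an added example, not Malspider's own code; the heuristics, the names `CompromiseScanner` and `scan`, and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
# Illustrative heuristics (assumptions), not Malspider's actual signatures.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel (e.g. "0", "1px")."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class CompromiseScanner(HTMLParser):
    """Collects (classification, detail) findings while parsing one page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            # Hidden via CSS, or collapsed to a 0/1 pixel box.
            hidden = (HIDDEN_STYLE_RE.search(a.get("style", ""))
                      or _is_tiny(a.get("width")) or _is_tiny(a.get("height")))
            if hidden:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            lang = (a.get("language", "") + " " + a.get("type", "")).lower()
            if "vbscript" in lang:
                self.findings.append(("vbscript", a.get("src", "") or "inline"))

    def handle_data(self, data):
        # Text nodes (including inline script bodies) are checked for addresses.
        for addr in EMAIL_RE.findall(data):
            self.findings.append(("email_disclosure", addr))

def scan(html):
    """Parse one HTML document and return its findings in document order."""
    scanner = CompromiseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<p>Contact: webmaster@example.com</p>
<iframe src="http://tracker.example.net/a" width="0" height="0"></iframe>
<iframe src="/videos/intro" width="560" height="315"></iframe>
<script language="VBScript">MsgBox "x"</script>"""
if __name__ == "__main__":
    for kind, detail in scan(SAMPLE):
        print(kind, detail)
```

The visible 560x315 iframe is not reported; only the zero-size frame, the VBScript block, and the exposed address are.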
What’s next? How can I help?
As mentioned above, it is very important to get help from other security practitioners. Outside of adding classifications/signatures to the tool, here is a list of enhancements that would benefit the project and the broader infosec community. Don’t feel constrained to this list, though.
- Monitor website for historical changes (e.g., a script tag was added today)
- Develop a better mechanism for adding signatures/classifications
- Attempt to download and store malware hosted on compromised sites
Copyright (c) 2016, Cisco Systems, Inc. All rights reserved.