How to scan a Website or IP address for Virus, Malware and Phishing using Automater in Kali Linux

Many people ask themselves whether there is a safe way to check out a suspicious URL. The answer is simple: yes, there is. There are many tools on the internet that check whether a URL is safe to visit. As a developer (or intrusion analyst) you don't need to waste time submitting the URL you want to scan to every available web tool one by one; instead you can use the Automater tool, which is available from the command line in Kali Linux.

What is Automater

Automater is a URL/domain, IP address and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts. Given a target (URL, IP or hash) or a file full of targets, Automater returns relevant results from sources such as IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault and VirusTotal. With this tool you can check whether a domain is flagged as malicious and whether files are flagged as malware.

Visit the official Github repository of the project here for more information.

Test examples

The usage of automater is simple and straightforward, so the following examples are enough to understand how it works:

Scan website

The structure of the automater command line tool is very simple:

automater [-h] [-o OUTPUT] [-w WEB] [-c CSV] [-d DELAY] [-s SOURCE] [--p] target
  • -h or --help: show the help message and exit.
  • -o or --output: write the results to a text file.
  • -w or --web: write the results to an HTML file.
  • -c or --csv: write the results to a CSV file.
  • -d or --delay: change the delay between requests to the given number of seconds.
  • -s or --source: run the target only against a specific source engine to pull associated domains. The available options are defined in the name attribute of the site element in the XML configuration file.

To start the scan on a URL (in this case diablo3keygen.net), you can simply execute:

automater diablo3keygen.net

Scan multiple websites

To scan multiple websites in a single automater run, save all the addresses you want to scan in a new text file (.txt). Every line in the file represents one address to scan (list.txt):

facebook.com
ourcodeworld.com
diablo3keygen.net

And then start the scan with:

automater list.txt
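Lists of addresses rarely arrive in the clean one-hostname-per-line form shown above: they are usually full URLs copied from a mailbox or a log, with paths, query strings, mixed case and duplicates. The following is an added example (not the article's code) that normalises such a raw list into the file Automater expects: hashes pass through unchanged, URLs are reduced to their hostname with Node's built-in WHATWG URL parser, and blank lines, comments, duplicates and unparsable entries are dropped. The sample list is constructed for the example.

```javascript
// Added example: build Automater's list.txt from a messy list of addresses.
// Not part of the article; SAMPLE_LIST below is a constructed input.

const HASH_RE = /^[0-9a-f]{32}$|^[0-9a-f]{64}$/i; // md5 or sha256, kept verbatim

function normalizeTargets(text) {
  const targets = [];
  const rejected = [];
  const seen = new Set();
  for (const raw of text.split(/\r\n|\r|\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue; // skip blanks and comments
    let target;
    if (HASH_RE.test(line)) {
      target = line;
    } else {
      try {
        // Prepend a scheme when missing so the URL parser accepts bare hosts,
        // then keep only the hostname (lower-cased, path/query/port removed).
        const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(line) ? line : `http://${line}`;
        target = new URL(withScheme).hostname;
      } catch {
        rejected.push(line); // not a URL at all: keep it out of the scan list
        continue;
      }
    }
    if (!seen.has(target)) {
      seen.add(target);
      targets.push(target);
    }
  }
  return { targets, rejected };
}

// Returns the text of list.txt: one target per line, trailing newline.
function buildListFile(text) {
  return normalizeTargets(text).targets.join('\n') + '\n';
}

// Constructed sample: what a list copied out of a phishing mailbox might look like.
const SAMPLE_LIST = `
# addresses pulled from a phishing mailbox (constructed sample)
https://facebook.com/login?next=/home
http://ourcodeworld.com
OurCodeWorld.com/articles/read/1
diablo3keygen.net
44A6A7D4A039F7CC2DB6E85601F6D8C1
not a url at all
`;

// Usage: require('fs').writeFileSync('list.txt', buildListFile(SAMPLE_LIST));
console.log(normalizeTargets(SAMPLE_LIST));
```

Rejected lines are returned rather than silently dropped so you can inspect what did not make it into the scan, and the order of first appearance is preserved so the report can be matched back to the source list.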

Through a hash

We are going to use the hash of a known malware sample to test Automater. The sample is detected as "CRDF.Trojan.Virus.Win32.Zbot3182957456", and the test can be executed with either of the following commands:

# With the MD5 hash
automater 44A6A7D4A039F7CC2DB6E85601F6D8C1

# Or with the sha256 hash
automater 9b8cdbd216044d13413efee6c20c5da080da30a9aacabeeeb5cea66e96104645

Running either of the previous commands in the terminal should produce output like the following:

Results found for: 44A6A7D4A039F7CC2DB6E85601F6D8C1     ____________________
[+] MD5 found on VT: 1
[+] Scan date submitted: 2016-03-01 07:38:00
[+] Detected Engines: 42
[+] Total Engines: 56
[+] Vendor | Classification: ('MicroWorld-eScan', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('nProtect', 'Trojan/W32.Blocker.1429504')
[+] Vendor | Classification: ('CAT-QuickHeal', 'TrojanPWS.Zbot.Gen')
[+] Vendor | Classification: ('McAfee', 'PWSZbot-FKQ!44A6A7D4A039')
[+] Vendor | Classification: ('Malwarebytes', 'Trojan.Dropper.UPT')
[+] Vendor | Classification: ('Zillya', 'Trojan.Zbot.Win32.145968')
[+] Vendor | Classification: ('AegisLab', 'Troj.W32.Generic!c')
[+] Vendor | Classification: ('BitDefender', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('K7GW', 'Trojan ( 004904bd1 )')
[+] Vendor | Classification: ('K7AntiVirus', 'Trojan ( 004904bd1 )')
[+] Vendor | Classification: ('Agnitum', 'Trojan.Blocker!tq8JK8ba1bk')
[+] Vendor | Classification: ('Symantec', 'Trojan.Gen.2')
[+] Vendor | Classification: ('Avast', 'Win32:CeeInject-Y [Trj]')
[+] Vendor | Classification: ('Kaspersky', 'HEUR:Trojan.Win32.Generic')
[+] Vendor | Classification: ('NANO-Antivirus', 'Trojan.Win32.Zbot.cqnsrz')
[+] Vendor | Classification: ('Ad-Aware', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('Sophos', 'Troj/HkMain-DF')
[+] Vendor | Classification: ('Comodo', 'TrojWare.Win32.UMal.~A')
[+] Vendor | Classification: ('F-Secure', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('DrWeb', 'Trojan.DownLoader9.22851')
[+] Vendor | Classification: ('VIPRE', 'Trojan.Win32.Fareit.if (v)')
[+] Vendor | Classification: ('TrendMicro', 'TROJ_GEN.R047C0CBT16')
[+] Vendor | Classification: ('Emsisoft', 'Trojan.Downloader.JQGE (B)')
[+] Vendor | Classification: ('Jiangmin', 'Backdoor/Pushdo.ady')
[+] Vendor | Classification: ('Avira', 'TR/Rogue.1428744')
[+] Vendor | Classification: ('Microsoft', 'VirTool:Win32/CeeInject.gen!KK')
[+] Vendor | Classification: ('Arcabit', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('AhnLab-V3', 'Spyware/Win32.Zbot')
[+] Vendor | Classification: ('GData', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('ALYac', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('AVware', 'Trojan.Win32.Fareit.if (v)')
[+] Vendor | Classification: ('VBA32', 'Trojan.Zbot.2813')
[+] Vendor | Classification: ('Tencent', 'Win32.Trojan.Generic.Pdco')
[+] Vendor | Classification: ('Ikarus', 'Virus.Win32.CeeInject')
[+] Vendor | Classification: ('Fortinet', 'W32/Generic.AC.2250672')
[+] Vendor | Classification: ('Baidu-International', 'Trojan.Win32.Injector.ASFC')
[+] Vendor | Classification: ('Qihoo-360', 'Win32/Trojan.886')
[+] Hash found at ThreatExpert: No results found
[+] Malicious Indicators from ThreatExpert: No results found
[+] Date found at VXVault: No results found
[+] URL found at VXVault: No results found
[+] Malc0de Date: No results found
[+] Malc0de IP: No results found
[+] Malc0de Country: No results found
[+] Malc0de ASN: No results found
[+] Malc0de ASN Name: No results found
[+] Malc0de MD5: No results found
No results found in the THMD5

Scanning with specific tool

Instead of running an analysis against all the online sources, you can run only the ones you want. For example, to check the hash against only VirusTotal or ThreatExpert, specify the source with the -s argument:

# Run with Virus Total
automater -s virustotal [URL to scan]

# Or with Threat Expert
automater -s threatexpert [URL to scan]

Creating your own analysis script

You can automate this process and use it in your own tools. We have written a script that can be run with Node.js; you only need to replace the urlOrHashToScan variable and run it:

var execFile = require('child_process').execFile;
var fs = require('fs');

var outputFile = "/root/hacking/report.csv";
var urlOrHashToScan = "44A6A7D4A039F7CC2DB6E85601F6D8C1";

// execFile passes the arguments directly to the program (no shell), so a crafted
// target string cannot be used to append extra shell commands.
execFile('automater', [urlOrHashToScan, '--csv', outputFile], (error, stdout, stderr) => {
    if (error) {
        console.error(`exec error: ${error}`);
        return;
    }

    if (fs.existsSync(outputFile)) {
        var CSV_DATA = fs.readFileSync(outputFile, "utf8");
        var ParsedCSV = parseCSV(CSV_DATA);

        // Print every row (one array of fields per CSV line)
        ParsedCSV.forEach((item) => {
            console.log(item.join(" | "));
        });
    } else {
        console.log(`stderr: ${stderr}`);
    }
});

/**
 * Wrapped csv line parser
 * @param s string delimited csv string
 * @param sep separator override (defaults to ",")
 * @attribution : http://www.greywyvern.com/?post=258 (comments closed on blog :( )
 */
function parseCSV(s, sep) {
    sep = sep || ",";
    // http://stackoverflow.com/questions/1155678/javascript-string-newline-character
    var universalNewline = /\r\n|\r|\n/g;
    var a = s.split(universalNewline);
    for (var i = 0; i < a.length; i++) {
        // Walk the naive split from the right, re-joining fields that were split inside quotes
        for (var f = a[i].split(sep), x = f.length - 1, tl; x >= 0; x--) {
            if (f[x].replace(/"\s+$/, '"').charAt(f[x].length - 1) == '"') {
                if ((tl = f[x].replace(/^\s+"/, '"')).length > 1 && tl.charAt(0) == '"') {
                    // Fully quoted field: strip the quotes and unescape ""
                    f[x] = f[x].replace(/^\s*"|"\s*$/g, '').replace(/""/g, '"');
                } else if (x) {
                    // Only a closing quote: merge with the previous field and re-check it
                    f.splice(x - 1, 2, [f[x - 1], f[x]].join(sep));
                } else f = f.shift().split(sep).concat(f);
            } else f[x] = f[x].replace(/""/g, '"'); // unquoted field: still unescape ""
        }
        a[i] = f;
    }
    return a;
}

The output of the script with the given hash will look like this:

Target | Type | Source | Result
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Found | 1
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Date | 2016-03-01 07:38:00
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Detected | 42
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Engines | 56
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('MicroWorld-eScan', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('nProtect', 'Trojan/W32.Blocker.1429504')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('CAT-QuickHeal', 'TrojanPWS.Zbot.Gen')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('McAfee', 'PWSZbot-FKQ!44A6A7D4A039')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Malwarebytes', 'Trojan.Dropper.UPT')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Zillya', 'Trojan.Zbot.Win32.145968')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('AegisLab', 'Troj.W32.Generic!c')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('BitDefender', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('K7GW', 'Trojan ( 004904bd1 )')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('K7AntiVirus', 'Trojan ( 004904bd1 )')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Agnitum', 'Trojan.Blocker!tq8JK8ba1bk')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Symantec', 'Trojan.Gen.2')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Avast', 'Win32:CeeInject-Y [Trj]')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Kaspersky', 'HEUR:Trojan.Win32.Generic')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('NANO-Antivirus', 'Trojan.Win32.Zbot.cqnsrz')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Ad-Aware', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Sophos', 'Troj/HkMain-DF')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Comodo', 'TrojWare.Win32.UMal.~A')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('F-Secure', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('DrWeb', 'Trojan.DownLoader9.22851')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('VIPRE', 'Trojan.Win32.Fareit.if (v)')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('TrendMicro', 'TROJ_GEN.R047C0CBT16')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Emsisoft', 'Trojan.Downloader.JQGE (B)')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Jiangmin', 'Backdoor/Pushdo.ady')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Avira', 'TR/Rogue.1428744')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Microsoft', 'VirTool:Win32/CeeInject.gen!KK')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Arcabit', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('AhnLab-V3', 'Spyware/Win32.Zbot')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('GData', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('ALYac', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('AVware', 'Trojan.Win32.Fareit.if (v)')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('VBA32', 'Trojan.Zbot.2813')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Tencent', 'Win32.Trojan.Generic.Pdco')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Ikarus', 'Virus.Win32.CeeInject')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Fortinet', 'W32/Generic.AC.2250672')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Baidu-International', 'Trojan.Win32.Injector.ASFC')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Qihoo-360', 'Win32/Trojan.886')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | TE Date | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | TE Indicators | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | Vx Date | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | Vx URL | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC Date | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC IP | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC Country | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC ASN | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC ASN Name | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC MD5 | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | THMD5 | No results found
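Printing the rows is only the first step; in a real pipeline you want to validate what goes into the command line and reduce the report to a verdict. The following is an added example (not the article's script) that does both for the report layout shown above: it classifies a target as md5, sha256, IPv4 or domain before building the argument list for Node's `child_process.execFile` (so the target never touches a shell), and it parses the CSV (Target, Type, Source, Result) into a summary with the VirusTotal detection ratio, the vendor labels, and the sources that returned "No results found". The sample rows are constructed from the article's output with a shortened vendor list, and the 25% threshold is an assumption you should tune to your own triage policy.

```javascript
// Added example: validate a target, build execFile arguments, and summarise an
// Automater CSV report. Not part of the article; SAMPLE_CSV is constructed.

const TARGET_PATTERNS = {
  md5: /^[0-9a-f]{32}$/i,
  sha256: /^[0-9a-f]{64}$/i,
  ipv4: /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/,
  domain: /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i,
};

// Returns 'md5', 'sha256', 'ipv4' or 'domain', or null for anything else.
function classifyTarget(s) {
  const t = s.trim();
  for (const [kind, re] of Object.entries(TARGET_PATTERNS)) {
    if (re.test(t)) return kind;
  }
  return null;
}

// Arguments for execFile('automater', args, cb). No shell is involved and
// unsupported input is rejected, so the target cannot inject extra commands.
function buildAutomaterArgs(target, outputFile) {
  if (classifyTarget(target) === null) throw new Error(`unsupported target: ${target}`);
  return [target.trim(), '-c', outputFile];
}

// Minimal RFC 4180 field splitter: quoted fields may contain commas and "" escapes.
function splitCsvLine(line) {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') inQuotes = false;
      else cur += ch;
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      fields.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  fields.push(cur);
  return fields;
}

// The header row supplies the keys of each row object.
function parseReport(csvText) {
  const lines = csvText.split(/\r\n|\r|\n/).filter((l) => l.trim() !== '');
  const header = splitCsvLine(lines[0]);
  return lines.slice(1).map((l) => {
    const f = splitCsvLine(l);
    return Object.fromEntries(header.map((h, i) => [h, f[i] === undefined ? '' : f[i]]));
  });
}

// Collapse the per-source rows into a verdict: VirusTotal detection ratio,
// vendor labels, and the sources that had nothing to say about the target.
function summarizeReport(csvText, threshold = 0.25) {
  const rows = parseReport(csvText);
  const result = (src) => (rows.find((r) => r.Source === src) || {}).Result;
  const detected = Number(result('VT Detected') || 0);
  const engines = Number(result('VT Engines') || 0);
  const vendors = rows
    .filter((r) => r.Source === 'VT Vendor_Class')
    .map((r) => {
      const m = /^\('([^']*)',\s*'([^']*)'\)$/.exec(r.Result); // "('Vendor', 'Label')"
      return m ? { vendor: m[1], label: m[2] } : { vendor: null, label: r.Result };
    });
  const silentSources = rows.filter((r) => r.Result === 'No results found').map((r) => r.Source);
  const ratio = engines > 0 ? detected / engines : 0;
  const verdict = detected === 0 ? 'no detections' : ratio >= threshold ? 'malicious' : 'suspicious';
  return { target: rows.length ? rows[0].Target : null, detected, engines, ratio, verdict, vendors, silentSources };
}

// Constructed sample report in the article's column layout (vendor list shortened).
const SAMPLE_CSV = [
  'Target,Type,Source,Result',
  '44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,VT Found,1',
  '44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,VT Date,2016-03-01 07:38:00',
  '44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,VT Detected,42',
  '44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,VT Engines,56',
  `44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,VT Vendor_Class,"('MicroWorld-eScan', 'Trojan.Downloader.JQGE')"`,
  `44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,VT Vendor_Class,"('CAT-QuickHeal', 'TrojanPWS.Zbot.Gen')"`,
  `44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,VT Vendor_Class,"('Kaspersky', 'HEUR:Trojan.Win32.Generic')"`,
  '44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,TE Date,No results found',
  '44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,THMD5,No results found',
].join('\n');

console.log(JSON.stringify(summarizeReport(SAMPLE_CSV), null, 2));
```

The `silentSources` list is worth keeping in the summary: a hash that only VirusTotal knows about is a different situation from one that several sandboxes and blocklists have seen, and a report where every source is silent should be treated as "unknown", not "clean".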

As you can see, Automater is a very useful tool for investigating suspicious URLs and hashes that you think could be malicious. It saves a lot of research time, since you no longer need to visit each of these websites and submit the URL manually.

Happy analysis !
