
I would like to obtain a list of malicious URLs for testing purposes and, if possible, would like to collect URLs of sites that exploit zero-day vulnerabilities.

I want to collect malicious URLs to investigate zero-day attacks.

    This will be difficult to accomplish, as the people using these URLs have interest in them not being identified as malicious. Once identified, they quickly go defunct. Some malicious URLs from spam/scam emails are defunct within hours. – The one who tests Sep 29 '22 at 23:48
  • Here's a list of malicious IP aggregators (can't vouch for its utility, but it's a starting point): https://lifars.com/wp-content/uploads/2016/11/Sites-with-blocklist-of-malicious-IPs-and-URLs.pdf – belkarx Sep 30 '22 at 00:47
  • Why, exactly, do you want the URLs? What are you testing? And what URLs do the exploiting? I think you need to explain more about what you are trying to do, because there might be a misunderstanding and what you want to do might not be possible. – schroeder Sep 30 '22 at 07:17
  • URLs won't help you investigate zero day attacks. And that has nothing to do with honeypots. How are you seeing that URLs relate to zero day attacks? Again, I'm concerned that you are asking for something that won't help you accomplish your goal. Can you get way more detailed about what it is you want to do and how URLs help you get there? – schroeder Sep 30 '22 at 13:24
  • What I would really like to do is investigate zero-day attacks, especially zero-day attacks against web applications. I was thinking that I could investigate zero-day attacks by analyzing traffic from malicious URLs. – Nine Sep 30 '22 at 13:35
  • So, do you think that established sites with a registered domain launch zero-day attacks? Why not simply look at the zero-day attacks and research them? – schroeder Sep 30 '22 at 13:37

1 Answer


This is not an answer to "How to collect malicious URLs?" but rather "How to investigate zero-day exploits?" - which is the question that is actually being asked.

First of all, the typical garden variety scammer does not actually use any exploits at all. Instead, they try to get access to your accounts, either by faking a login page (so you submit your login credentials to them) or by asking you to connect an "app" to your account (particularly social media accounts), which in turn demands complete access to your account.

Another very common vector is to offer files to download, which pose as "legitimate" but actually contain malware. P2P platforms used to be very popular for this (and probably still are), but Search Engine Optimization and "malvertising" have become popular in recent times too. For example, if you searched for "VLC" in Germany, your first Google result would be "vlc.de", a website which is available to this day and which distributes VLC together with its own ad-ware.

Of course, there are more venues to distribute malware, but the important takeaway is that these attacks target low-hanging fruit. Attackers don't care about who installs their malware, just that they get to run their adware, ransomware, etc...

Zero-Day Exploits (Zero-Days for short) on the other hand are highly sought-after and fetch very high prices, depending on who the target is (Windows, iOS, Android, etc.), how reliable it is, how detectable it is, what capabilities you get, etc...

These Zero-Days must be used sparingly, because every use could be found, investigated and ultimately lead to a patch, which makes the Zero-Day unusable (or at least way less impactful) and thus leads to a loss of value. This also means that attackers who just send malicious URLs to random people will likely not use a Zero-Day Exploit there. Why would they? They risk wasting an exploit that could be worth hundreds of thousands of dollars, just to install even more ad-ware on some grandma's laptop?

Then, how do I investigate Zero-Days?

  • Google's Project Zero is a great resource, talking about zero-day exploits, explaining in detail how they work, what vulnerabilities they abuse and how they evade modern mitigation.

  • Seclists' Full Disclosure mailing list is a good mailing list where people disclose vulnerabilities. While these typically contain very little explanation other than "This is what happened", they are a good resource to look through.

  • Security companies' own advisory lists. Many security companies perform vulnerability research or happen across zero-day vulnerabilities from time to time. Many will ask vendors whether or not they can publish the findings publicly after a patch has been published, and some vendors agree to that. Since I myself work for such a company, I don't want to link to it directly, so as not to seem like this is advertising/recruiting.

  • Vendor advisory lists. Many vendors list which vulnerabilities any given software patch fixes. For example, nginx has a page titled Security Advisories, which lists all security-relevant findings that have been published. Often, these contain patches to source code to mitigate the vulnerability, so with some elbow grease you can reverse engineer what the issue was and possibly how to exploit it. Furthermore, many of the advisories state who discovered the vulnerability, so contacting them may be worth a shot.

Note that this states how you can investigate already found zero-day exploits to better understand them. How to find zero-days is explained in the question How are zero days found?

  • Thank you. It seems I was trying to take the wrong approach to my goal of investigating a zero-day attack. – Nine Sep 30 '22 at 13:46
  • @Nine You're most welcome. I also forgot to mention [liveOverflow](https://www.youtube.com/c/LiveOverflow), who makes great videos on security in general and also has some deep-dives into some zero-days. – Horvath Zeldjinovic Sep 30 '22 at 13:55