When investigating a domain hosting malware, one of the first things we normally do is look at the domain’s ‘whois’ information. The first thing I look at is the creation date, since you can usually distinguish an infected site from a malware repository based on that information alone. If a site was registered a long time ago, it’s more likely to be a legitimate site that’s been compromised in some way. Another thing to look out for is the registrant’s name and address, since that information is usually made public unless the person chose to hide it using one of the few options available to them.
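The creation-date heuristic described above is easy to automate. The following is an added example, not code from the original post: it parses a whois record into fields, extracts the creation date, computes the domain's age as of a chosen date, and notes whether the registrant fields look privacy-protected. The whois text is a constructed sample, and the 365-day "recently registered" threshold is an assumption for illustration, not a figure from the post.

```python
import re
from datetime import datetime, date

# Constructed sample whois record (not a real domain or registrant).
# Field labels follow the common "Key: Value" registrar format.
SAMPLE_WHOIS = """\
Domain Name: example-malware-host.test
Registrar: Example Registrar, Inc.
Creation Date: 2009-02-14T10:22:31Z
Updated Date: 2009-02-14T10:22:31Z
Registry Expiry Date: 2010-02-14T10:22:31Z
Registrant Name: John Doe
Registrant Organization:
Registrant Street: 123 East Shady Lane Way
Registrant City: Fruit Heights
Registrant State/Province: Utah
Registrant Postal Code: 84037
Registrant Country: US
"""

# Labels different registrars use for the registration date.
DATE_KEYS = ("creation date", "created on", "created", "registered on", "registration date")
# Substrings that typically indicate a privacy/proxy service rather than a person.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard", "domains by proxy")
# Date layouts seen in whois output, tried in order.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def parse_whois(text):
    """Return a dict of lower-cased keys -> values from 'Key: Value' lines."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        # Keep the first occurrence; some registrars repeat fields.
        fields.setdefault(key.strip().lower(), value.strip())
    return fields


def creation_date(fields):
    """Find the registration date under any known label; None if absent/unparseable."""
    for key in DATE_KEYS:
        raw = fields.get(key)
        if not raw:
            continue
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(raw, fmt).date()
            except ValueError:
                continue
    return None


def registrant_hidden(fields):
    """True if the registrant name/organization looks like a privacy service."""
    blob = " ".join(fields.get(k, "") for k in ("registrant name", "registrant organization")).lower()
    return any(marker in blob for marker in PRIVACY_MARKERS)


def assess(text, as_of, young_days=365):
    """Summarize age and registrant visibility; young_days is an assumed threshold."""
    fields = parse_whois(text)
    created = creation_date(fields)
    age = (as_of - created).days if created else None
    if age is None:
        verdict = "unknown creation date"
    elif age < young_days:
        verdict = "recently registered: more consistent with a purpose-built malware host"
    else:
        verdict = "long-established: more likely a legitimate site that was compromised"
    return {
        "created": created,
        "age_days": age,
        "registrant_hidden": registrant_hidden(fields),
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_WHOIS, as_of=date(2009, 6, 1))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with a real record by piping `whois example.com` into `assess`; the verdict is only a prior, as the post's own story shows, so treat it as one signal among several rather than a classification.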
This morning I was looking at a domain that had the root page detected as Mal/VidHtml-G. It was registered in early 2009 which makes it suspicious but not guaranteed to be malicious. I then looked at the address and saw the following.
#### (blanked on purpose) East Shady Lane Way
Fruit Heights, Utah 84037
At this point I was thinking to myself, if you’re going to come up with a fake address, at least come up with something believable. What kind of fool do they take me for? For some reason, though, I decided to plug the address into Google Maps and was surprised to see that the address did in fact exist. Google Street View had even passed by the specific home, and it actually looked nice!
I wonder who’s put in charge of naming streets? In any case, lesson learned. Don’t judge a domain by its address.