abuse.ch has recently launched a new project called “URLhaus”. URLhaus is a project with the goal of sharing malicious URLs that are being used for malware distribution.
Anybody can register with a Twitter account and share malicious URLs they have detected. The system will download and analyse the payload (trying to identify it) and then submit it to various Anti-Virus vendors as well as blacklist providers (the site mentions Google Safe Browsing, Spamhaus DBL and SURBL).
I have had the chance to play with an early version of the application and to share malicious URLs, as well as to create a little Python script that allows submitting URLs from the command line. The code for that script (urlhaus.py) has been published and can be used by anyone with an API key.
Furthermore, URLhaus provides various feeds you can freely use in your defence tools or for malware collection.
Using urlhaus.py
First, you need to set your personal api_key in the file.
After that, you can use -h to display a help manual:
    usage: urlhaus.py [-h] -u URL [-t [Tags [Tags ...]]] [-a Anonymous]
                      [-d Threat]

    Submit a new malicious URL to URLhaus on abuse.ch

    optional arguments:
      -h, --help            show this help message and exit
      -u URL, --url URL     URL you want to submit (required)
      -t [Tags [Tags ...]], --tags [Tags [Tags ...]]
                            Tag. Allowed characters: [A-Za-z0-9.-]
      -a Anonymous, --anon Anonymous
                            If set to 1, your submission will be anonymous
      -d Threat, --threat Threat
                            Threat type of the URL (must be "malware_download")

To add a new URL, simply call the script and pass the malicious URL with -u:
urlhaus.py -u https://check-your-files.tk/blur.doc
You can also add tags with the -t option:
urlhaus.py -u https://check-your-files.tk/blur.doc -t doc
As a result you will see that the URL was inserted. After a little while your submission will be shared on the website.
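
When submitting more than a handful of URLs, it helps to check them against the constraints from the help text before calling the script. The following is an added example, not part of urlhaus.py or the URLhaus project: it refangs indicators that were shared in defanged form, enforces the tag character set and threat type shown above, drops duplicates, and returns ready-to-use argument lists. The function names and the "url [tag ...]" input format are assumptions made for this sketch, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

TAG_RE = re.compile(r"[A-Za-z0-9.-]+")  # charset from the -t help text
THREAT = "malware_download"             # only value the -d help text allows

# Constructed sample input, one "url [tag ...]" per line (assumed format).
SAMPLE = [
    "hxxps://check-your-files[.]tk/blur.doc doc",
    "https://check-your-files.tk/blur.doc doc",      # duplicate once refanged
    "ftp://files.example.invalid/a.exe exe",         # wrong scheme
    "http://dl.example.invalid/x.exe bad_tag",       # "_" is not allowed
]

def refang(url):
    """Undo common defanging (hxxp, [.], [:]) used when sharing indicators."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")

def build_args(url, tags=(), anonymous=False):
    """Return the urlhaus.py argument list for one URL or raise ValueError."""
    url = refang(url)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    bad = [t for t in tags if not TAG_RE.fullmatch(t)]
    if bad:
        raise ValueError(f"disallowed tag characters: {bad}")
    args = ["-u", url, "-d", THREAT]
    if tags:
        args += ["-t", *tags]
    if anonymous:
        args += ["-a", "1"]
    return args

def prepare(lines):
    """Return (argument lists to run, rejected (line, reason) pairs)."""
    ok, rejected, seen = [], [], set()
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        try:
            args = build_args(fields[0], fields[1:])
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        if args[1] not in seen:  # drop duplicates after refanging
            seen.add(args[1])
            ok.append(args)
    return ok, rejected
```

Each returned list can be appended to the urlhaus.py invocation, for example with subprocess.run; rejected lines come back with the reason so they can be fixed by hand.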