Today, Barracuda released a new online tool for sharing, browsing and analyzing web-based malware—Threatglass, available at threatglass.com. Our Barracuda Labs team fostered the idea, designed the large-scale backend system, and built the GUI that presents it to the world. We are very excited to be able to offer this resource – free of charge – to both casual users and the security research community as a whole.
Welcome to threatglass.com!
The backend system of Threatglass has been running internally inside Barracuda for a few years, where it has been used to automatically scan suspicious websites drawn from Barracuda’s customer network and the Alexa top 25,000 websites, in order to better protect Barracuda’s customers. The system was designed to operate at large scale and fully automatically: it uses thousands of virtual machines to visit URLs in web browsers and observe what happens to the browsers, their plugins, and the operating systems. Without prior knowledge of the specific exploits served to the browser or its extensions, the resulting network-level actions are recorded and analyzed to reveal whether the visited URLs serve malicious content.
With millions of URLs being scanned every week, the system has accumulated nearly 10,000 live web-based malware infections to date. Meanwhile, new data sources are feeding in daily, including our recent social feeds from Facebook and Twitter. Two of our previous posts specifically demonstrated the power of the Threatglass backend system—summaries of maliciousness on top-ranked Alexa domains in February 2012 and July 2012.
The frontend of Threatglass is a modern web portal that provides a unique visualization of the malware-infected websites identified by the backend system, with a Pinterest-like graphical feel. Threatglass allows users to casually browse website infections dating back to September 2011, and to view charting and trending graphs that put historical malware trends in perspective. Threatglass provides detailed information about what happened when each infected website was visited on a given date, such as screenshots of the browser, whether a binary was downloaded or any emails were sent, and the number of domains and objects requested. Meanwhile, the requested URLs and anomalous netflow information are presented on each infection incident report. Most importantly, the network packet capture recorded during the whole visit is freely downloadable, which we’ve found to be well received by many security researchers in the community.
With various representations of network traffic, including DNS, HTTP, and netflow, displayed to users in both graphical and textual formats, we believe that this tool can greatly help casual users learn which websites have been infected, explore how infected websites could damage their browsers and computers, and understand the trending volumes and impacts of malicious websites on the Internet.
For more advanced users in the security community, the data packets provided on Threatglass are useful for deeper investigation, such as correlating a downloaded binary with recent CVEs to identify a botnet, and so forth. Additionally, researchers can search the infected IPs in Threatglass to cross-examine their own malicious data.
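To make the incident-report fields concrete, here is an added example (not Threatglass code) that reduces a flattened record of one sandboxed visit to the indicators described above: domains and objects requested, whether a binary came down, whether the VM spoke SMTP, and which flows left the normal web ports. The `Flow` records, the `WEB_PORTS` set, and the sample capture are all constructed assumptions.

```python
"""Summarise one sandboxed web visit into incident-report indicators.
Constructed example; Flow is a hypothetical flattened form of a capture."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: a browser VM is only expected to talk DNS and HTTP(S).
WEB_PORTS = {53, 80, 443}


@dataclass
class Flow:
    proto: str             # "http" for a reconstructed HTTP object, else "tcp"/"udp"
    dst_port: int
    url: str = ""          # HTTP only
    content_type: str = ""
    body_head: bytes = b""  # first bytes of the response body, if any


def is_binary(f: Flow) -> bool:
    # A PE file starts with "MZ"; the Content-Type header alone is not trusted,
    # since exploit kits routinely mislabel executables as images or text.
    return f.body_head.startswith(b"MZ") or f.content_type == "application/octet-stream"


def summarize_visit(flows):
    domains, objects = set(), 0
    binary = email = False
    anomalous = []
    for f in flows:
        if f.proto == "http":
            objects += 1
            domains.add(urlsplit(f.url).hostname)
            binary = binary or is_binary(f)
        elif f.dst_port in (25, 465, 587):
            email = True   # a freshly visited page has no reason to send mail
        elif f.dst_port not in WEB_PORTS:
            anomalous.append((f.proto, f.dst_port))
    return {"domains": len(domains), "objects": objects,
            "binary_downloaded": binary, "email_sent": email,
            "anomalous_flows": anomalous}


# Constructed capture: a compromised page redirects to a landing page that
# serves an executable disguised as a GIF, after which the VM opens SMTP.
SAMPLE = [
    Flow("http", 80, "http://example.com/", "text/html"),
    Flow("http", 80, "http://cdn.example.com/jquery.js", "application/javascript"),
    Flow("http", 80, "http://landing.example.net/x.php?q=1", "text/html"),
    Flow("http", 80, "http://landing.example.net/load.php", "image/gif", b"MZ\x90\x00"),
    Flow("tcp", 25),
    Flow("tcp", 8080),
]

if __name__ == "__main__":
    print(summarize_visit(SAMPLE))
```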
In the last few months, the Threatglass backend system identified quite a few top-ranked Alexa domains serving malicious content to their users. You can see that in action in a few of our past blog posts at Cracked.com, Php.net and Hasbro.com.
We also encourage users to discuss each incident and to submit any websites for inspection and analysis at threatglass.com.
We believe that compromised legitimate websites continue to be a significant threat to online trust and safety, and Threatglass provides an interesting and unique way to document and better understand this ongoing problem. We look forward to hearing your thoughts on Threatglass – and are always open to your questions and ideas.