Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Quickly Investigating Websites with Lookyloo

Published: 2018-11-17
Last Updated: 2018-11-17 11:13:31 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

While we are enjoying our weekend, it's always a good time to learn about new pieces of software that could be added to your toolbox. Security analysts have often to quickly investigate a website for malicious content and it's not always easy to keep a good balance between online or local services. When you submit information to a free online service, they're good chances that data you submitted are logged and probably analysed/re-used, remember nothing is "for free". Lookiloo is a tool developed by CIRCL (the Luxembourg CERT) that helps to have a quick overview of a website by scraping it and displaying a tree of domains calling each other. The name "Lookyloo" comes from the Urban Dictionary[1] and means "People who just come to look".  The tool provides a simple web interface to submit a new site to query or to review previous analysis:

And a few seconds later, you get a tree of domains used by this website. Here is an example of a website used to deliver spam:

For each domain, you get the following information (if detected):

  • Presence of Javascript 
  • Cookie received
  •  Cookie read
  • Redirect
  • Cookie in URL

Some website (particularly news websites) are nice to analyze. Here is the result of scraping cnn.com:

Lookyloo is available on the CIRCL git repository[2]. I recommend you to use the provided docker-compose.yml file to run your own Docker container.

[1] https://www.urbandictionary.com/define.php?term=lookyloo
[2] https://github.com/CIRCL/lookyloo

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Basic Obfuscation With Permissive Languages
Nov 16th 2018
1 day ago by Xme (0 comments)

Emotet infection with IcedID banking Trojan
Nov 15th 2018
3 days ago by Brad (0 comments)

Day in the life of a researcher: Finding a wave of Trickbot malspam
Nov 14th 2018
4 days ago by Brad (3 comments)

November 2018 Microsoft Patch Tuesday
Nov 13th 2018
4 days ago by Johannes (1 comment)

Using the Neutrino ip-blocklist API to test general badness of an IP
Nov 12th 2018
5 days ago by Rick (0 comments)

Community contribution: joining forces or multiply solutions?
Nov 11th 2018
6 days ago by Pasquale Stirparo (1 comment)

View All Diaries →

Latest Discussions

CVE Links Are Broken
created Nov 17th 2018
15 hours ago by George (1 reply)

Mobile Forensics tools - suggestions?
created Oct 8th 2018
1 month ago by Gary (0 replies)

issues with webpy service
created Oct 1st 2018
1 month ago by Alvaro (0 replies)

Pi Honeypot
created Oct 1st 2018
1 month ago by Alvaro (0 replies)

Attempting to report (msg body missing) -- Powershell malware in zip with jpg
created Sep 10th 2018
2 months ago by W60 (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
11 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)