Determine Whether An IP Is Malicious With VirusTotal Graph

Using VirusTotal Graph to Characterize an Unknown IP Address

by Craig Smith, Security Analyst

1. Let's use the IP 54.39.75.141 as an example. Search for it in VirusTotal and open its Relations tab:

https://www.virustotal.com/gui/ip-address/54.39.75.141/relations

2. Click the blue VT Graph box in the top right corner. 

When the graph loads you'll see the IP address you're investigating at its center,
with several other nodes branching off from it. The node types you care about are
described in the next steps, along with how to check each one.

3. Resolutions (domains which have at some point resolved to this IP)

If several of these domains are flagged as malicious, you should start to suspect
that the IP is either malicious itself or was compromised at some point and began
serving malicious content.

*Note that to verify whether these domains are relevant to your investigation you
need to check how long ago each one resolved to the IP you are investigating. If it
was many months ago, the malicious characterization may no longer apply, because
domains change hands often. If you want to know more, double-click one of the
domains and trace more of its history; that will help you build confidence either way.

4. URLs (URLs which have at some point been served from the IP being studied)

If several of these URLs show malicious detections, it is more likely that the IP
being studied is also malicious. However, remember the point above about how
"fresh" the DNS resolutions behind these URLs should be: you should be less
confident about URLs whose domains resolved to this IP only in old lookups.

5. Downloaded Files (files which were downloaded from this IP address)

If a file that you are confident is malicious was downloaded from this IP address,
that should increase your confidence in the IP as a malicious source. Keep in mind,
however, that VirusTotal does not show when the file was downloaded from this IP.
Treat it as one indication, not the only indication, that the IP is malicious.
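The same three checks can be run programmatically against the VirusTotal API v3 relationship endpoints (`/ip_addresses/{ip}/resolutions`, `/urls` and `/downloaded_files`) so the freshness rule from step 3 is applied consistently rather than by eye. The script below is an added example, not code from this post or from VirusTotal. Its field names (`attributes.date`, `attributes.host_name`, `attributes.host_name_last_analysis_stats`, `attributes.last_analysis_stats`) are assumed from the v3 documentation, the 180-day staleness cutoff, the 3-engine detection threshold and the scoring weights are this example's own assumptions, and the JSON it runs on is constructed sample data about a documentation IP, not real VirusTotal results:

```python
"""Offline triage of VirusTotal API v3 relationship data for one IP address.

Added example, not the post's or VirusTotal's code. Field names are assumed
from the v3 documentation; thresholds and weights are this example's own.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

VT_API = "https://www.virustotal.com/api/v3"
STALE_AFTER_DAYS = 180   # assumption: a resolution older than this is "old"
MIN_ENGINES = 3          # assumption: fewer engine hits than this is noise


def fetch_relationship(ip, relationship, api_key, limit=40):
    """Fetch 'resolutions', 'urls' or 'downloaded_files' for an IP from the
    live API (needs network and a key). The offline demo below never calls it."""
    url = f"{VT_API}/ip_addresses/{ip}/{relationship}?limit={limit}"
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]


def is_malicious(stats, min_engines=MIN_ENGINES):
    """A last_analysis_stats block counts as malicious at >= min_engines hits."""
    return stats.get("malicious", 0) >= min_engines


def triage_resolutions(resolutions, now, stale_days=STALE_AFTER_DAYS):
    """Step 3: split malicious resolved domains into fresh vs. stale, using the
    date the domain was last seen resolving to this IP."""
    cutoff = now - timedelta(days=stale_days)
    fresh, stale = [], []
    for res in resolutions:
        attrs = res["attributes"]
        if not is_malicious(attrs.get("host_name_last_analysis_stats", {})):
            continue
        seen = datetime.fromtimestamp(attrs["date"], tz=timezone.utc)
        (fresh if seen >= cutoff else stale).append(attrs["host_name"])
    return fresh, stale


def malicious_ids(objects):
    """Steps 4 and 5: ids of URL/file objects with malicious detections.
    No date weighting: VT does not record when a file was served by this IP."""
    return [o["id"] for o in objects
            if is_malicious(o["attributes"].get("last_analysis_stats", {}))]


def verdict(fresh, stale, bad_urls, bad_files):
    """Combine indicators. Weights encode the post's advice: fresh malicious
    resolutions and malicious downloads weigh most, stale resolutions least,
    and no single indicator is conclusive by itself."""
    score = 2 * len(fresh) + 0.5 * len(stale) + len(bad_urls) + 2 * len(bad_files)
    if score >= 4:
        return "likely malicious", score
    if score >= 1.5:
        return "suspicious - corroborate", score
    return "insufficient evidence", score


# CONSTRUCTED sample data shaped like v3 responses for 203.0.113.7 (a
# documentation address). These are not real VirusTotal results.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _ts(days_ago):
    return int((NOW - timedelta(days=days_ago)).timestamp())


def _res(host, days_ago, malicious):
    return {"type": "resolution", "attributes": {
        "host_name": host, "date": _ts(days_ago),
        "host_name_last_analysis_stats": {"malicious": malicious, "harmless": 70}}}


SAMPLE_RESOLUTIONS = [
    _res("bad-fresh.example", 10, 8),    # malicious, seen recently
    _res("bad-old.example", 400, 6),     # malicious, but over a year old
    _res("clean.example", 5, 0),         # no detections
    _res("noisy.example", 3, 1),         # one engine only: below threshold
]
SAMPLE_URLS = [
    {"type": "url", "id": "u1", "attributes": {"last_analysis_stats": {"malicious": 5}}},
    {"type": "url", "id": "u2", "attributes": {"last_analysis_stats": {"malicious": 4}}},
    {"type": "url", "id": "u3", "attributes": {"last_analysis_stats": {"malicious": 0}}},
]
SAMPLE_FILES = [
    {"type": "file", "id": "f1", "attributes": {"last_analysis_stats": {"malicious": 41}}},
]


def triage_ip(resolutions, urls, files, now=NOW):
    """Run steps 3-5 over already-fetched relationship data."""
    fresh, stale = triage_resolutions(resolutions, now)
    bad_urls, bad_files = malicious_ids(urls), malicious_ids(files)
    label, score = verdict(fresh, stale, bad_urls, bad_files)
    return {"fresh_bad_domains": fresh, "stale_bad_domains": stale,
            "malicious_urls": bad_urls, "malicious_files": bad_files,
            "score": score, "verdict": label}


if __name__ == "__main__":
    print(json.dumps(triage_ip(SAMPLE_RESOLUTIONS, SAMPLE_URLS, SAMPLE_FILES), indent=2))
```

To run it against a live IP, replace the three SAMPLE_* lists with `fetch_relationship(ip, "resolutions", key)`, `fetch_relationship(ip, "urls", key)` and `fetch_relationship(ip, "downloaded_files", key)`. The weights are deliberately conservative: a single old malicious resolution alone yields "insufficient evidence", and a single fresh one only "suspicious", which is the post's point that any one of these relationships is an indication, not a verdict.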
