Expanded malware reporting at the
Cybercrime Information Center
Contributed by Dave Piscitello, Interisle Consulting Group
We are now ingesting additional malware reports from our contributors. These additions represent a significant increase in the numbers of reports we will process moving forward, which reflect the rise in traffic attributed to malicious use of “robot” software that perform repetitive tasks. The additions also represent new malware types and sub-families that we have not previously included in our malware classification.
We are now processing reports of IP addresses that host scripts or executables that are used to inject malicious content, disrupt services, or to expose and exploit vulnerabilities. These reports are different from our existing sub-families, IoT Malware and Endpoint Malware, so we have decided to add a new sub-family in our classification taxonomy, Malicious IP Address.
The malicious IP address sub-family will identify scripts or executables that are used maliciously and hence are malicious software emanating from a malicious IP address. These reports identify the origins of these attacks.
The malicious IP address sub-family will include two new malware types: Traffic Injectors and Attack Ware.
The first, Traffic Injectors, includes:
Forum Spammers. These reports identify infected devices, typically PCs, that inject unwanted advertisements or malicious URLs or pollute PHP, HTTP, or Web forums with posts containing inappropriate malicious content. Here, we will base reporting on the malicious IP address of the source of malicious traffic, for example, the chat bot that’s attempting to submit a comment to a forum that contains a malicious URL.
Web Bots. These reports identify infected devices that host credential-stuffing bots or captcha bypass bots, or bots that disrupt merchant services (bidding snipers, download stat boosters). Again, we will base reporting on the IP address of the source of malicious traffic.
Bots (no qualifier). We will also include reports that identify malicious IP addresses but provide no further metadata or “no qualifier”. The malicious IP address malware type will thus include IP addresses reported for hosting a bot that is directing suspicious traffic at remote systems for seemingly malicious purposes, but the reporter did not provide any additional intelligence regarding the nature of the bot.
The second, Attack Ware, will include malicious executables that have been reported for targeting systems with traffic that scan for ways to disrupt or break into targeted systems or services. Here, we will include reports of attacker IP addresses that target services – e.g., Apache, IMPA, FTP, Postfix, SSH – and reports of IPs that are participating in DDOS attacks, scraping attacks, or click fraud.
If you have a novel use for Cybercrime Information Center Data and are interested in sharing with
our community, contact us at
criminaldomainabuse@interisle.net