[Intelmq-dev] Classification of malware events

Thomas Hungenberg th at cert-bund.de
Tue Mar 6 18:55:33 CET 2018


On 06.03.2018 16:57, Sebastian Wagner wrote:
> On 2018-03-01 15:41, Thomas Hungenberg wrote:
>> However, my intention was to set the *type* to 'infected system'
>> and not the *identifier*
> Makes sense. But couldn't a c&c server also be an infected system?

I wouldn't call a C2 server 'infected', as there is usually no malware
running on those systems doing the bad stuff; they are dedicated or
compromised systems set up (manually/scripted) to act as a C2.


> An infected system could also be a hacked website which sends spam.

If there is malware running on the compromised webserver sending spam -
yes, I'd call this an 'infected system' as well.
If the website has been defaced, the event should be classified as
taxonomy: compromised, type: defacement instead (for example).


> The term is very generic.

The term 'botnet drone' is very specific to sinkholing - but not all
malware reaches out to C2 servers (and thus is a 'botnet drone').
The infection could also have been identified by other means.
So my intention is to use the term 'infected system' to cover both
'botnet drones' identified by sinkholing as well as malware infections
identified by other means.


>> (which will be overwritten by the modify expert).
> BTW: I will soon publish a PR which adds a download&convert script for
> the newly created malware family mappings, to use them for the modify
> bot: http://github.com/certtools/malware_name_mapping

Great!


>> So I'd like to propose to change the classification scheme as follows:
>>
>>         'classification.taxonomy':   'malicious code',
>>         'classification.type':       'infected system',
>>         'classification.identifier': 'malware',  # default name, will be overwritten by modify expert
> Sounds reasonable, because at this point we do not know for sure if we
> do not know the malware or not. If the former would be so, I'd prefer
> something like 'malware-generic' which indicates that it is some kind of
> generic value.

I'm fine with 'malware-generic'.


     - Thomas

CERT-Bund Incident Response & Malware Analysis Team
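The flow proposed in the thread (set the generic classification in the parser, then let a later step overwrite the identifier from a malware-name mapping) as an added example; this is not IntelMQ's own modify expert or the certtools/malware_name_mapping data. The regex mapping table, the event dicts and the function names are constructed for illustration.

```python
"""Constructed example: default classification for malware-infection events
('malicious code' / 'infected system' / 'malware-generic'), followed by a
mapping step that replaces the generic identifier with a canonical family
name.  Not IntelMQ code; the mapping table below is made up for the example."""

import re

# Constructed mapping: pattern on the feed's malware name -> canonical family.
# The real malware_name_mapping repository ships its own, larger table.
MALWARE_NAME_MAPPING = [
    (re.compile(r"^(avalanche-)?andromeda", re.IGNORECASE), "andromeda"),
    (re.compile(r"^(win32[./])?zeus", re.IGNORECASE), "zeus"),
]

# The defaults from the thread, with 'malware-generic' as the placeholder
# identifier that signals "family not yet known".
DEFAULT_CLASSIFICATION = {
    "classification.taxonomy": "malicious code",
    "classification.type": "infected system",
    "classification.identifier": "malware-generic",
}


def classify_infection(event):
    """Return a copy of `event` with the default classification filled in.

    Keys already present are kept, so a parser that knows the event is
    something else (e.g. a C2 server, a defacement) is not overridden."""
    out = dict(event)
    for key, value in DEFAULT_CLASSIFICATION.items():
        out.setdefault(key, value)
    return out


def apply_name_mapping(event, mapping=MALWARE_NAME_MAPPING):
    """Overwrite a generic identifier with the mapped family name.

    Only 'malware-generic' is replaced, so an identifier a parser set on
    purpose survives.  Unknown names leave the placeholder in place, which
    is the point of having a recognisable generic value."""
    out = dict(event)
    name = out.get("malware.name")
    if name is None or out.get("classification.identifier") != "malware-generic":
        return out
    for pattern, family in mapping:
        if pattern.search(name):
            out["classification.identifier"] = family
            break
    return out


def process(event):
    """Parser-stage defaults followed by the mapping step."""
    return apply_name_mapping(classify_infection(event))


if __name__ == "__main__":
    # Constructed sample events (documentation IP range 192.0.2.0/24).
    for sample in (
        {"source.ip": "192.0.2.10", "malware.name": "Avalanche-Andromeda"},
        {"source.ip": "192.0.2.11", "malware.name": "totally-new-thing"},
        {"source.ip": "192.0.2.12", "malware.name": "zeus",
         "classification.taxonomy": "malicious code",
         "classification.type": "c&c",
         "classification.identifier": "zeus-c2"},
    ):
        print(process(sample))
```

The third sample shows why the identifier check matters: a C2 feed that already classified the event as 'c&c' with its own identifier is passed through untouched, while the sinkhole-style events get the family name or keep 'malware-generic'.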

