On 12.03.2018 15:49, Sebastian Wagner wrote:
> In intelmq we currently have 3 types for malicious code infections:
> malware
> botnet drone
> ransomware
According to the description, 'malware' does not refer to an infection but to malware _distribution_. So maybe we should better rename this to "malware distribution"?
> The term 'infected system' covers them all. 'malware' covers the other two. So we would then have this "hierarchy" (thinking of mathematical set theory):
>
> infected system
>     malware
>         botnet drone
>         ransomware
'malware' does _not_ cover 'botnet drone' and 'ransomware'.
> And in practice, which of the terms is used for classification (in the parser bots) is kind of random. But ransomware is not used at all (but it can be and should be, as some data actually covers ransomware).
I'd suggest dropping 'ransomware'. Why use a specific classification type only for this kind of malware but not for 'spambot', 'banking trojan', 'rootkit' and others?
I'd prefer using "infected system" as the classification type for malware infections as this fits with the classification level of other malicious code events.
Then we would have:
taxonomy         type                   identifier
malicious code   infected system        <malware-name>
malicious code   c&c                    <malware-name>
malicious code   dga domain             <malware-name>
malicious code   malware distribution   <malware-name>
malicious code   malware configuration  <malware-name>
- Thomas
CERT-Bund Incident Response & Malware Analysis Team