On 2018-03-06 18:55, Thomas Hungenberg wrote:
> The term 'botnet drone' is very specific to sinkholing - but not all malware reaches out to C2 servers (and thus is a 'botnet drone'). The infection could also have been identified by other means. So my intention is to use the term 'infected system' to cover both 'botnet drones' identified by sinkholing as well as malware infections identified by other means.
In intelmq we currently have 3 types for malicious code infections:
- malware
- botnet drone
- ransomware
The term 'infected system' covers them all. 'malware' covers the other two. So we would then have this "hierarchy" (thinking of mathematical set theory):

  infected system
    malware
      botnet drone
      ransomware
but all of them are classification types and are on the same level of classification.
And in practice, which of the terms is used for classification (in the parser bots) is kind of random. But ransomware is not used at all (but it can be and should be, as some data actually covers ransomware).
(The three other types are: dga domain, malware configuration, c&c)
Sebastian