On 06.03.2018 16:57, Sebastian Wagner wrote:
> On 2018-03-01 15:41, Thomas Hungenberg wrote:
>> However, my intention was to set the *type* to 'infected system' and not the *identifier*
> Makes sense. But couldn't a c&c server also be an infected system?
I wouldn't call a C2 server 'infected' as there is usually no malware running on those systems doing the bad stuff; they are dedicated or compromised systems set up (manually/scripted) to act as a C2.
> An infected system could also be a hacked website which sends spam.
If there is malware running on the compromised webserver sending spam - yes, I'd call this an 'infected system' as well. If the website has been defaced, the event should be classified as taxonomy: compromised, type: defacement instead (for example).
> The term is very generic.
The term 'botnet drone' is very specific to sinkholing - but not all malware reaches out to C2 servers (and thus is a 'botnet drone'). The infection could also have been identified by other means. So my intention is to use the term 'infected system' to cover both 'botnet drones' identified by sinkholing as well as malware infections identified by other means.
>> (which will be overwritten by the modify expert).
> BTW: I will soon publish a PR which adds a download&convert script for the newly created malware family mappings, to use them for the modify bot: http://github.com/certtools/malware_name_mapping
Great!
>> So I'd like to propose to change the classification scheme as follows:
>> 'classification.taxonomy': 'malicious code', 'classification.type': 'infected system', 'classification.identifier': 'malware', # default name, will be overwritten by modify expert
> Sounds reasonable, because at this point we do not know for sure if we know the malware or not. If the former were so, I'd prefer something like 'malware-generic' which indicates that it is some kind of generic value.
I'm fine with 'malware-generic'.
- Thomas
CERT-Bund Incident Response & Malware Analysis Team