The current classification scheme for malware events in shadowserver/parser/config.py is:
    'constant_fields': {
        'classification.taxonomy': 'malicious code',
        'classification.type': 'botnet drone',
        'classification.identifier': 'botnet',
    },
The modify expert (if used) overwrites the classification.identifier with a malware name (either a "harmonized" name or the value of malware.name as default).
Last year, we discussed dropping the term "botnet (drone)" and replacing it with "infected system" (as not all malware-infected systems are necessarily part of a botnet).
The config.py in branch develop currently looks like:
    'classification.taxonomy': 'malicious code',
    'classification.type': 'botnet drone',
    'classification.identifier': 'infected system',
However, my intention was to set the *type* to 'infected system' and not the *identifier* (which will be overwritten by the modify expert).
So I'd like to propose to change the classification scheme as follows:
    'classification.taxonomy': 'malicious code',
    'classification.type': 'infected system',
    'classification.identifier': 'malware',  # default name, will be overwritten by modify expert
So the final classification of an event will look like:
    'classification.taxonomy': 'malicious code',
    'classification.type': 'infected system',
    'classification.identifier': 'ramnit',
Thoughts? Objections?
- Thomas
CERT-Bund Incident Response & Malware Analysis Team
I've created PR #1197 for this.
On 01.03.2018 15:41, Thomas Hungenberg wrote:
> The current classification scheme for malware events in shadowserver/parser/config.py is:
>
>     'constant_fields': {
>         'classification.taxonomy': 'malicious code',
>         'classification.type': 'botnet drone',
>         'classification.identifier': 'botnet',
>     },
>
> The modify expert (if used) overwrites the classification.identifier with a malware name (either a "harmonized" name or the value of malware.name as default).
> Last year, we discussed dropping the term "botnet (drone)" and replacing it with "infected system" (as not all malware-infected systems are necessarily part of a botnet).
> The config.py in branch develop currently looks like:
>
>     'classification.taxonomy': 'malicious code',
>     'classification.type': 'botnet drone',
>     'classification.identifier': 'infected system',
>
> However, my intention was to set the *type* to 'infected system' and not the *identifier* (which will be overwritten by the modify expert).
> So I'd like to propose to change the classification scheme as follows:
>
>     'classification.taxonomy': 'malicious code',
>     'classification.type': 'infected system',
>     'classification.identifier': 'malware',  # default name, will be overwritten by modify expert
>
> So the final classification of an event will look like:
>
>     'classification.taxonomy': 'malicious code',
>     'classification.type': 'infected system',
>     'classification.identifier': 'ramnit',
>
> Thoughts? Objections?
> - Thomas
> CERT-Bund Incident Response & Malware Analysis Team
Intelmq-dev mailing list
Intelmq-dev@lists.cert.at
https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
Hi,
On 2018-03-01 15:41, Thomas Hungenberg wrote:
> However, my intention was to set the *type* to 'infected system' and not the *identifier*
Makes sense. But couldn't a c&c server also be an infected system? An infected system could also be a hacked website which sends spam. The term is very generic.
> (which will be overwritten by the modify expert).
BTW: I will soon publish a PR which adds a download&convert script for the newly created malware family mappings, to use them for the modify bot: http://github.com/certtools/malware_name_mapping
> So I'd like to propose to change the classification scheme as follows:
>
>     'classification.taxonomy': 'malicious code',
>     'classification.type': 'infected system',
>     'classification.identifier': 'malware',  # default name, will be overwritten by modify expert
>
Sounds reasonable, because at this point we do not know for sure if we do not know the malware or not. If the former is the case, I'd prefer something like 'malware-generic', which indicates that it is some kind of generic value.
Sebastian
On 06.03.2018 16:57, Sebastian Wagner wrote:
> On 2018-03-01 15:41, Thomas Hungenberg wrote:
>> However, my intention was to set the *type* to 'infected system' and not the *identifier*
> Makes sense. But couldn't a c&c server also be an infected system?
I wouldn't call a C2 server 'infected', as there is usually no malware running on those systems doing the bad stuff; they are dedicated or compromised systems set up (manually/scripted) to act as a C2.
> An infected system could also be a hacked website which sends spam.
If there is malware running on the compromised webserver sending spam - yes, I'd call this an 'infected system' as well. If the website has been defaced, the event should be classified as taxonomy: compromised, type: defacement instead (for example).
> The term is very generic.
The term 'botnet drone' is very specific to sinkholing - but not all malware reaches out to C2 servers (and thus is a 'botnet drone'). The infection could also have been identified by other means. So my intention is to use the term 'infected system' to cover both 'botnet drones' identified by sinkholing as well as malware infections identified by other means.
>> (which will be overwritten by the modify expert).
> BTW: I will soon publish a PR which adds a download&convert script for the newly created malware family mappings, to use them for the modify bot: http://github.com/certtools/malware_name_mapping
Great!
>> So I'd like to propose to change the classification scheme as follows:
>>
>>     'classification.taxonomy': 'malicious code',
>>     'classification.type': 'infected system',
>>     'classification.identifier': 'malware',  # default name, will be overwritten by modify expert
>>
> Sounds reasonable, because at this point we do not know for sure if we do not know the malware or not. If the former is the case, I'd prefer something like 'malware-generic', which indicates that it is some kind of generic value.
I'm fine with 'malware-generic'.
- Thomas
CERT-Bund Incident Response & Malware Analysis Team
On 2018-03-06 18:55, Thomas Hungenberg wrote:
> The term 'botnet drone' is very specific to sinkholing - but not all malware reaches out to C2 servers (and thus is a 'botnet drone'). The infection could also have been identified by other means. So my intention is to use the term 'infected system' to cover both 'botnet drones' identified by sinkholing as well as malware infections identified by other means.
In intelmq we currently have 3 types for malicious code infections:
    malware
    botnet drone
    ransomware
The term 'infected system' covers them all. 'malware' covers the other two. So we would then have this "hierarchy" (thinking of mathematical set theory):
    infected system
        malware
            botnet drone
            ransomware
but all of them are classification types and are on the same level of classification.
And in practice, which of the terms is used for classification (in the parser bots) is kind of random. But ransomware is not used at all (but it can be and should be, as some data actually covers ransomware).
(The three other types are: dga domain, malware configuration, c&c)
Sebastian
On 12.03.2018 15:49, Sebastian Wagner wrote:
> In intelmq we currently have 3 types for malicious code infections:
>     malware
>     botnet drone
>     ransomware
According to the description, 'malware' does not refer to an infection but to malware _distribution_. So maybe we should better rename this to "malware distribution"?
> The term 'infected system' covers them all. 'malware' covers the other two. So we would then have this "hierarchy" (thinking of mathematical set theory):
>     infected system
>         malware
>             botnet drone
>             ransomware
'malware' does _not_ cover 'botnet drone' and 'ransomware'.
> And in practice, which of the terms is used for classification (in the parser bots) is kind of random. But ransomware is not used at all (but it can be and should be, as some data actually covers ransomware).
I'd suggest dropping 'ransomware'. Why use a specific classification type only for this kind of malware but not for 'spambot', 'banking trojan', 'rootkit' and others?
I'd prefer using "infected system" as the classification type for malware infections as this fits with the classification level of other malicious code events.
Then we would have:
    taxonomy         type                   identifier
    malicious code   infected system        <malware-name>
    malicious code   c&c                    <malware-name>
    malicious code   dga domain             <malware-name>
    malicious code   malware distribution   <malware-name>
    malicious code   malware configuration  <malware-name>
- Thomas
CERT-Bund Incident Response & Malware Analysis Team
On 2018-03-12 16:32, Thomas Hungenberg wrote:
> On 12.03.2018 15:49, Sebastian Wagner wrote:
>> In intelmq we currently have 3 types for malicious code infections:
>>     malware
>>     botnet drone
>>     ransomware
> According to the description, 'malware' does not refer to an infection but to malware _distribution_. So maybe we should better rename this to "malware distribution"?
+1 But needs to be fixed in various places. I think it has been used as synonym for 'infected device'.
>> And in practice, which of the terms is used for classification (in the parser bots) is kind of random. But ransomware is not used at all (but it can be and should be, as some data actually covers ransomware).
> I'd suggest dropping 'ransomware'. Why use a specific classification type only for this kind of malware but not for 'spambot', 'banking trojan', 'rootkit' and others?
It was added on 18 Jun 2015 by Dognaedis: https://github.com/certtools/intelmq/commit/b53809b8c I don't see any reasoning for this.
> I'd prefer using "infected system" as the classification type for malware infections as this fits with the classification level of other malicious code events.
> Then we would have:
>
>     taxonomy         type                   identifier
>     malicious code   infected system        <malware-name>
>     malicious code   c&c                    <malware-name>
>     malicious code   dga domain             <malware-name>
>     malicious code   malware distribution   <malware-name>
>     malicious code   malware configuration  <malware-name>
+1 Time to clean this chaos.
Sebastian
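As an added example tying together the modify-expert behaviour from the first message and the renaming table above (this is not IntelMQ's own code; the harmonization table, the legacy-type mapping and the sample feed fields are constructed for the example):

```python
# Added example, not IntelMQ's own code: a stand-alone simulation of the flow
# discussed in this thread. parse() stamps every event with 'constant_fields',
# modify() overwrites the placeholder identifier with a harmonized malware
# name (falling back to malware.name), and migrate() maps the legacy type
# names to the proposed scheme. Tables and sample events are constructed.
import copy

CONSTANT_FIELDS = {  # proposed defaults from the thread
    'classification.taxonomy': 'malicious code',
    'classification.type': 'infected system',
    'classification.identifier': 'malware-generic',  # replaced by modify()
}

# Constructed table: feed-specific spelling -> harmonized malware name.
HARMONIZED_NAMES = {'Ramnit': 'ramnit', 'win32/ramnit.a': 'ramnit'}

# Legacy type -> proposed type, as renamed in the thread. 'malware' was also
# used for infections in places, so a real migration needs a per-feed check.
LEGACY_TYPES = {
    'botnet drone': 'infected system',
    'ransomware': 'infected system',
    'malware': 'malware distribution',
}


def parse(feed_fields):
    """Parser step: constant classification plus the feed's own fields."""
    event = copy.deepcopy(CONSTANT_FIELDS)
    event.update(feed_fields)
    return event


def modify(event):
    """Modify step: harmonized name if known, else malware.name, else default."""
    name = event.get('malware.name')
    if name is not None:
        event['classification.identifier'] = HARMONIZED_NAMES.get(name, name)
    return event


def migrate(event):
    """Rewrite a stored event's type from the old names to the proposed ones."""
    old = event.get('classification.type')
    if old in LEGACY_TYPES:
        event['classification.type'] = LEGACY_TYPES[old]
    return event


def classify(feed_fields):
    return modify(parse(feed_fields))
```

Running `classify({'source.ip': '192.0.2.10', 'malware.name': 'Ramnit'})` yields the 'infected system' / 'ramnit' classification from the first message, while a feed line without malware.name keeps the 'malware-generic' placeholder.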
On 12/03/18 16:43, Sebastian Wagner wrote:
> On 2018-03-12 16:32, Thomas Hungenberg wrote:
>> On 12.03.2018 15:49, Sebastian Wagner wrote:
>>> In intelmq we currently have 3 types for malicious code infections:
>>>     malware
>>>     botnet drone
>>>     ransomware
>> According to the description, 'malware' does not refer to an infection but to malware _distribution_. So maybe we should better rename this to "malware distribution"?
> +1 But needs to be fixed in various places. I think it has been used as synonym for 'infected device'.
>>> And in practice, which of the terms is used for classification (in the parser bots) is kind of random. But ransomware is not used at all (but it can be and should be, as some data actually covers ransomware).
>> I'd suggest dropping 'ransomware'. Why use a specific classification type only for this kind of malware but not for 'spambot', 'banking trojan', 'rootkit' and others?
> It was added on 18 Jun 2015 by Dognaedis: https://github.com/certtools/intelmq/commit/b53809b8c I don't see any reasoning for this.
>> I'd prefer using "infected system" as the classification type for malware infections as this fits with the classification level of other malicious code events.
>> Then we would have:
>>
>>     taxonomy         type                   identifier
>>     malicious code   infected system        <malware-name>
>>     malicious code   c&c                    <malware-name>
>>     malicious code   dga domain             <malware-name>
>>     malicious code   malware distribution   <malware-name>
>>     malicious code   malware configuration  <malware-name>
>>
> +1 Time to clean this chaos.
The type seems quite similar to the adversary classification and especially the predicate 'infrastructure-type':
https://github.com/MISP/misp-taxonomies/blob/master/adversary/machinetag.jso...
    adversary:infrastructure-status="unknown"
    adversary:infrastructure-status="compromised"
    adversary:infrastructure-status="own-and-operated"
    adversary:infrastructure-action="passive-only"
    adversary:infrastructure-action="take-down"
    adversary:infrastructure-action="monitoring-active"
    adversary:infrastructure-action="pending-law-enforcement-request"
    adversary:infrastructure-state="unknown"
    adversary:infrastructure-state="active"
    adversary:infrastructure-state="down"
    adversary:infrastructure-type="unknown"
    adversary:infrastructure-type="proxy"
    adversary:infrastructure-type="drop-zone"
    adversary:infrastructure-type="exploit-distribution-point"
    adversary:infrastructure-type="vpn"
    adversary:infrastructure-type="panel"
    adversary:infrastructure-type="tds"
If you want, we can extend the infrastructure-type to match the ones you have or plan to have. Then we can create a complete new taxonomy for IntelMQ in MISP taxonomy.
Cheers
--
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
16, bd d'Avranches L-1160 Luxembourg
info@circl.lu - www.circl.lu - (+352) 247 88444
Hi,
Thanks for chiming in. I added my assumptions for a mapping below between the quotes:
On 2018-03-12 16:56, Alexandre Dulaunoy wrote:
> adversary:infrastructure-status="unknown"
> adversary:infrastructure-status="compromised"
> adversary:infrastructure-status="own-and-operated"
We do not have equivalent fields for this kind of information.
> adversary:infrastructure-action="passive-only"
> adversary:infrastructure-action="take-down"
> adversary:infrastructure-action="monitoring-active"
> adversary:infrastructure-action="pending-law-enforcement-request"
Same here.
> adversary:infrastructure-state="unknown"
> adversary:infrastructure-state="active"
> adversary:infrastructure-state="down"
The state would match the field 'status'. We haven't specified values for it yet.
> adversary:infrastructure-type="unknown"
> adversary:infrastructure-type="proxy"
In the ENISA taxonomies, proxies do not exist, so in intelmq that would be other/proxy (in taxonomy/type notation).
> adversary:infrastructure-type="drop-zone"
'information content security'/dropzone
> adversary:infrastructure-type="exploit-distribution-point"
Taxonomy is 'malicious code', but not sure about the type, probably 'malware configuration' or 'c&c'
> adversary:infrastructure-type="vpn"
Not seen yet in intelmq, but that would be other/vpn
> adversary:infrastructure-type="panel"
> adversary:infrastructure-type="tds"
Also not seen in intelmq yet, but these are probably types below 'malicious code'.
Sebastian
On 12.03.2018 16:43, Sebastian Wagner wrote:
> On 2018-03-12 16:32, Thomas Hungenberg wrote:
>> I'd prefer using "infected system" as the classification type for malware infections as this fits with the classification level of other malicious code events.
>> Then we would have:
>>
>>     taxonomy         type                   identifier
>>     malicious code   infected system        <malware-name>
>>     malicious code   c&c                    <malware-name>
>>     malicious code   dga domain             <malware-name>
>>     malicious code   malware distribution   <malware-name>
>>     malicious code   malware configuration  <malware-name>
>>
> +1 Time to clean this chaos.
We could also use "malware infection" instead of "infected system" and probably add a "malware" prefix to "c&c" and "dga domain" as well to make these types more precise:
    taxonomy         type                   identifier
    malicious code   malware infection      <malware-name>
    malicious code   malware c&c            <malware-name>
    malicious code   malware dga domain     <malware-name>
    malicious code   malware distribution   <malware-name>
    malicious code   malware configuration  <malware-name>
What do you think?
- Thomas
CERT-Bund Incident Response & Malware Analysis Team