[Intelmq-dev] Classification of malware events

Sebastian Wagner wagner at cert.at
Mon Mar 12 15:49:08 CET 2018


On 2018-03-06 18:55, Thomas Hungenberg wrote:
> The term 'botnet drone' is very specific to sinkholing - but not all
> malware reaches out to C2 servers (and thus is a 'botnet drone').
> The infection could also have been identified by other means.
> So my intention is to use the term 'infected system' to cover both
> 'botnet drones' identified by sinkholing as well as malware infections
> identified by other means.
In intelmq we currently have 3 types for malicious code infections:
malware
botnet drone
ransomware

The term 'infected system' covers them all. 'malware' covers the other
two. So we would then have this "hierarchy" (thinking of mathematical
set theory):
infected system
> malware
> > botnet drone
> > ransomware
but all of them are classification types and are on the same level of
classification.

And in practice, which of the terms is used for classification (in the
parser bots) is kind of random. But ransomware is not used at all (but
it can be and should be, as some data actually covers ransomware).

(The three other types are: dga domain, malware configuration, c&c)

Sebastian

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Commercial register number 172568b, LG Salzburg

