[Intelmq-dev] Classification of malware events
Thomas Hungenberg
th at cert-bund.de
Mon Mar 12 16:32:05 CET 2018
On 12.03.2018 15:49, Sebastian Wagner wrote:
> In intelmq we currently have 3 types for malicious code infections:
> malware
> botnet drone
> ransomware
According to the description, 'malware' does not refer to an infection
but to malware _distribution_.
So maybe we should better rename this to "malware distribution"?
> The term 'infected system' covers them all. 'malware' covers the other
> two. So we would then have this "hierarchy" (thinking of mathematical
> set theory):
> infected system
>> malware
>>> botnet drone
>>> ransomware
'malware' does _not_ cover 'botnet drone' and 'ransomware'.
> And in practice, which of the terms is used for classification (in the
> parser bots) is kind of random. But ransomware is not used at all (but
> it can be and should be, as some data actually covers ransomware).
I'd suggest dropping 'ransomware'. Why use a specific classification type
only for this kind of malware but not for 'spambot', 'banking trojan',
'rootkit' and others?
I'd prefer using "infected system" as the classification type for
malware infections as this fits with the classification level of
other malicious code events.
Then we would have:

taxonomy         type                    identifier
malicious code   infected system         <malware-name>
malicious code   c&c                     <malware-name>
malicious code   dga domain              <malware-name>
malicious code   malware distribution    <malware-name>
malicious code   malware configuration   <malware-name>
- Thomas
CERT-Bund Incident Response & Malware Analysis Team
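The following is an added example, not code from the thread or from the IntelMQ project: a small helper that rewrites the three current `classification.type` values ("malware", "botnet drone", "ransomware") to the types proposed above and then checks an event against the proposed "malicious code" table. The field names `classification.taxonomy`, `classification.type` and `classification.identifier` are IntelMQ's; the mapping table, the function names and the sample events are constructed here for illustration.

```python
"""Hypothetical migration/validation helper for the taxonomy proposed in the thread.

This is an added example and not part of IntelMQ. It assumes events are plain
dicts keyed by IntelMQ's dotted field names.
"""

# Types listed for the 'malicious code' taxonomy in the proposal
PROPOSED_TYPES = {
    "infected system",
    "c&c",
    "dga domain",
    "malware distribution",
    "malware configuration",
}

# Constructed mapping from the three current types to the proposed ones:
# 'botnet drone' and 'ransomware' are infections, 'malware' means distribution.
LEGACY_TYPE_MAP = {
    "botnet drone": "infected system",
    "ransomware": "infected system",
    "malware": "malware distribution",
}


def migrate_classification(event: dict) -> dict:
    """Return a copy of `event` with a legacy classification.type rewritten.

    Other fields are left untouched; the malware name stays in
    classification.identifier, which is where the proposal keeps it.
    """
    migrated = dict(event)
    current_type = event.get("classification.type")
    if current_type in LEGACY_TYPE_MAP:
        migrated["classification.type"] = LEGACY_TYPE_MAP[current_type]
    # Every row of the proposed table uses the 'malicious code' taxonomy.
    migrated.setdefault("classification.taxonomy", "malicious code")
    return migrated


def validate_classification(event: dict) -> list:
    """Return a list of problems; an empty list means the event fits the proposal."""
    problems = []
    if event.get("classification.taxonomy") != "malicious code":
        problems.append("taxonomy is not 'malicious code'")
    if event.get("classification.type") not in PROPOSED_TYPES:
        problems.append("type %r is not a proposed type" % event.get("classification.type"))
    if not event.get("classification.identifier"):
        problems.append("identifier (malware name) is missing")
    return problems


# Constructed sample events as a parser bot might emit them today.
SAMPLE_EVENTS = [
    {"classification.type": "botnet drone", "classification.identifier": "example-bot"},
    {"classification.type": "ransomware", "classification.identifier": "example-ransomware"},
    {"classification.type": "malware", "classification.identifier": "example-dropper"},
    {"classification.type": "malware"},  # no malware name: should be flagged
]


def migrate_all(events=SAMPLE_EVENTS) -> list:
    """Migrate each sample event and pair it with its validation result."""
    return [(migrate_classification(e), validate_classification(migrate_classification(e)))
            for e in events]


if __name__ == "__main__":
    for migrated, problems in migrate_all():
        print(migrated, "->", problems or "ok")
```

Running the block shows the two infection types collapsing into "infected system" while the malware name survives in the identifier, and the last sample being rejected because the identifier the proposal relies on is absent.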