[Intelmq-dev] Classification of malware events

Sebastian Wagner wagner at cert.at
Mon Mar 12 16:43:59 CET 2018


On 2018-03-12 16:32, Thomas Hungenberg wrote:
> On 12.03.2018 15:49, Sebastian Wagner wrote:
>> In intelmq we currently have 3 types for malicious code infections:
>> malware
>> botnet drone
>> ransomware
> According to the description, 'malware' does not refer to an infection
> but to malware _distribution_.
> So maybe we should better rename this to "malware distribution"?

+1 But it needs to be fixed in various places. I think it has been used as
a synonym for 'infected device'.
>> And in practice, which of the terms is used for classification (in the
>> parser bots) is kind of random. But ransomware is not used at all (but
>> it can be and should be, as some data actually covers ransomware).
> I'd suggest dropping 'ransomware'. Why use a specific classification type
> only for this kind of malware but not for 'spambot', 'banking trojan',
> 'rootkit' and others?

It has been added 18 Jun 2015 by Dognaedis:
https://github.com/certtools/intelmq/commit/b53809b8c
I don't see a reasoning for this.
> I'd prefer using "infected system" as the classification type for
> malware infections as this fits with the classification level of
> other malicious code events.
>
> Then we would have:
>
> taxonomy	type			identifier
> malicious code	infected system		<malware-name>
> malicious code	c&c			<malware-name>
> malicious code	dga domain		<malware-name>
> malicious code	malware distribution	<malware-name>
> malicious code	malware configuration	<malware-name>

+1 Time to clean this chaos.

Sebastian

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
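As an added example, not part of the thread or of IntelMQ itself, a small normaliser that applies the proposed 'malicious code' table to IntelMQ-style flat events. The mapping of the legacy types and the lowercase-identifier convention are assumptions of the example; 'malware' is deliberately left for manual review because the thread notes it was used both for distribution and for infected devices.

```python
"""Hypothetical helper: migrate legacy IntelMQ classification.type values
to the taxonomy proposed in the thread. Not IntelMQ's own code."""

# Types proposed for taxonomy 'malicious code' (from the thread's table).
MALICIOUS_CODE_TYPES = {
    "infected system", "c&c", "dga domain",
    "malware distribution", "malware configuration",
}

# Assumed migration of the three legacy infection types discussed.
LEGACY_TYPE_MAP = {
    "botnet drone": "infected system",
    "ransomware": "infected system",   # malware family stays in the identifier
}
AMBIGUOUS_TYPES = {"malware"}         # distribution or infection? needs a human


def normalise_classification(event: dict) -> dict:
    """Return a copy of `event` with classification fields aligned to the
    proposed scheme. Raises ValueError for events a person must look at."""
    ev = dict(event)
    if ev.get("classification.taxonomy") != "malicious code":
        return ev                          # other taxonomies are untouched
    ctype = ev.get("classification.type")
    if ctype in AMBIGUOUS_TYPES:
        raise ValueError(f"type {ctype!r} is ambiguous; review feed manually")
    ctype = LEGACY_TYPE_MAP.get(ctype, ctype)
    if ctype not in MALICIOUS_CODE_TYPES:
        raise ValueError(f"unknown malicious code type {ctype!r}")
    ident = (ev.get("classification.identifier") or "").strip()
    if not ident:
        raise ValueError("malicious code events need <malware-name> identifier")
    ev["classification.type"] = ctype
    ev["classification.identifier"] = ident.lower()  # assumed convention
    return ev


def migrate(events: list) -> tuple:
    """Normalise a batch; return (migrated events, rejected (event, reason))."""
    ok, rejected = [], []
    for e in events:
        try:
            ok.append(normalise_classification(e))
        except ValueError as exc:
            rejected.append((e, str(exc)))
    return ok, rejected


if __name__ == "__main__":              # constructed sample events
    sample = [
        {"classification.taxonomy": "malicious code",
         "classification.type": "ransomware", "classification.identifier": "Locky"},
        {"classification.taxonomy": "malicious code",
         "classification.type": "malware", "classification.identifier": "zeus"},
    ]
    print(migrate(sample))
```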


