NEW: "SRI Releases a Complete Reverse Engineering of the Conficker C P2P Service." September 2009.
Our Latest Threat Intelligence
The data on this website is supplied as is, without warranty of any kind. You may NOT redistribute this data. Use or reliance on this data is at your own risk. (If you REALLY REALLY must redistribute our stuff or get access to the live backend data, binaries, and traces, then click HERE.)
Most Aggressive Malware Attack Source and Filters
Fri Nov 6 08:34:19 2009
rank = 30-day importance ranking (1 to 100) of most aggressive infection sources
| rank | hits | first | last | domain | country | filter |
|---|---|---|---|---|---|---|
| 75 | 6 | 10/19 | 11/05 | mchsi.com | | `deny ip host 173.23.56.33 any log` |
| 72 | 6 | 10/14 | 11/03 | hinet.net | | `deny ip host 61.218.193.250 any log` |
| 60 | 4 | 10/28 | 11/05 | ccnet-ai.ne.jp | | `deny ip host 202.45.170.4 any log` |
| 58 | 5 | 10/20 | 10/31 | hinet.net | | `deny ip host 211.20.222.150 any log` |
| 43 | 3 | 10/27 | 11/05 | suscom-maine.net | | `deny ip host 207.5.161.171 any log` |
| 41 | 3 | 10/24 | 11/04 | pacbell.net | | `deny ip host 67.125.140.230 any log` |
| 38 | 4 | 10/08 | 11/02 | starcat.ne.jp | | `deny ip host 203.91.165.198 any log` |
| 38 | 5 | 10/13 | 11/01 | rr.com | | `deny ip host 24.103.196.250 any log` |
| 35 | 3 | 10/19 | 11/05 | altuscgi.net | | `deny ip host 63.246.125.200 any log` |
| 35 | 3 | 10/18 | 11/01 | cavtel.net | | `deny ip host 98.141.163.84 any log` |
Most Effective Malware-Related Snort Signatures
Fri Nov 6 08:34:26 2009
detects = 30-day signature detection rates based on exposure to 3477 malware infections
| detects | sid:rev | author | phase | description |
|---|---|---|---|---|
| 56% | 299913:1 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 43% | 5001684:99 | bothunter | egg download | bothunter malware windows executable (p... |
| 43% | 2001683:3 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 36% | 52123:3 | snort | outbound scan | registered free attack-responses micros... |
| 29% | 3001441:1 | snort | egg download | tftp get .exe from external source |
| 29% | 1444:3 | snort | egg download | tftp get from external source |
| 29% | 2008120:1 | emerging threats | egg download | policy outbound tftp read request |
| 28% | 22466:7 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 19% | 292000032:99 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 18% | 22000032:6 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
Most Prolific BotNet Command and Control Servers and Filters
Fri Nov 6 08:33:52 2009
| rate | hits | first | last | domain | country | filter |
|---|---|---|---|---|---|---|
| 51 | 91 | 10/07 | 11/05 | eastweb.ru | | `deny ip host 213.219.245.212 any log` |
| 24 | 32 | 10/08 | 11/03 | louisianadynamics.com | | `deny ip host 66.252.13.214 any log` |
| 18 | 33 | 10/07 | 11/05 | 163data.com.cn | | `deny ip host 218.93.205.30 any log` |
| 14 | 25 | 10/07 | 11/02 | lightstorm.sk | | `deny ip host 92.240.234.164 any log` |
| 9 | 19 | 10/07 | 10/30 | - | | `deny ip host 91.212.220.75 any log` |
| 2 | 2 | 11/05 | 11/05 | ipaper.com | | `deny ip host 193.104.94.11 any log` |
| 2 | 2 | 11/03 | 11/03 | louisianadynamics.com | | `deny ip host 66.252.13.212 any log` |
| 1 | 2 | 10/11 | 10/31 | fhe3rz.net | | `deny ip host 82.98.86.170 any log` |
| 1 | 2 | 10/07 | 11/02 | allytech.com | | `deny ip host 200.49.145.197 any log` |
| 1 | 1 | 11/03 | 11/03 | csloxinfo.net | | `deny ip host 203.146.251.62 any log` |
Most Observed Malware-Related DNS Names
Fri Nov 6 08:38:10 2009
embeds = number of malware binaries in which this DNS name was discovered
lookups = number of observed infections in which this DNS name was looked up
rank = 30-day importance ranking (1 to 100) of most prolific malware-related DNS names
| rank | lookups | embeds | first | last | country | DNS |
|---|---|---|---|---|---|---|
| 19 | 150 | 0 | 10/07 | 11/05 | | citi-bank.ru |
| 10 | 57 | 19 | 10/10 | 11/05 | | proxim.ircgalaxy.pl |
| 9 | 41 | 33 | 10/08 | 11/05 | | siliconfireware.ru |
| 7 | 47 | 32 | 10/07 | 11/04 | | moscow-advokat.ru |
| 5 | 27 | 0 | 10/20 | 11/05 | | sleepatnight.cn |
| 4 | 34 | 0 | 10/07 | 11/05 | | www.petdoso.com |
| 4 | 8 | 33 | 10/08 | 11/05 | | www.bbin.ru |
| 4 | 30 | 0 | 10/07 | 11/03 | | cx10man.weedns.com |
| 4 | 33 | 0 | 10/08 | 11/05 | | spi.domainsponsor.com |
| 3 | 7 | 33 | 10/08 | 11/05 | | www.proxy-socks.net |
Most Effective Antivirus Tools Against New Malware Binaries
Fri Nov 6 08:40:32 2009
detects = Antivirus system overall detection rate based on exposure to 1311 malware binaries
| rank | detects | missed | analyzed | country | vendor |
|---|---|---|---|---|---|
| 1st | 89% | 133 | 1311 | | Ikarus Security Software |
| 2nd | 89% | 143 | 1311 | | Grisoft Inc |
| 3rd | 88% | 146 | 1311 | | Microsoft Corporation |
| 4th | 88% | 146 | 1311 | | Avira |
| 5th | 87% | 161 | 1311 | | Dr. Web |
| 6th | 87% | 166 | 1311 | | Kaspersky Lab |
| 7th | 87% | 170 | 1311 | | BitDefender Inc |
| 8th | 87% | 170 | 1311 | | Frisk Software International |
| 9th | 86% | 174 | 1311 | | Sophos Labs |
| 10th | 86% | 177 | 1311 | | Authentium |
Most Aggressively Spreading Malware Binaries
Fri Nov 6 08:40:42 2009
[Table: rank, hits, first, last, AV rate (detections out of 32 engines), binary MD5; ten rows, whose per-row values did not survive extraction intact.]