ANNOUNCEMENT
What's Next For Us: www.BLADE-DEFENDER.org
ATTENTION GRADUATE STUDENTS
SRI is seeking graduate student research interns for Summer 2010.
Our Latest Threat Intelligence
The data on this website is supplied as is, without warranty of any kind. You may NOT redistribute this data. Use or reliance on this data is at your own risk. (Redistribution of the data, and access to the live back-end data, binaries, and traces, are available on request only.)
Most Aggressive Malware Attack Sources and Filters
Sat Sep 4 09:02:38 2010
rank = 30-day importance ranking (1 to 100) of most aggressive infection sources
filter = Cisco IOS extended access-list entry that drops and logs all IP traffic sourced from the listed host (the same form is used in the C&C table below)
| rank | hits | first | last | domain | country | filter |
|---|---|---|---|---|---|---|
| 58 | 4 | 08/26 | 09/03 | rr.com | | deny ip host 173.170.223.26 any log |
| 53 | 4 | 08/23 | 09/01 | rr.com | | deny ip host 69.193.78.147 any log |
| 52 | 5 | 08/17 | 08/29 | rr.com | | deny ip host 69.193.68.239 any log |
| 52 | 5 | 08/09 | 08/27 | - | | deny ip host 184.74.74.202 any log |
| 48 | 3 | 09/02 | 09/03 | jws.com | | deny ip host 109.86.115.152 any log |
| 46 | 4 | 08/19 | 08/31 | hinet.net | | deny ip host 59.120.228.224 any log |
| 46 | 5 | 08/05 | 08/28 | sbcglobal.net | | deny ip host 75.37.173.251 any log |
| 46 | 4 | 08/18 | 09/01 | - | | deny ip host 194.19.234.252 any log |
| 44 | 4 | 08/19 | 09/03 | hinet.net | | deny ip host 60.250.199.56 any log |
| 43 | 3 | 08/23 | 09/03 | shawcable.net | | deny ip host 174.6.21.151 any log |
Most Effective Malware-Related Snort Signatures
Sat Sep 4 09:02:46 2010
detects = 30-day signature detection rates based on exposure to 7978 malware infections
| detects | sid:rev | author | phase | description |
|---|---|---|---|---|
| 56% | 299913:1 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 35% | 52123:3 | snort | outbound scan | registered free attack-responses micros... |
| 31% | 3001441:1 | snort | egg download | tftp get .exe from external source |
| 31% | 1444:3 | snort | egg download | tftp get from external source |
| 31% | 2008120:1 | emerging threats | egg download | policy outbound tftp read request |
| 30% | 5001684:99 | bothunter | egg download | bothunter malware windows executable (p... |
| 30% | 2001683:3 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 28% | 22466:7 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 21% | 2002750:10 | snort | inbound | policy reserved ip space traffic - bogon nets 2 |
| 21% | 3000003:99 | bothunter | egg download | bothunter http-based .exe upload on bac... |
Most Prolific BotNet Command and Control Servers and Filters
Sat Sep 4 09:02:21 2010
| rate | hits | first | last | domain | country | filter |
|---|---|---|---|---|---|---|
| 34 | 63 | 08/05 | 09/03 | - | | deny ip host 213.155.0.224 any log |
| 19 | 26 | 08/09 | 09/02 | host7x24.com | | deny ip host 62.193.249.122 any log |
| 14 | 20 | 08/05 | 09/02 | 163data.com.cn | | deny ip host 60.190.222.139 any log |
| 4 | 9 | 08/05 | 09/03 | greatnet.de | | deny ip host 83.133.119.206 any log |
| 1 | 2 | 08/27 | 08/27 | - | | deny ip host 210.127.253.90 any log |
| 1 | 2 | 08/22 | 08/25 | verizon.net | | deny ip host 70.107.249.167 any log |
| 1 | 1 | 09/03 | 09/03 | web.okusados.cl | | deny ip host 164.77.252.196 any log |
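The filter cells in the infection-source table and in the C&C table above are Cisco IOS extended access-list entries that match the listed host as the packet source. The example below is added here and is not code from the SRI page: it collects the rows of both tables, checks every address with Python's ipaddress module, refuses anything that is not globally routable (a feed line pointing at RFC 1918 or loopback space would cut off your own network if pushed to a router blindly), de-duplicates, and emits a named Cisco ACL in the page's own syntax plus an iptables translation. The iptables output, the ACL and chain names, and the destination-side rule for the C&C hosts (so a bot's outbound SYN is dropped before it leaves, not only the reply) are the example's assumptions.

```python
"""Build router and host-firewall blocklists from the SRI MTC filter tables.

Added example, not code from the page. Rows are copied from the two IP tables
above; the iptables output and the ACL/chain names are assumptions.
"""
import ipaddress
import re

# (rank or rate, hits, first, last, domain, filter) as printed in the tables above.
AGGRESSIVE_SOURCES = [
    (58, 4, "08/26", "09/03", "rr.com", "deny ip host 173.170.223.26 any log"),
    (53, 4, "08/23", "09/01", "rr.com", "deny ip host 69.193.78.147 any log"),
    (52, 5, "08/17", "08/29", "rr.com", "deny ip host 69.193.68.239 any log"),
    (52, 5, "08/09", "08/27", "-", "deny ip host 184.74.74.202 any log"),
    (48, 3, "09/02", "09/03", "jws.com", "deny ip host 109.86.115.152 any log"),
    (46, 4, "08/19", "08/31", "hinet.net", "deny ip host 59.120.228.224 any log"),
    (46, 5, "08/05", "08/28", "sbcglobal.net", "deny ip host 75.37.173.251 any log"),
    (46, 4, "08/18", "09/01", "-", "deny ip host 194.19.234.252 any log"),
    (44, 4, "08/19", "09/03", "hinet.net", "deny ip host 60.250.199.56 any log"),
    (43, 3, "08/23", "09/03", "shawcable.net", "deny ip host 174.6.21.151 any log"),
]
CNC_SERVERS = [
    (34, 63, "08/05", "09/03", "-", "deny ip host 213.155.0.224 any log"),
    (19, 26, "08/09", "09/02", "host7x24.com", "deny ip host 62.193.249.122 any log"),
    (14, 20, "08/05", "09/02", "163data.com.cn", "deny ip host 60.190.222.139 any log"),
    (4, 9, "08/05", "09/03", "greatnet.de", "deny ip host 83.133.119.206 any log"),
    (1, 2, "08/27", "08/27", "-", "deny ip host 210.127.253.90 any log"),
    (1, 2, "08/22", "08/25", "verizon.net", "deny ip host 70.107.249.167 any log"),
    (1, 1, "09/03", "09/03", "web.okusados.cl", "deny ip host 164.77.252.196 any log"),
]

# The page's filter syntax: a Cisco IOS extended ACL entry matching the host as source.
FILTER_RE = re.compile(r"^deny ip host (\S+) any log$")


def filter_ip(filter_line):
    """Parse one filter cell into an IP address; reject any other syntax."""
    m = FILTER_RE.match(filter_line.strip())
    if not m:
        raise ValueError(f"unexpected filter syntax: {filter_line!r}")
    return ipaddress.ip_address(m.group(1))  # ValueError if the cell is not an address


def blocklist(rows):
    """Globally routable addresses from the rows, highest rank first, de-duplicated."""
    out, seen = [], set()
    for row in sorted(rows, key=lambda r: (-r[0], -r[1])):
        ip = filter_ip(row[5])
        if not ip.is_global or ip in seen:
            continue  # never push RFC 1918, loopback or other non-global space to a blocklist
        seen.add(ip)
        out.append(ip)
    return out


def cisco_acl(name, ips):
    """Named extended ACL in the page's own 'deny ip host X any log' form."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip host {ip} any log" for ip in ips]
    lines.append(" permit ip any any")  # without this the implicit deny drops everything else
    return "\n".join(lines)


def iptables_rules(chain, ips, both_directions=False):
    """Assumed iptables translation: log, then drop, matching the host as source;
    with both_directions also as destination, for C&C hosts that bots connect out to."""
    lines = [f"iptables -N {chain}"]
    sides = ["-s", "-d"] if both_directions else ["-s"]
    for ip in ips:
        for flag in sides:
            lines.append(f"iptables -A {chain} {flag} {ip} -j LOG --log-prefix 'MTC-BLOCK '")
            lines.append(f"iptables -A {chain} {flag} {ip} -j DROP")
    return "\n".join(lines)


if __name__ == "__main__":
    print(cisco_acl("MTC_SOURCES", blocklist(AGGRESSIVE_SOURCES)))
    print(iptables_rules("MTC_CNC", blocklist(CNC_SERVERS), both_directions=True))
```

The generated chains still have to be hooked into INPUT/FORWARD/OUTPUT, and the ACL applied to an interface; the example deliberately stops at the rule text so it can be reviewed before anything is pushed.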
Most Observed Malware-Related DNS Names
Sat Sep 4 09:08:31 2010
embeds = number of malware binaries in which this DNS name was discovered
lookups = number of observed infections in which this DNS name was looked up
rank = 30-day importance ranking (1 to 100) of most prolific malware-related DNS names
| rank | lookups | embeds | first | last | country | DNS |
|---|---|---|---|---|---|---|
| 55 | 314 | 0 | 08/05 | 09/03 | | citi-bank.ru |
| 5 | 29 | 0 | 08/09 | 09/02 | | cx10man.weedns.com |
| 4 | 37 | 0 | 08/05 | 09/03 | | ad.ghura.pl |
| 3 | 25 | 0 | 08/05 | 09/03 | | proxim.ircgalaxy.pl |
| 3 | 15 | 8 | 08/09 | 09/02 | | siliconfireware.ru |
| 2 | 14 | 0 | 08/05 | 09/03 | | www.vouchercodes.com |
| 2 | 12 | 0 | 08/18 | 09/03 | | gg.arrancar.org |
| 2 | 11 | 0 | 08/18 | 09/02 | | sb.perfectexe.com |
| 2 | 9 | 6 | 08/18 | 08/30 | | moscow-advokat.ru |
| 2 | 11 | 0 | 08/17 | 09/03 | | www.pirateparty.in.ua |
Most Aggressively Spreading Malware Binaries
Sat Sep 4 09:13:04 2010
AV rate = antivirus engines (of 32) that detected the binary
| rank | hits | first | last | AV rate | Binary MD5 |
|---|---|---|---|---|---|
| 33 | | 08/27 | 09/03 | 0 of 32 | d41d8cd98f00b204e9800998ecf8427e |
| 14 | | 08/05 | 08/26 | 33 0 of 32 | 53bfe15e9143d86b276d73fdcaf66265 |
| 9 | | 08/05 | 08/26 | 26 of 32 | 7d99b0e9108065ad5700a899a1fe3441 |
| 4 | | 08/27 | 09/03 | 2 0 of 32 | ca832de942ad18471ca9a38ffe3cf7a9 |
| 3 | | 08/27 | 09/01 | 2 0 of 32 | 9ba1f1416a20fd97cdd2fcd9b45c08a9 |
| 2 | | 08/17 | 08/26 | 31 of 32 | 741e3b03b3ff6e464a5a61e7d1875f7f |
| 2 | | 08/27 | 09/03 | 0 0 of 32 | c9b4b7f0b994b5f2322b03140a5170da |
| 2 | | 08/05 | 08/26 | 3 of 32 | d9cb288f317124a0e63e3405ed290765 |
| 1 | | 08/05 | 08/23 | 32 of 32 | b502f83a7c9b237018a9e24485af2b79 |
| 1 | | 08/09 | 08/26 | 39 of 32 | d8040f84d47c7ab0476b8f624098b29b |
The top entry, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of zero bytes: that row counts empty captures (failed or truncated egg downloads), not a binary, which is also why no engine flags it. Exclude it from any hash blocklist. AV rate cells that do not read as a single "N of 32" value (for example "39 of 32") cannot be trusted as printed.
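The DNS names above are only useful as detection content if they are matched on label boundaries, and the hash list needs a sanity pass before it goes into a blocklist: the top entry is the MD5 of zero bytes, and several AV rate cells are not a single "N of 32" value. The example below is added here and is not code from the SRI page: it copies both tables, matches constructed BIND-style query-log lines against the names (catching sub-domains such as www.proxim.ircgalaxy.pl but not look-alike names such as notcx10man.weedns.com), rejects the empty-input hash, parses the AV rate cells and marks impossible ones as unusable, and finally intersects a constructed list of observed file hashes with what remains. The query-log lines and the observed hashes are constructed sample input; the log format, regexes and function names are the example's own.

```python
"""Match the DNS-name and binary-hash tables above against local telemetry.

Added example, not code from the page. The IOC lists are copied from the two
tables above; the query-log lines and observed hashes are constructed here, in
BIND querylog style, and the matching logic is the example's own.
"""
import hashlib
import re

MALWARE_DNS = [
    "citi-bank.ru", "cx10man.weedns.com", "ad.ghura.pl", "proxim.ircgalaxy.pl",
    "siliconfireware.ru", "www.vouchercodes.com", "gg.arrancar.org",
    "sb.perfectexe.com", "moscow-advokat.ru", "www.pirateparty.in.ua",
]
# (MD5, AV rate cell) exactly as printed in the table above, odd cells included.
MALWARE_BINARIES = [
    ("d41d8cd98f00b204e9800998ecf8427e", "0 of 32"),
    ("53bfe15e9143d86b276d73fdcaf66265", "33 0 of 32"),
    ("7d99b0e9108065ad5700a899a1fe3441", "26 of 32"),
    ("ca832de942ad18471ca9a38ffe3cf7a9", "2 0 of 32"),
    ("9ba1f1416a20fd97cdd2fcd9b45c08a9", "2 0 of 32"),
    ("741e3b03b3ff6e464a5a61e7d1875f7f", "31 of 32"),
    ("c9b4b7f0b994b5f2322b03140a5170da", "0 0 of 32"),
    ("d9cb288f317124a0e63e3405ed290765", "3 of 32"),
    ("b502f83a7c9b237018a9e24485af2b79", "32 of 32"),
    ("d8040f84d47c7ab0476b8f624098b29b", "39 of 32"),
]

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # the hash of nothing at all

QUERY_RE = re.compile(r"query: (\S+) IN \S+")
CLIENT_RE = re.compile(r"client (\S+?)#\d+")
AV_RE = re.compile(r"^(\d+) of (\d+)$")


def normalize(name):
    """Case-fold and strip the trailing dot so 'WWW.X.RU.' and 'www.x.ru' compare equal."""
    return name.lower().rstrip(".")


def matches_ioc(qname, iocs):
    """Exact or sub-domain match on a label boundary; returns the IOC hit or None."""
    q = normalize(qname)
    for ioc in iocs:
        ioc = normalize(ioc)
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def dns_hits(log_lines, iocs=MALWARE_DNS):
    """(client, queried name, matched IOC) for every query-log line that hits the list."""
    hits = []
    for line in log_lines:
        qm = QUERY_RE.search(line)
        if not qm:
            continue
        ioc = matches_ioc(qm.group(1), iocs)
        if ioc:
            cm = CLIENT_RE.search(line)
            hits.append((cm.group(1) if cm else "?", normalize(qm.group(1)), ioc))
    return hits


def parse_av_rate(cell):
    """'26 of 32' -> (26, 32); None for cells that are garbled or impossible (N > engines)."""
    m = AV_RE.match(cell.strip())
    if not m:
        return None
    n, d = int(m.group(1)), int(m.group(2))
    return (n, d) if n <= d else None


def audit_binaries(feed=MALWARE_BINARIES):
    """Split the hash table into usable (md5, parsed rate) and rejected (md5, reason)."""
    usable, rejected = [], []
    for md5, rate in feed:
        md5 = md5.lower()
        if not re.fullmatch(r"[0-9a-f]{32}", md5):
            rejected.append((md5, "not an MD5"))
        elif md5 == EMPTY_MD5:
            rejected.append((md5, "MD5 of zero bytes: an empty capture, not a binary"))
        else:
            usable.append((md5, parse_av_rate(rate)))
    return usable, rejected


def hash_hits(observed, feed=MALWARE_BINARIES):
    """Observed file hashes that appear in the usable part of the feed."""
    usable, _ = audit_binaries(feed)
    wanted = {md5 for md5, _ in usable}
    return sorted({h.lower() for h in observed} & wanted)


# Constructed sample telemetry (not from the page).
SAMPLE_QUERY_LOG = [
    "04-Sep-2010 09:01:02.117 client 192.168.1.20#51234: query: www.google.com IN A + (192.168.1.1)",
    "04-Sep-2010 09:01:05.330 client 192.168.1.20#51240: query: citi-bank.ru IN A + (192.168.1.1)",
    "04-Sep-2010 09:01:09.004 client 192.168.1.31#49152: query: www.proxim.ircgalaxy.pl. IN A + (192.168.1.1)",
    "04-Sep-2010 09:01:12.550 client 192.168.1.31#49153: query: notcx10man.weedns.com IN A + (192.168.1.1)",
]
SAMPLE_HASHES = ["D41D8CD98F00B204E9800998ECF8427E", "7d99b0e9108065ad5700a899a1fe3441", "00" * 16]

if __name__ == "__main__":
    for hit in dns_hits(SAMPLE_QUERY_LOG):
        print("DNS IOC hit:", hit)
    print("hash hits:", hash_hits(SAMPLE_HASHES))
    print("rejected:", audit_binaries()[1])
```

Two of the four constructed queries are hits (citi-bank.ru and the www. sub-domain of proxim.ircgalaxy.pl), the look-alike is not, and the empty-input hash never matches even though an empty file on a host would produce exactly that MD5.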

