ANNOUNCEMENT
What's Next For Us: www.BLADE-DEFENDER.org
ATTENTION GRADUATE STUDENTS
SRI is seeking graduate student research interns for Summer 2010. For more details, click here.
Our Latest Threat Intelligence
The data on this website is supplied as is, without warranty of any kind. You may NOT redistribute this data. Use or reliance on this data is at your own risk. (If you REALLY REALLY must redistribute our stuff or get access to the live backend data, binaries, and traces, then click HERE.)
Most Aggressive Malware Attack Source and Filters
Tue May 15 08:30:52 2012
rank = 30-day importance ranking (1 to 100) of most aggressive infection sources
| rank | hits | first | last | domain | country | filter |
|---|---|---|---|---|---|---|
| 68 | 7 | 04/16 | 05/14 | grandenetworks.net |  |
deny ip host 72.48.210.10 any log |
| 67 | 6 | 04/19 | 05/11 | rr.com | |
deny ip host 67.8.181.206 any log |
| 60 | 6 | 04/20 | 05/10 | - |  |
deny ip host 94.242.20.122 any log |
| 57 | 5 | 04/27 | 05/09 | fineblank.com |  |
deny ip host 178.158.139.26 any log |
| 51 | 6 | 04/17 | 05/10 | charter.com | |
deny ip host 68.114.87.151 any log |
| 50 | 5 | 04/19 | 05/14 | kbronet.com.tw |  |
deny ip host 123.192.62.232 any log |
| 45 | 3 | 05/08 | 05/13 | - |  |
deny ip host 217.17.102.186 any log |
| 45 | 3 | 05/08 | 05/11 | - |  |
deny ip host 151.22.179.66 any log |
| 45 | 3 | 05/08 | 05/11 | famvid.com | |
deny ip host 66.94.200.153 any log |
| 37 | 4 | 04/19 | 05/12 | ccnw.ne.jp |  |
deny ip host 221.121.243.222 any log |
Most Effective Malware-Related Snort Signatures
Tue May 15 08:30:56 2012
detects = 30-day signature detection rates based on exposure to 6040 malware infections
| detects | sidrev | author | phase | description |
|---|---|---|---|---|
| 77% | 299913:1 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 65% | 2001683:3 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 65% | 5001684:99 | bothunter | egg download | bothunter malware windows executable (p... |
| 61% | 3000003:99 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 60% | 22466:7 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 53% | 292000032:99 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 53% | 22000032:6 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 52% | 3000000:99 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 28% | 52123:3 | snort | outbound scan | registered free attack-responses micros... |
| 24% | 2002750:10 | snort | inbound | policy reserved ip space traffic - bogon nets 2 |
Most Prolific BotNet Command and Control Servers and Filters
Tue May 15 08:30:39 2012
| rate | hits | first | last | domain | country | filter |
|---|---|---|---|---|---|---|
| 61 | 149 | 04/15 | 05/14 | - |  |
deny ip host 213.155.14.161 any log |
| 2 | 6 | 04/19 | 05/12 | greatnet.de |  |
deny ip host 83.133.119.197 any log |
| 2 | 4 | 04/30 | 04/30 | - |  |
deny ip host 182.72.4.108 any log |
| 1 | 4 | 04/22 | 05/11 | - |  |
deny ip host 114.112.255.81 any log |
| 1 | 1 | 05/11 | 05/11 | nacksystem.net | |
deny ip host 91.217.82.147 any log |
Most Observed Malware-Related DNS Names
Tue May 15 08:32:44 2012
embeds = number of malware binaries in which this DNS name was discovered
lookups = number of observed infections in which this DNS name was looked up
rank = 30-day importance ranking (1 to 100) of most prolific malware-related DNS names
| rank | lookups | embeds | first | last | country | DNS |
|---|---|---|---|---|---|---|
| 52 | 437 | 0 | 04/15 | 05/14 | |
citi-bank.ru |
| 6 | 52 | 1 | 04/15 | 05/12 | |
moscow-advokat.ru |
| 1 | 11 | 8 | 04/30 | 04/30 |  |
m.drd3h.com |
| 0 | 7 | 0 | 04/19 | 05/11 | |
proxim.ircgalaxy.pl |
| 0 | 3 | 0 | 04/27 | 05/12 |  |
www.zzxml.com |
| 0 | 7 | 0 | 04/19 | 05/06 | |
tyui89.com |
| 0 | 5 | 0 | 04/16 | 05/07 | |
gg.arrancar.org |
| 0 | 0 | 8 | 04/30 | 04/30 | |
cilevb.com |
| 0 | 2 | 0 | 05/11 | 05/12 | |
open-consulting-company.com |
| 0 | 2 | 0 | 05/11 | 05/12 | |
proxima.ircgalaxy.pl |
Most Aggressively Spreading Malware Binaries
Tue May 15 08:35:36 2012
| rank | hits | first | last | AV rate | Binary MD5 |
|---|---|---|---|---|---|
| 12 | 04/15 | 05/13 | 26 of 32 | 7d99b0e9108065ad5700a899a1fe3441 | |
| 11 | 04/15 | 05/14 | 33 0 of 32 | 53bfe15e9143d86b276d73fdcaf66265 | |
| 6 | 04/16 | 05/13 | 3 of 32 | d9cb288f317124a0e63e3405ed290765 | |
| 3 | 04/16 | 05/14 | 38 38 of 32 | d031b42d3fae9174b101871ef25cb257 | |
| 2 | 04/15 | 05/13 | 34 of 32 | d20f15711701f8549184e9e2ded2d2ae | |
| 2 | 04/16 | 05/14 | 32 34 of 32 | 0b951c2832d8f4f56a9a07731ed287e3 | |
| 2 | 04/15 | 05/10 | 40 of 32 | bcb3ec60f24c71b13afaea068503ded8 | |
| 2 | 04/15 | 05/11 | 41 of 32 | fb486908b086c67488dab1deb871f706 | |
| 2 | 04/15 | 05/11 | 38 of 32 | 9276456bf8f5b676ccd60d249e025a11 | |
| 2 | 04/18 | 05/10 | 32 of 32 | 488d27fe978a88f8bf4b0d3e173fb62e |