Monitoring Your Network for Malware, SPAM, BOTNET, and other Infections

A service provider does not have to build a huge “BOTNET Detection” infrastructure to get a survey of infections on their network.

Organizations that post public data on Malware, BOTNET, SPAM, and other Infections

There is no single “badness view” of the Internet that gives a complete picture of the extent of criminal activity. Each organization uses different tools, measurement techniques, and derivative analysis to present its findings and conclusions, so it is recommended that multiple sources and approaches be used.

Each organization below provides up-to-date data and statistics on infections.

SANS Institute / Internet Storm Center – DShield Distributed Intrusion Detection System: DShield was one of the first “collective security” approaches to looking for badness on the Internet. Its reports are frequently cited in “how bad are the infections” analyses.

Arbor Network’s Active Threat Level Analysis System (ATLAS): ATLAS provides a range of reports.

SpamRankings.Net: Even seasoned executives, managers, and network engineers do not know how much spam their own organization emits, because spam is mostly sent by botnets without the owning organization’s knowledge. This research project ranks organizations by reputation, correlating anti-spam blocklist data with the organizations’ Autonomous Systems and giving them an incentive to improve their security.

Project Honey Pot: Project Honey Pot gathers statistics on Internet robots and the spammers who sometimes use them to steal email addresses. A snapshot of some of these statistics is published on its site; if the data can help you in some way, they ask that you contact them.

Composite Blocking List (CBL): The CBL takes its source data from very large mail server (SMTP) installations. Some of these are pure spamtrap servers, and some are not. The CBL only lists IPs exhibiting characteristics specific to open proxies of various sorts (HTTP, SOCKS, AnalogX, WinGate, Bagle call-back proxies, etc.) and dedicated spam bots (such as Cutwail, Rustock, Lethic, etc.) that have been abused to send spam, worms/viruses that do their own direct mail transmission, some types of trojan-horse or “stealth” spamware, dictionary mail harvesters, and so on. The CBL does not list based on the volume of email from a given IP address. The CBL also lists certain portions of botnet infrastructure, such as spam bot/virus infector download web sites, botnet-infected machines, and other web sites or name servers primarily dedicated to the use of botnets. Considerable care is taken to avoid listing IP addresses that are shared, or are likely to be shared, with legitimate use, except in the case of infector download web sites or phish emission.

VirusTotal: VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.

Team Cymru Research: Team Cymru Research NFP is a specialized Internet security research firm and 501(c)3 non-profit dedicated to making the Internet more secure. Team Cymru helps organizations identify and eradicate problems in their networks, providing insight that improves lives.

Daily Botnet Statistics: Personal site run by Chih-Cherng Chin in Taiwan that posts daily and yearly BOTNET and malware statistics.

Symantec Global Threat Center: Symantec’s current view of the threat landscape.

Anti-Phishing Working Group (APWG): APWG presents regular updates on phishing threats.

Websense Global Threat Intelligence: Websense Security Labs collects and processes a great deal of information on current cyber threats, including geo-location mapping. Review the site for other research details and statistics, and read the blog for breaking threat information.

Securelist: Kaspersky Lab’s presentation of its security telemetry.

Security Wizardry Radar Page: The “Computer Network Defence Operational Picture”, better known as The Radar Page, has proved extremely popular, especially during periods of heightened tension, when it sees hit rates of 12K/hour. It is a useful resource that illustrates the latest information security threats and news, updated by staff in Europe and the US, and is always complete with live information as it develops. The Radar Page was designed and built to cater for the demands of government and military networks requiring near-real-time information on new and emerging cyber threats. Its public availability and lack of corporate identity have resulted in almost every industry, including home users, taking advantage of it, either occasionally or full time on plasma screens. The page auto-updates every 20 minutes, drawing information from multiple sources.

Cisco IronPort SenderBase Security Network: SenderBase is the world’s largest email and web traffic monitoring network. First introduced in February 2003, IronPort’s SenderBase Network now collects data on more than 25 percent of the world’s email traffic and provides an unprecedented real-time view of security threats from around the world. SenderBase can be used like a “credit reporting service” for email, providing comprehensive data that ISPs and companies can use to differentiate legitimate senders from spammers and other attackers, and giving email administrators visibility into who is sending them email.

PhishTank: PhishTank is operated by OpenDNS. It is a free community site where anyone can submit, verify, track, and share phishing data.

Organizations that will provide Networks (Enterprise and others) and Service Providers (SPs) with Reports on the Infections

These organizations will send a list of infections seen on your network if asked. Each has a process to validate the identity of the requester and their authority to receive malware infection data. These validation processes protect networks from having their infection details abused by others.

Each organization below is listed with a description of its reporting service.

Spamhaus DNSBL Datafeed: The Spamhaus DNSBL Datafeed is a service for users with professional DNSBL query requirements, such as corporate networks and ISPs. It offers both a Query service and an Rsync service (you can choose either).

Arbor Network’s Active Threat Level Analysis System (ATLAS): ATLAS provides networks with the infection details it sees for them in its data set. Request access via the contact form on the ATLAS site (web form).

Microsoft’s Smart Network Data Services: Microsoft has set up telemetry on Windows Live Hotmail to provide networks (identified by their Autonomous System Number, ASN) with reports on hosts it sees as malware-infected (or malicious). Microsoft is strict on validation, making sure that people asking for data are authorized to receive it.

SANS Institute / Internet Storm Center – DShield Distributed Intrusion Detection System: DShield provides a network with a list of the badness its system has seen coming from that network. It provides ANY network with daily reports on the BOTNET infections seen on a specific IPv4 or IPv6 address block. Highly recommended for small, medium, and large networks.

Project Honey Pot: Project Honey Pot’s IP Monitor service enables you to continuously watch the IP space you control for any malicious behavior. The basic service allows you to set up a range of up to 256 IPs, a /24, or an AS Number. You may also monitor up to 5 individual IPs not included in any of those ranges. Project Honey Pot creates a Monitor page on its website that informs you of IP addresses in your monitored range that are observed engaging in some form of malicious behavior: spamming, harvesting, comment spamming, or otherwise acting naughty. The basic service is free to any active member of Project Honey Pot. You can upgrade to the Advanced Monitoring Service if you need to monitor a wider range of IPs. If you don’t already have an account, simply create one to begin monitoring your IP space.

Contributing Data from your Network to help monitor, track down, and squash badness

Most of the organizations listed above only work with the participation of network operators contributing data. There is a range of data sources that could be used. Most safeguard the personal information of your customers (check each data collection solution). All can provide references to other peers in the industry so that you can consult them and find the best way to contribute data.

Each organization below is listed with what it collects and, where stated, whether privacy is protected.

Arbor Network’s Active Threat Level Analysis System (ATLAS): ATLAS sensors are deployed pervasively around the world. Arbor Networks works with its service provider customers to roll out more sensors. If you are a service provider interested in working with Arbor to have an ATLAS sensor deployed in your network, contact Arbor through its site. Privacy protected: Yes.

SANS Institute / Internet Storm Center – DShield Distributed Intrusion Detection System: DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service. If you use a firewall, please submit your logs to the DShield database using one of their ready-to-go client programs. Privacy protected: Yes.

Project Honey Pot: Project Honey Pot is a distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email, they can tell not only that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it. To participate in Project Honey Pot, webmasters need only install the Project Honey Pot software somewhere on their website. Project Honey Pot handles the rest, automatically distributing addresses and receiving the mail they generate. As a result, installing Project Honey Pot should not increase the traffic or load on your website.

Project Honey Pot collates, processes, and shares the data generated by your site with you. It also works with law enforcement authorities to track down and prosecute spammers. Harvesting email addresses from websites is illegal under several anti-spam laws, and the data resulting from Project Honey Pot is critical for finding those breaking the law.

Additionally, Project Honey Pot periodically collates the email messages it receives and shares the resulting corpus with anti-spam developers and researchers. The data contributed by participants in Project Honey Pot will help to build the next generation of anti-spam software.

Project Honey Pot was created by Unspam Technologies, Inc., an anti-spam company with the singular mission of helping design and enforce effective anti-spam laws. They are always looking to partner with top software developers and enforcement authorities, and invite anyone they can help fight spam to contact them.

Dragon Research Group: The Dragon Research Group (DRG) Distro is a Linux-based Live CD platform. It forms the cornerstone of much of DRG’s ongoing research, analysis, and development efforts. The goal of the DRG Distro is to build a DRG Network of pods that can securely and anonymously help provide actionable intelligence to the Internet security community. The DRG Distro is designed to support varying network and privacy policies. It can act as a passive data collection facility for many common applications such as HTTP servers or, if expressly permitted, can help actively monitor malicious Internet activity. It also includes a number of tools that, when combined with the DRG Network, help provide real-time, usable intelligence to the local pod partner. The entire DRG Network is designed to provide real-time actionable intelligence in the form of statistics, graphs, threat feeds, and DRG Distro tool sets that will benefit the entire Internet security community. The DRG Distro is remotely supported by DRG and run by “pod partners” from around the globe. No pod partner or pod-specific information is ever shared outside the core DRG team by DRG. The DRG Distro contains no known unauthenticated access nor any well-known vulnerabilities; it is NOT designed to be compromised as a honeypot system might be. The DRG seeks trustworthy and reliable pod partners to help build and support the growing DRG Network. All pod partners are screened by DRG to help ensure the integrity of the DRG Network. Pod runners have some advantages over the general public: they have full insight into their own pods, and their feedback helps determine the future direction of the DRG Distro and DRG Network. Pod partners are also in a good position to showcase their talents if they wish to become part of the core DRG team in the future.
To volunteer to participate in the DRG Network by running one or more DRG Distro pods on a network you are administratively responsible for, or for which you have approval to run custom projects such as this, send the following information in a signed PGP message to:

  • Real and full name
  • PGP public key
  • Proposed network and geographic location(s) of the pod installation
  • General description of the planned pod connectivity (e.g. bandwidth available, network policy and global filter rules, special instructions)

RIPE Atlas: RIPE Atlas will produce a collection of live Internet maps with unprecedented detail. The goal is to deploy thousands of active probes, primarily in the RIPE NCC service region, and measure the Internet infrastructure in real time. As a sponsor or host you will not only help to achieve this ambitious goal, but will also have the possibility of conducting your own measurements using this network of probes. To learn more about RIPE Atlas, see the RIPE Labs articles or the FAQs. Privacy protected: Yes.