While we collect a lot of different data, it does not become useful unless that information is shared. We are willing to share most of the data we collect daily filtered appropriately for responsible areas. We are able to filter by ASN, CIDR, Country Code or TLD (all levels of TLDs). Each report represents the last 24-hours or seven-days (for C&C's) of activity that we were able to monitor. Note that just because there is a report type listed, does not imply that it will be available for access. We normally only allow access to filtered versions of the reports.
The frequency of reports will depend on the data that we collect or have received from partner organizations. It is possible to receive no reports from us if we had not gather anything data on your networks within the last 24-hours. By default all the available reports are enable for all our consumers.
Note that all times in all the reports are always presented in UTC+0.
The available format for reports is CSV.
The URL to download is always included, but it can be changed to only be that, no attachment.
By default all reports will be compressed because of the usage of non-ASCII characters. This has become much more common in the last couple of years, and most mail systems cannot handle the special characters very well. Most in fact will just drop the emails. Compression is one method of encapsulating the text from the mail systems, although causes a new issue with border protections that prevent compressed files from being delivered.
If you cannot receive compressed files we can disable the compression for your reports. You will have to let us know if that is the case.
We currently have three types of delivery, and all depend upon the subscription to the mailing list for your area of responsibility. Each day an email will go out for each report type if we had collected any data on that area for your network. Within the email will be a URL leading to the download location of the appropriate file. We will maintain older downloads as long as possible with space permitting. An example of the URL looks like this:
To help extract out the download command and automatically download the referenced file you can use this perl here.
Note: It is highly suggested that for importing the data from our files you take into account the header names and do not use column counting. Occasionally we will re-order or add additional columns and this can mess of you data sets if you are doing column counting.
The last method is to visit the download web site and access the reports directly. But do do so it will be required to sync your mailing list accounts if you are subscribed to more than one list. The instructions to do this are here. Once the email list accounts are synced, the downloads can be accessed here
Note that any report that is greater than 833kB will not be sent out, only the download URL will be included in the email message. This is the help save on bandwidth and resource consumption.
If more than three bad downloads are attempted within a five minute period, the IP attempting the downloads will be blocked. All blocks are removed at Midnight (UTC-7) every day.
Each of these reports as a different source and format. While we have attempted to keep them some what similar, that is not always possible based on the data.
|Report||Alternative Report Name||Description||Source||Interval|
|Accessible XDMCP Service||This report identifies hosts that have the X Display Manager service running and accessible on the internet||Service Scan||24-Hours|
|ASN Summary Report||Top 25 ASN's summarized by number of Command and Control systems that were within that ASN, by the highest closed C&C's, and lowest closed of C&C's||Summary from all data sources||Weekly (Sunday)|
|Blacklist Report||IP addresses that have been Blacklisted by one of the many Blacklist services on the Internet||Aggregated from Blacklist providers||24-Hours|
|Botnet URL Report||Any URL that was seen in a botnet channel is reported. The URL could be an update, complaint, or information related to the criminals. Everything is included in case there is something of value in the URL||Botnet Monitoring||24-Hours|
|Compromised Host Report||Specific hosts that were seen to be compromised from a botnet. These are usually seen when another infected system reports on each host that had been compromised||Botnet Monitoring||24-Hours|
|Compromised Website Report||Websites that were seen to be compromised, and hence are likely to be abused for various types of attacks.||Tracking systems||24-Hours|
|Click-Fraud ReportReport||This is used as a source of fraud and possible revenue when a botnet is used to select links that are used for tracking or monetary purposes. The specific URL's are targeted are listed||Botnet Monitoring||24-Hours|
|Command and Control Report||A list of all the currently known active C&C's||Tracking System||7-Days|
|DDoS Report||Any attack is reported whether the recipient is the target or the source of the attack||Botnet Monitoring||24-Hours|
|DNS Open Resolvers Report||Any host (IP) that appears to be running an openly recursive DNS server.||Service Scan||24-Hours|
|Drone Report/Botnet-Drone||Any host (IP) that was seen joining a known Command and Control system.||Botnet Monitoring (IRC and HTTP) and Sinkholes||24-Hours|
|Geographical Summary Report||Top 25 Countries summarized by number of Command and Control systems that were within that country, by the highest closed C&C's, and lowest closed of C&C's||Summary from all data sources||Weekly (Sunday)|
|Honeypot URL Report||Daily Nepenthes Digest Report||This is a report of the source URL's of where malware was downloaded from by the Honeypot systems||Honeypots||24-Hours|
|IRC Port Summary Report||Summary of the ports used by Command and Controls and sorted three ways. By the most seen, the highest rate of being shutdown, and the lowest rate of being shutdown.||Summary from all data sources||Weekly (Sunday)|
|Microsoft Sinkhole Report||IP's accessing Microsofts Sinkholes and shared with Shadowserver for remediation||Sinkhole||24-Hours|
|Netcore/Netis Router Vulnerability Scan Report||Any host (IP) that appears to have an openly accessible backdoor on a Netcore/Netis router.||Service Scan||24-Hours|
|NTP Monitor Report||Any host (IP) that appears to have an openly accessible NTP service running that responds to Mode 7 requests.||Service Scan||24-Hours|
|NTP Version Report||Any host (IP) that appears to have an openly accessible NTP service running that responds to Mode 6 requests.||Service Scan||24-Hours|
|Open Portmapper Report||Any host (IP) that appears to have an openly accessible portmapper service running that responds to an rpcinfo request.||Service Scan||24-Hours|
|Open DB2 Discovery Service||This report identifies hosts that have the DB2 Discovery Service running and accessible on the internet||Service Scan||24-Hours|
|Open Proxy Report||Drones are used frequently as proxies or jump points either directly or sold to other criminals.||Search Engine Scraping, Botnets, Other||24-Hours|
|Open CharGen Report||Any host (IP) that appears to have an openly accessible chargen service running.||Service Scan||24-Hours|
|Open Elasticsearch Report||Any host (IP) that appears to have an openly accessible Elasticsearch server running.||Service Scan||24-Hours|
|Open IPMI Report||Any host (IP) that appears to have an openly accessible IPMU service running that responds to an IPMI ping.||Service Scan||24-Hours|
|Open Memcached Report||Any host (IP) that appears to have an openly accessible Memcached key-value server running.||Service Scan||24-Hours|
|Open MongoDB Report||Any host (IP) that appears to have an openly accessible MongoDB NoSQL server running.||Service Scan||24-Hours|
|Open MS-SQL Server Resolution Service Report||Any host (IP) that appears to have an openly accessible MS-SQL Server Resolution Service running.||Service Scan||24-Hours|
|Open NAT-PMP Report||Any host (IP) that appears to have an openly accessible NAT-PMP service running.||Service Scan||24-Hours|
|Open NetBIOS Report||Any host (IP) that appears to have an openly accessible NetBIOS service running.||Service Scan||24-Hours|
|Open QOTD Report||Any host (IP) that appears to have an openly accessible Quote Of The Day service running.||Service Scan||24-Hours|
|Open Redis Report||Any host (IP) that appears to have an openly accessible Redis key-value server running.||Service Scan||24-Hours|
|Open SNMP Report||Any host (IP) that appears to have an openly accessible SNMP service running.||Service Scan||24-Hours|
|Open SSDP Report||Any host (IP) that appears to have an openly accessible Simple Service Discovery Protocol service running.||Service Scan||24-Hours|
|Open/Accessible TFTP||This report identifies hosts that have the TFTP service running and accessible on the internet||Service Scan||24-Hours|
|Proxy Report||Drones are used frequently as proxies or jump points either directly or sold to other criminals.||Botnet Monitoring||24-Hours|
|Scan Report||Vulnerbility scanning is a standard part of any botnet arsenal. We report on these as a warning that specific network blocks are being targeted||Botnet Monitoring||24-Hours|
|Sandbox URL Report||Daily HTTP Report||These are the URL's that were accessed by malware. There are two versions of this report, an unfiltered version, and a filtered version.||Sandbox||24-Hours|
|Sandbox Connection Report||This is a summarization of all the network traffic that the sandbox has seen for the specific interval.||Sandbox||24-Hours|
|Sandbox IRC Report||Daily Digest Report||A list of all the new IRC Command and Control systems that were found after analyzing malware||Sandbox||24-Hours|
|Sandbox SMTP Report||Daily SMTP Report||A list of e-mail addresses that was used by malware during a sandbox run.||Sandbox||24-Hours|
|Sinkhole HTTP Drone Report||All the IP's that joined the sinkhole server that did not join via a referral URL||Sinkhole||24-Hours|
|Sinkhole HTTP Referer Report||A list of referral URL's that pushed systems to the sinkhole server||Sinkhole||24-Hours|
|Spam-URL Report||A list of the URL's and relays for Spam that was received.||Spam/E-Mail||24-Hours|
|SSL FREAK Report||Any host (IP) that could be used in a SSL FREAK attack||Service Scan||24-Hours|
|SSL POODLE Report||Any host (IP) that appears to be vulnerable to a SSL POODLE attack||Service Scan||24-Hours|