Introduction
While we collect a lot of different data, it does not become useful unless that information is shared. We are willing to share most of the data we collect daily, filtered appropriately for areas of responsibility. We are able to filter by ASN, CIDR, or Country Code. Each report represents the last 24 hours (or the last seven days, for C&Cs) of activity that we were able to monitor. Note that just because a report type is listed does not imply that it will be available for access. We normally only allow access to filtered versions of the reports.
Time
Note that all times in all the reports are always presented in UTC+0.
Report Formats
The available formats for reports are:
- CSV
- HTML
- XML
- Text
If you would like your reports in a format different from what you get now, please let us know.
Compression
By default all reports will be compressed because of the usage of non-ASCII characters. This has become much more common in the last couple of years, and most mail systems cannot handle the special characters very well; most in fact will just drop the emails. Compression is one method of shielding the text from the mail systems, although it causes a new issue with border protections that prevent compressed files from being delivered.
If you cannot receive compressed files we can disable the compression for your reports. You will have to let us know if that is the case.
Report Delivery
We currently have three types of delivery, all of which depend on subscription to the mailing list for your area of responsibility. Each day an email will go out for each report type for which we collected data on your network. Within the email will be a URL leading to the download location of the appropriate file. We will keep older downloads available as long as possible, space permitting. An example URL looks like this:
http://dl.shadowserver.org/Gi3MOXk0n1f2UvV0vXrFaXC7U8s?-QPI5glAizKER0AMncp1yQ
To extract the download URL and automatically download the referenced file, you can use the Perl script here.
The last method is to visit the download web site and access the reports directly. To do so you will need to sync your mailing list accounts if you are subscribed to more than one list. The instructions to do this are here. Once the email list accounts are synced, the downloads can be accessed here.
Note that any report greater than 10 MB will not be sent out; only the download URL will be included in the email message. This helps save on bandwidth and resource consumption.
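The following is an added example of the e-mail-driven delivery described above; it is not Shadowserver's own Perl script. It assumes the notification body carries a token-style URL of the form shown on this page and that a compressed report arrives as a ZIP archive.

```python
"""Pull a report from a Shadowserver notification e-mail (added example)."""
import io
import re
import sys
import urllib.request
import zipfile

# Token-style download URL as shown on the page: path token, optional "?" token.
# Assumption: tokens consist of URL-safe base64 characters.
DL_URL_RE = re.compile(
    r"https?://dl\.shadowserver\.org/[A-Za-z0-9_-]+(?:\?[A-Za-z0-9_-]+)?"
)


def extract_download_urls(mail_body):
    """Return the download URLs found in an e-mail body, in order, deduplicated."""
    found = []
    for url in DL_URL_RE.findall(mail_body):
        if url not in found:
            found.append(url)
    return found


def unpack_report(payload):
    """Return {member_name: bytes} for a downloaded report.

    Reports are compressed by default (see Compression). A ZIP payload is
    recognised by its local-file-header magic and fully extracted; anything
    else (compression disabled on request) is returned unchanged.
    """
    if payload[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}
    return {"report": payload}


def zip_bytes(name, data):
    """Build a one-member ZIP archive in memory (offline stand-in for a download)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def fetch_report(url, timeout=60):
    """Download one report over the network and unpack it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return unpack_report(resp.read())


if __name__ == "__main__":
    # Usage: pipe the raw notification e-mail on stdin.
    for link in extract_download_urls(sys.stdin.read()):
        for member, data in fetch_report(link).items():
            print(member, len(data), "bytes")
```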
Report Types
Each of these reports has a different source and format. While we have attempted to keep them somewhat similar, that is not always possible given the data.
| Report | Alternative Report Name | Description | Source | Interval |
|---|---|---|---|---|
| ASN Summary Report | | Top 25 ASNs summarized by the number of Command and Control systems within that ASN, by the highest number of closed C&Cs, and by the lowest number of closed C&Cs | Summary from all data sources | Weekly (Sunday) |
| Botnet URL Report | | Any URL that was seen in a botnet channel is reported. The URL could be an update, a complaint, or information related to the criminals. Everything is included in case there is something of value in the URL | Botnet Monitoring | 24-Hours |
| Compromised Host Report | | Specific hosts that were seen to be compromised from a botnet. These are usually seen when another infected system reports on each host that had been compromised | Botnet Monitoring | 24-Hours |
| Click-Fraud Report | | Click fraud is a source of revenue when a botnet is used to select links that are used for tracking or monetary purposes. The specific URLs that are targeted are listed | Botnet Monitoring | 24-Hours |
| Command and Control Report | | A list of all the currently known active C&Cs | Tracking System | 7-Days |
| Conficker HTTP Drone Report | | Any host connecting to any of the Conficker Working Group Sinkholes | Conficker Sinkholes | 24-Hours |
| DDoS Report | | Any attack is reported, whether the recipient is the target or the source of the attack | Botnet Monitoring | 24-Hours |
| Drone Report | RETIRED: All data has been rolled into the "New Style" report | Any host (IP) that was seen joining a known Command and Control system. | Botnet Monitoring (IRC and HTTP) | 24-Hours |
| Drone Report | | Any host (IP) that was seen joining a known Command and Control system. | Botnet Monitoring (IRC and HTTP) and Sinkholes | 24-Hours |
| Geographical Summary Report | | Top 25 Countries summarized by the number of Command and Control systems within that country, by the highest number of closed C&Cs, and by the lowest number of closed C&Cs | Summary from all data sources | Weekly (Sunday) |
| Honeypot URL Report | Daily Nepenthes Digest Report | A report of the source URLs from which malware was downloaded by the Honeypot systems | Honeypots | 24-Hours |
| IRC Port Summary Report | | Summary of the ports used by Command and Control systems, sorted three ways: by the most seen, the highest rate of being shut down, and the lowest rate of being shut down. | Summary from all data sources | Weekly (Sunday) |
| Proxy Report | | Drones are frequently used as proxies or jump points, either directly or sold to other criminals. | Botnet Monitoring | 24-Hours |
| Scan Report | | Vulnerability scanning is a standard part of any botnet arsenal. We report on these as a warning that specific network blocks are being targeted | Botnet Monitoring | 24-Hours |
| Sandbox URL Report | Daily HTTP Report | The URLs that were accessed by malware. There are two versions of this report: an unfiltered version and a filtered version. | Sandbox | 24-Hours |
| Sandbox Connection Report | | A summarization of all the network traffic that the sandbox has seen for the specific interval. | Sandbox | 24-Hours |
| Sandbox IRC Report | Daily Digest Report | A list of all the new IRC Command and Control systems that were found after analyzing malware | Sandbox | 24-Hours |
| Sandbox SMTP Report | Daily SMTP Report | A list of e-mail addresses that were used by malware during a sandbox run. | Sandbox | 24-Hours |
| Sinkhole HTTP Drone Report | | All the IPs that joined the sinkhole server and did not join via a referral URL | Sinkhole | 24-Hours |
| Sinkhole HTTP Referer Report | | A list of referral URLs that pushed systems to the sinkhole server | Sinkhole | 24-Hours |
| Spam-URL Report | | A list of the URLs and relays for Spam that was received. | Spam/E-Mail | 24-Hours |