Last Updated 09/20/2006 15:37EDT
The following is a portion of The Shadowserver Foundation's overall process standards and guidelines. It is presented in a public manner in order to provide a basic glimpse into the key elements of the overall Shadowserver mission and process and how our work is conducted.
As a volunteer security organization working on behalf of the general public, The Shadowserver Foundation operates under a defined process flow which attempts to maximize the quality and quantity of the data and intelligence we gather, and do it efficiently and effectively. While the team is not truly a business, nor a company, we seek to project a professional and consistent image to the public and to ourselves.
Our basic mission is to study the Internet criminal element in its many forms, and to gather data that can be used to help detect malicious networks and protect against them. Another major goal is to raise the general public awareness of botnets, malware, and the propagation methods they use.
As such, our process flow requires that all operations are done the right way and on the right side of the law. Our process and methodology is recognized world-wide by many professional and law enforcement organizations.
Shadowserver seeks to make the bad guys' capability to commit computer crime as difficult as possible. To do this we must many times use the bad guys' tools against him. While doing this we must always ensure that we are not also crossing any legal line, and that we must always do no harm. This is a standard of operation that must be followed. Our job is to seek out the criminal activity, gather intelligence, and then report that to the appropriate authorities. That could be Internet Service Providers, Law Enforcement Organizations, or just certain mailing lists.
Another standard of operation is that Shadowserver does not exceed the authority on any system that would normally be allowed for the malware that we reverse or analyze. We only do what the malware would have normally have done as a part of its communication.
As part of the botnet research process, detailed information about the botnet is gathered and studied. After this information has been assembled, a command and control point is tested by simply emulating the malware that is already connecting to the system. This is done via a method that will not allow the Shadowserver's testing or monitoring system to participate or act as a drone of the botnet. At no time is there any attempt to exceed any authority levels or to cause any harm to the subject system.
During any testing phase, no member of the Shadowserver team will engage or establish a dialogue in a taunting or challenging manner with the bot herder or any other op of the botnet. In fact, any direct communication on a C&C server between a Shadowserver team member and the bot operators is discouraged.
A major component to the research of botnets is in the gathering and storage of malware. Shadowserver maintains a significant repository of categorized malware. This malware is used only by the Shadowserver team in a controlled environment for its research purposes only. The repository is tightly controlled by a limited number of Shadowserver team members.
Shadowserver strongly encourages the distribution of newly discovered malware directly to the established AV companies to further their research.
All communication with outside organizations with respect to the reporting or dissemination of malicious activity is documented and carefully tracked.
Shadowserver acts independently of any outside organization and does not act on their behalf. Any information or intelligence that is gathered is presented to the organization as a means of assisting them in their own internal research or mitigation.