Introduction

While we collect a lot of different data, it does not become useful unless that information is shared. We are willing to share most of the data we collect daily, filtered appropriately for your area of responsibility. We are able to filter by ASN, CIDR, Country Code or TLD (all levels of TLDs). Each report represents the last 24 hours or seven days (for C&Cs) of activity that we were able to monitor. Note that just because a report type is listed does not imply that it will be available for access. We normally only allow access to filtered versions of the reports.

The frequency of reports will depend on the data that we collect or have received from partner organizations. It is possible to receive no reports from us if we have not gathered any data on your networks within the last 24 hours. By default all the available reports are enabled for all our consumers.

Time

Note that all times in all the reports are always presented in UTC+0.

Report Formats

The available formats for reports are:

  • CSV
  • HTML
  • XML
  • Text
  • URL to download (always included, but can be changed to only be that)

If you would like your reports in a format different from what you get now, please let us know.

Compression

By default all reports will be compressed because of the use of non-ASCII characters in the data. This has become much more common in the last couple of years, and most mail systems cannot handle the special characters very well; most in fact will just drop the emails. Compression is one method of shielding the text from the mail systems, although it causes a new issue with border protections that prevent compressed files from being delivered.

If you cannot receive compressed files we can disable the compression for your reports. You will have to let us know if that is the case.

Report Delivery

We currently have three types of delivery, and all depend upon subscription to the mailing list for your area of responsibility. Each day an email will go out for each report type if we collected any data for your network in that area. Within the email will be a URL leading to the download location of the appropriate file. We will maintain older downloads as long as possible, space permitting. An example of the URL looks like this:

http://dl.shadowserver.org/Gi3MOXk0n1f2UvV0vXrFaXx7U8s?-QPI5glAxzKER0Axncp1yQ

To extract the download command and automatically download the referenced file you can use the Perl script here.

Note: It is highly suggested that when importing the data from our files you go by the header names and do not rely on column counting. Occasionally we will re-order or add columns, and this can corrupt your data sets if you are counting columns.
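As an added example (this is not Shadowserver's Perl script, which is not reproduced on this page), a small Python snippet that pulls the download URL out of a report mail and then reads a report CSV by header name, so that re-ordered or added columns do not break the import. The mail body, the CSV rows and the field names used here are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample mail body in the shape described above (not a real report mail).
SAMPLE_MAIL = """Subject: report available
A new report is available. Download it from:
http://dl.shadowserver.org/EXAMPLEtoken?EXAMPLEkey
Regards"""

# Matches download URLs of the host shown on the page (token path plus query string).
DL_URL_RE = re.compile(r"https?://dl\.shadowserver\.org/\S+")

def extract_download_urls(mail_body):
    """Return every dl.shadowserver.org URL found in an email body."""
    return DL_URL_RE.findall(mail_body)

# Two constructed CSV samples carrying the same fields in different column orders,
# the situation the note above warns about (the second also gains an extra column).
REPORT_V1 = "timestamp,ip,port,asn,geo\n2014-01-02 03:04:05,192.0.2.10,161,64496,US\n"
REPORT_V2 = "ip,timestamp,geo,asn,port,extra\n192.0.2.10,2014-01-02 03:04:05,US,64496,161,x\n"

def parse_report(csv_text, required=("timestamp", "ip", "asn")):
    """Parse a report by header name and fail loudly if a required column is missing.

    Reading by name means a re-ordered or widened report still yields the same
    records; counting columns would silently shift every field instead.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = set(required) - set(reader.fieldnames or [])
    if missing:
        raise ValueError("report is missing expected columns: %s" % sorted(missing))
    return list(reader)

def records_by_ip(csv_text):
    """Index parsed rows by the 'ip' field, regardless of where that column sits."""
    return {row["ip"]: row for row in parse_report(csv_text)}

if __name__ == "__main__":
    print(extract_download_urls(SAMPLE_MAIL))
    print(records_by_ip(REPORT_V1) == records_by_ip(REPORT_V2) or "columns differ, fields match")
```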

The last method is to visit the download web site and access the reports directly. To do so, you will be required to sync your mailing list accounts if you are subscribed to more than one list. The instructions to do this are here. Once the email list accounts are synced, the downloads can be accessed here.

Note that any report that is greater than 833kB will not be sent out; only the download URL will be included in the email message. This is to help save on bandwidth and resource consumption.

Blocks from Downloads

If more than three bad downloads are attempted within a five minute period, the IP attempting the downloads will be blocked. All blocks are removed at Midnight (UTC-7) every day.

Report Types

Each of these reports has a different source and format. While we have attempted to keep them somewhat similar, that is not always possible based on the data.

Report | Alternative Report Name | Description | Source | Interval
------ | ----------------------- | ----------- | ------ | --------
Accessible XDMCP Service | | This report identifies hosts that have the X Display Manager service running and accessible on the internet | Service Scan | 24-Hours
ASN Summary Report | | Top 25 ASNs summarized by number of Command and Control systems within that ASN, by the highest number of closed C&Cs, and by the lowest number of closed C&Cs | Summary from all data sources | Weekly (Sunday)
Blacklist Report | | IP addresses that have been blacklisted by one of the many blacklist services on the Internet | Aggregated from blacklist providers | 24-Hours
Botnet URL Report | | Any URL that was seen in a botnet channel is reported. The URL could be an update, complaint, or information related to the criminals. Everything is included in case there is something of value in the URL | Botnet Monitoring | 24-Hours
Compromised Host Report | | Specific hosts that were seen to be compromised from a botnet. These are usually seen when another infected system reports on each host that had been compromised | Botnet Monitoring | 24-Hours
Compromised Website Report | | Websites that were seen to be compromised, and hence are likely to be abused for various types of attacks | Tracking systems | 24-Hours
Click-Fraud Report | | This is used as a source of fraud and possible revenue when a botnet is used to select links that are used for tracking or monetary purposes. The specific URLs that are targeted are listed | Botnet Monitoring | 24-Hours
Command and Control Report | | A list of all the currently known active C&Cs | Tracking System | 7-Days
DDoS Report | | Any attack is reported, whether the recipient is the target or the source of the attack | Botnet Monitoring | 24-Hours
DNS Open Resolvers Report | | Any host (IP) that appears to be running an openly recursive DNS server | Service Scan | 24-Hours
Drone Report | Botnet-Drone | Any host (IP) that was seen joining a known Command and Control system | Botnet Monitoring (IRC and HTTP) and Sinkholes | 24-Hours
Geographical Summary Report | | Top 25 countries summarized by number of Command and Control systems within that country, by the highest number of closed C&Cs, and by the lowest number of closed C&Cs | Summary from all data sources | Weekly (Sunday)
Honeypot URL Report | Daily Nepenthes Digest Report | This is a report of the source URLs from which malware was downloaded by the honeypot systems | Honeypots | 24-Hours
IRC Port Summary Report | | Summary of the ports used by Command and Controls, sorted three ways: by the most seen, by the highest rate of being shut down, and by the lowest rate of being shut down | Summary from all data sources | Weekly (Sunday)
Microsoft Sinkhole Report | | IPs accessing Microsoft's sinkholes, shared with Shadowserver for remediation | Sinkhole | 24-Hours
Netcore/Netis Router Vulnerability Scan Report | | Any host (IP) that appears to have an openly accessible backdoor on a Netcore/Netis router | Service Scan | 24-Hours
NTP Monitor Report | | Any host (IP) that appears to have an openly accessible NTP service running that responds to Mode 7 requests | Service Scan | 24-Hours
NTP Version Report | | Any host (IP) that appears to have an openly accessible NTP service running that responds to Mode 6 requests | Service Scan | 24-Hours
Open Portmapper Report | | Any host (IP) that appears to have an openly accessible portmapper service running that responds to an rpcinfo request | Service Scan | 24-Hours
Open DB2 Discovery Service | | This report identifies hosts that have the DB2 Discovery Service running and accessible on the internet | Service Scan | 24-Hours
Open Proxy Report | | Drones are used frequently as proxies or jump points, either directly or sold to other criminals | Search Engine Scraping, Botnets, Other | 24-Hours
Open CharGen Report | | Any host (IP) that appears to have an openly accessible chargen service running | Service Scan | 24-Hours
Open Elasticsearch Report | | Any host (IP) that appears to have an openly accessible Elasticsearch server running | Service Scan | 24-Hours
Open IPMI Report | | Any host (IP) that appears to have an openly accessible IPMI service running that responds to an IPMI ping | Service Scan | 24-Hours
Open Memcached Report | | Any host (IP) that appears to have an openly accessible Memcached key-value server running | Service Scan | 24-Hours
Open MongoDB Report | | Any host (IP) that appears to have an openly accessible MongoDB NoSQL server running | Service Scan | 24-Hours
Open MS-SQL Server Resolution Service Report | | Any host (IP) that appears to have an openly accessible MS-SQL Server Resolution Service running | Service Scan | 24-Hours
Open NAT-PMP Report | | Any host (IP) that appears to have an openly accessible NAT-PMP service running | Service Scan | 24-Hours
Open NetBIOS Report | | Any host (IP) that appears to have an openly accessible NetBIOS service running | Service Scan | 24-Hours
Open QOTD Report | | Any host (IP) that appears to have an openly accessible Quote Of The Day service running | Service Scan | 24-Hours
Open Redis Report | | Any host (IP) that appears to have an openly accessible Redis key-value server running | Service Scan | 24-Hours
Open SNMP Report | | Any host (IP) that appears to have an openly accessible SNMP service running | Service Scan | 24-Hours
Open SSDP Report | | Any host (IP) that appears to have an openly accessible Simple Service Discovery Protocol service running | Service Scan | 24-Hours
Open/Accessible TFTP | | This report identifies hosts that have the TFTP service running and accessible on the internet | Service Scan | 24-Hours
Proxy Report | | Drones are used frequently as proxies or jump points, either directly or sold to other criminals | Botnet Monitoring | 24-Hours
Scan Report | | Vulnerability scanning is a standard part of any botnet arsenal. We report on these as a warning that specific network blocks are being targeted | Botnet Monitoring | 24-Hours
Sandbox URL Report | Daily HTTP Report | These are the URLs that were accessed by malware. There are two versions of this report, an unfiltered version and a filtered version | Sandbox | 24-Hours
Sandbox Connection Report | | This is a summarization of all the network traffic that the sandbox has seen for the specific interval | Sandbox | 24-Hours
Sandbox IRC Report | Daily Digest Report | A list of all the new IRC Command and Control systems that were found after analyzing malware | Sandbox | 24-Hours
Sandbox SMTP Report | Daily SMTP Report | A list of e-mail addresses that were used by malware during a sandbox run | Sandbox | 24-Hours
Sinkhole HTTP Drone Report | | All the IPs that joined the sinkhole server that did not join via a referral URL | Sinkhole | 24-Hours
Sinkhole HTTP Referer Report | | A list of referral URLs that pushed systems to the sinkhole server | Sinkhole | 24-Hours
Spam-URL Report | | A list of the URLs and relays for spam that was received | Spam/E-Mail | 24-Hours
SSL FREAK Report | | Any host (IP) that could be used in an SSL FREAK attack | Service Scan | 24-Hours
SSL POODLE Report | | Any host (IP) that appears to be vulnerable to an SSL POODLE attack | Service Scan | 24-Hours