malware.yaml (158 lines, 139 loc, 8.32 KB)
tracker_c2:
  filter: parse_corpus
  update_every: 24h0m0s
  url: https://tracker.h3x.eu/download/5000
  info: '[h3x.eu](http://tracker.h3x.eu/) Corpus and C&C sites'
  maintainer: h3x.eu
  maintainer_url: http://tracker.h3x.eu/
bbcan177_ms1:
  filter: remove_comments
  update_every: 24h0m0s
  url: https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw
  info: pfBlockerNG Malicious Threats
  maintainer: BBcan177
  maintainer_url: https://gist.github.com/BBcan177
bbcan177_ms3:
  filter: remove_comments
  update_every: 24h0m0s
  url: https://gist.githubusercontent.com/BBcan177/d7105c242f17f4498f81/raw
  info: pfBlockerNG Malicious Threats
  maintainer: BBcan177
  maintainer_url: https://gist.github.com/BBcan177
cta_cryptowall:
  filter: parse_cta_cryptowall
  update_every: 24h0m0s
  url: https://public.tableau.com/views/CTAOnlineViz/DashboardData.csv?:embed=y&:showVizHome=no&:showTabs=y&:display_count=y&:display_static_image=y&:bootstrapWhenNotified=true
  info: '[Cyber Threat Alliance](http://www.cyberthreatalliance.org/cryptowall-dashboard.html) CryptoWall is one of the most lucrative and broad-reaching ransomware campaigns affecting Internet users today. Sharing intelligence and analysis resources, the CTA profiled the latest version of CryptoWall, which impacted hundreds of thousands of users and resulted in over US $325 million in damages worldwide.'
  maintainer: Cyber Threat Alliance
  maintainer_url: http://www.cyberthreatalliance.org/cryptowall-dashboard.html
cybercrime:
  filter: extract_ipv4_from_any_file
  update_every: 12h0m0s
  url: http://cybercrime-tracker.net/fuckerz.php
  info: '[CyberCrime](http://cybercrime-tracker.net/) A project tracking Command and Control servers.'
  maintainer: CyberCrime
  maintainer_url: http://cybercrime-tracker.net/
dyndns_ponmocup:
  filter: parse_cvs_dyndns_ponmocup
  update_every: 24h0m0s
  url: http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-shadowserver.csv
  info: '[DynDNS.org](http://security-research.dyndns.org/pub/malware-feeds/) Ponmocup. The malware powering the botnet has been around since 2006 and it’s known under various names, including Ponmocup, Vundo, Virtumonde, Milicenso and Swisyn. It has been used for ad fraud, data theft and downloading additional threats to infected systems. Ponmocup is one of the largest currently active botnets and, at nine consecutive years, also one of the longest running, but it is rarely noticed because the operators take care to keep it operating under the radar.'
  maintainer: DynDNS.org
  maintainer_url: http://security-research.dyndns.org/pub/malware-feeds/
feodo:
  filter: remove_comments
  update_every: 30m0s
  url: https://feodotracker.abuse.ch/downloads/ipblocklist.txt
  info: |
    [Abuse.ch Feodo tracker C2 IOC](https://feodotracker.abuse.ch)
    Unlike the recommended blocklist (feodo_c2), this list contains not only IP addresses currently responding as a botnet C2 but also IP addresses that were acting as a botnet C2 within the past 30 days, so it carries a higher false-positive risk from addresses that have since been reassigned.
  maintainer: Abuse.ch
  maintainer_url: https://feodotracker.abuse.ch/
feodo_c2:
  filter: remove_comments
  update_every: 5m0s
  url: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
  info: |
    [Abuse.ch Feodo tracker C2](https://feodotracker.abuse.ch)
    Dridex, Heodo (aka Emotet), TrickBot, QakBot (aka QuakBot / Qbot) and BazarLoader (aka BazarBackdoor) botnet command&control servers (C2s) usually reside on compromised servers or on servers rented and set up by the threat actor for the sole purpose of botnet hosting. Feodo Tracker offers a blocklist of IP addresses that are associated with such botnet C2s. It can be used to block botnet C2 traffic from infected machines towards hostile servers on the internet that are under the control of cybercriminals.
    To keep the false positive rate as low as possible, an IP address is only added to the blocklist if it responds with a valid botnet C2 response.
  maintainer: Abuse.ch
  maintainer_url: https://feodotracker.abuse.ch/
iblocklist_abuse_palevo:
  filter: p2p_gz
  update_every: 12h0m0s
  url: http://list.iblocklist.com/?list=erqajhwrxiuvjxqrrwfj&fileformat=p2p&archiveformat=gz
  info: palevotracker.abuse.ch IP blocklist.
  maintainer: iBlocklist.com
  maintainer_url: https://www.iblocklist.com/
iblocklist_abuse_spyeye:
  filter: p2p_gz
  update_every: 12h0m0s
  url: http://list.iblocklist.com/?list=zvjxsfuvdhoxktpeiokq&fileformat=p2p&archiveformat=gz
  info: spyeyetracker.abuse.ch IP blocklist.
  maintainer: iBlocklist.com
  maintainer_url: https://www.iblocklist.com/
iblocklist_abuse_zeus:
  filter: p2p_gz
  update_every: 12h0m0s
  url: http://list.iblocklist.com/?list=ynkdjqsjyfmilsgbogqf&fileformat=p2p&archiveformat=gz
  info: zeustracker.abuse.ch IP blocklist containing the IP addresses currently being tracked by the abuse.ch ZeuS Tracker.
  maintainer: iBlocklist.com
  maintainer_url: https://www.iblocklist.com/
iblocklist_malc0de:
  filter: p2p_gz
  update_every: 12h0m0s
  url: http://list.iblocklist.com/?list=pbqcylkejciyhmwttify&fileformat=p2p&archiveformat=gz
  info: malc0de.com IP blocklist. Addresses that have been identified distributing malware during the past 30 days.
  maintainer: iBlocklist.com
  maintainer_url: https://www.iblocklist.com/
sslbl:
  filter: csv_comma_first_column
  update_every: 30m0s
  url: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
  info: '[Abuse.ch SSL Blacklist](https://sslbl.abuse.ch/) IP addresses seen serving bad SSL traffic related to malware or botnet activity'
  maintainer: Abuse.ch
  maintainer_url: https://sslbl.abuse.ch/
sslbl_aggressive:
  filter: csv_comma_first_column
  update_every: 30m0s
  url: https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv
  info: '[Abuse.ch SSL Blacklist](https://sslbl.abuse.ch/) The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL ever detected being associated with a malicious SSL certificate. Since IP addresses can be reused (e.g. when the hosting customer changes), this blacklist may cause false positives. abuse.ch therefore strongly recommends using the standard version instead of the aggressive one.'
  maintainer: Abuse.ch
  maintainer_url: https://sslbl.abuse.ch/
urlvir:
  filter: remove_comments
  update_every: 24h0m0s
  url: http://www.urlvir.com/export-ip-addresses/
  info: '[URLVir.com](http://www.urlvir.com/) Active Malicious IP Addresses Hosting Malware. URLVir is an online security service developed by NoVirusThanks Company Srl that automatically monitors changes of malicious URLs (executable files).'
  maintainer: URLVir.com
  maintainer_url: http://www.urlvir.com/
urlvir_last:
  filter: urlvir_last
  update_every: 24h0m0s
  url: http://www.urlvir.com/
  info: '[URLVir.com](http://www.urlvir.com/) Active Malicious IP Addresses Hosting Malware. URLVir is an online security service developed by NoVirusThanks Company Srl that automatically monitors changes of malicious URLs (executable files).'
  maintainer: URLVir.com
  maintainer_url: http://www.urlvir.com/
urlhaus:
  filter: urlhaus
  update_every: 5h0m0s
  url: https://urlhaus.abuse.ch/downloads/text/
  info: '[Abuse.ch URLhaus](https://urlhaus.abuse.ch/) URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.'
  maintainer: Abuse.ch
  maintainer_url: https://urlhaus.abuse.ch/
vxvault:
  filter: extract_ipv4_from_any_file
  update_every: 12h0m0s
  url: http://vxvault.net/ViriList.php?s=0&m=100
  info: '[VxVault](http://vxvault.net) The latest 100 additions to VxVault.'
  maintainer: VxVault
  maintainer_url: http://vxvault.net
threatcrowd:
  filter: remove_comments
  update_every: 1h0m0s
  url: https://www.threatcrowd.org/feeds/ips.txt
  info: '[Crowdsourced IP feed from ThreatCrowd](http://threatcrowd.blogspot.gr/2016/02/crowdsourced-feeds-from-threatcrowd.html). These feeds are not a substitute for the scale of auto-extracted command and control domains or the quality of some commercially provided feeds, but crowd-sourcing does go some way towards the quick sharing of threat intelligence within the community.'
  maintainer: Threat Crowd
  maintainer_url: https://www.threatcrowd.org/
  disabled_reason: "Service unavailable"
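Each entry above names a `filter:` that turns the fetched payload into a set of addresses. The following is an added example, not code from the project that ships this YAML: the function names match four of the filter keys (`remove_comments`, `csv_comma_first_column`, `extract_ipv4_from_any_file`, `p2p_gz`), but their bodies are my assumption of what each filter does, the dispatch table `apply_filter` and the helper `_clean_ipv4` are my own, and every sample payload is constructed for the example rather than fetched from a feed.

```python
"""Reference implementations of four filter: values from malware.yaml (added example)."""
import csv
import gzip
import io
import ipaddress
import re

# Dotted quad not embedded in a longer dotted run (so "10.0.0.1.7" is not an address).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def _clean_ipv4(token):
    """Canonical form of a public unicast IPv4 address, or None (assumed policy).

    Feeds sometimes carry 0.0.0.0, 127.0.0.1 or RFC 1918 space; loading those into
    a firewall ipset would black-hole local traffic, so they are dropped, not trusted.
    is_global also rejects the TEST-NET ranges, hence the 1.2.3.4-style placeholders.
    """
    try:
        ip = ipaddress.IPv4Address(token)
    except ValueError:
        return None
    return str(ip) if ip.is_global else None


def remove_comments(body):
    """One address per line, '#' starts a comment (feodo, bbcan177_*, urlvir, threatcrowd)."""
    found = []
    for line in body.splitlines():
        ip = _clean_ipv4(line.split("#", 1)[0].strip())
        if ip and ip not in found:
            found.append(ip)
    return found


def csv_comma_first_column(body):
    """CSV whose first column is the address, as the sslbl filter name says.

    Feed layouts change over time: check the live header comment before trusting
    a column position.
    """
    found = []
    for row in csv.reader(io.StringIO(body)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        ip = _clean_ipv4(row[0].strip())
        if ip and ip not in found:
            found.append(ip)
    return found


def extract_ipv4_from_any_file(body):
    """Pull every IPv4 literal out of an arbitrary page (cybercrime, vxvault serve HTML)."""
    found = []
    for token in IPV4_RE.findall(body):
        ip = _clean_ipv4(token)
        if ip and ip not in found:
            found.append(ip)
    return found


def p2p_gz(blob):
    """gzip'ed PeerGuardian p2p text, one 'label:first-last' range per line (iblocklist_*).

    Ranges come back as CIDR networks, which is what an ipset of type hash:net wants;
    summarize_address_range yields the minimal CIDR cover of each range.
    """
    text = gzip.decompress(blob).decode("utf-8", errors="replace")
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _label, _, span = line.rpartition(":")  # labels may themselves contain ':'
        first, _, last = span.partition("-")
        try:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last or first)
        except ValueError:
            continue
        if lo > hi or not (lo.is_global and hi.is_global):
            continue
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return nets


FILTERS = {
    "remove_comments": remove_comments,
    "csv_comma_first_column": csv_comma_first_column,
    "extract_ipv4_from_any_file": extract_ipv4_from_any_file,
    "p2p_gz": p2p_gz,
}


def apply_filter(name, payload):
    """Dispatch on an entry's filter: value; an unknown name fails loudly, not as an empty set."""
    if name not in FILTERS:
        raise ValueError(f"no implementation for filter {name!r}")
    return FILTERS[name](payload)


# Constructed sample payloads (not real feed data).
SAMPLE_TXT = "# list (constructed)\n1.2.3.4\n127.0.0.1  # loopback\n5.6.7.8 # c2\n\n5.6.7.8\n"
SAMPLE_CSV = "# DstIP,DstPort,Reason (constructed)\n11.22.33.44,443,x\n192.168.1.10,443,x\n"
SAMPLE_HTML = "<td>1.2.3.4</td><td>build 10.0.0.1.7</td><p>66.77.88.99 and 999.1.1.1</p>"
SAMPLE_P2P = gzip.compress(
    b"# constructed\nexample:c2:1.2.3.4-1.2.3.7\nlocal:10.0.0.0-10.255.255.255\none:5.6.7.8-5.6.7.8\n")

if __name__ == "__main__":
    for name, payload in [("remove_comments", SAMPLE_TXT), ("csv_comma_first_column", SAMPLE_CSV),
                          ("extract_ipv4_from_any_file", SAMPLE_HTML), ("p2p_gz", SAMPLE_P2P)]:
        print(name, [str(x) for x in apply_filter(name, payload)])
```

The non-global filter in `_clean_ipv4` is the check most worth keeping whatever the consumer: a single `127.0.0.1` or `0.0.0.0/8` line slipping from a feed into a DROP ipset is a self-inflicted outage, and the aggressive lists on this page are exactly where reassigned or junk addresses show up.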
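The `update_every` values are written in Go's `time.Duration` string form (`24h0m0s`, `5m0s`), several feeds are fetched over plain `http://`, and one entry carries a `disabled_reason`. The following is an added example, not the project's own code, that parses those durations into seconds and lints entries before they are scheduled; the three entries in `FEEDS` are copied from the YAML above (with `info` omitted), while `KNOWN_FILTERS` is just the set of filter names that appear on this page and the finding strings and the decision to flag non-TLS feeds are my assumptions.

```python
"""Schedule parsing and sanity checks for malware.yaml feed entries (added example)."""
import re
from urllib.parse import urlsplit

# Every filter: value that appears in malware.yaml.
KNOWN_FILTERS = {
    "parse_corpus", "remove_comments", "parse_cta_cryptowall",
    "extract_ipv4_from_any_file", "parse_cvs_dyndns_ponmocup", "p2p_gz",
    "csv_comma_first_column", "urlvir_last", "urlhaus",
}

# update_every uses Go Duration syntax restricted to h/m/s, e.g. "24h0m0s" or "5m0s".
DURATION_RE = re.compile(r"(\d+)([hms])")
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_update_every(value):
    """Convert an update_every string to seconds; anything but h/m/s components is rejected."""
    parts = DURATION_RE.findall(value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"bad update_every {value!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def lint_feed(entry):
    """Return the findings for one feed definition; an empty list means it is clean."""
    findings = []
    if entry.get("disabled_reason"):
        findings.append(f"disabled: {entry['disabled_reason']}")
    if entry.get("filter") not in KNOWN_FILTERS:
        findings.append(f"unknown filter {entry.get('filter')!r}")
    scheme = urlsplit(entry.get("url", "")).scheme
    if scheme != "https":
        # A blocklist fetched without TLS has no integrity protection: anyone on the
        # path can add addresses, and the consumer's own firewall then blocks whatever
        # the attacker chose.  Treat such feeds as untrusted input (assumed policy).
        findings.append(f"feed fetched over {scheme or 'unknown scheme'}, not https")
    try:
        parse_update_every(entry["update_every"])
    except (KeyError, ValueError) as exc:
        findings.append(f"bad update_every: {exc}")
    return findings


def lint_all(feeds):
    """Map feed name to findings, keeping only the feeds that have any."""
    return {name: f for name, f in ((n, lint_feed(e)) for n, e in feeds.items()) if f}


# Entries copied from malware.yaml; info text omitted.
FEEDS = {
    "feodo_c2": {
        "filter": "remove_comments",
        "update_every": "5m0s",
        "url": "https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt",
        "maintainer": "Abuse.ch",
    },
    "cybercrime": {
        "filter": "extract_ipv4_from_any_file",
        "update_every": "12h0m0s",
        "url": "http://cybercrime-tracker.net/fuckerz.php",
        "maintainer": "CyberCrime",
    },
    "threatcrowd": {
        "filter": "remove_comments",
        "update_every": "1h0m0s",
        "url": "https://www.threatcrowd.org/feeds/ips.txt",
        "maintainer": "Threat Crowd",
        "disabled_reason": "Service unavailable",
    },
}

if __name__ == "__main__":
    for name, entry in FEEDS.items():
        print(f"{name}: every {parse_update_every(entry['update_every'])}s", lint_feed(entry))
```

Running it reports `cybercrime` for its plain-http URL and `threatcrowd` for its `disabled_reason`, while `feodo_c2` comes back clean; the same walk gives you the fetch interval in seconds for the scheduler.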