2. Analyzing IPs with MetaDefender Cloud

About

MetaDefender Cloud allows users to check IP addresses and domains for malicious behavior using many IP reputation sources. This makes it possible to identify threats such as botnet activity that scanning files alone would not reveal when content is accessed. By providing a standardized interface to the leading IP reputation sources, MetaDefender Cloud returns aggregated data on whether an IP address or domain should be trusted, so that you can monitor your network for possible threats.

The potential maliciousness of an IP address or domain can change frequently. To keep our results up-to-date and reduce false positives, we only save our results from the IP reputation sources for 15 days.

The scan result for each provider follows this sample structure:

{
  "provider": "zeustracker.abuse.ch",
  "assessment": "botnet, zeus",
  "detect_time": "2019-03-08T09:33:58.303966Z",
  "update_time": "2019-03-08T09:33:58.560775",
  "status": 1
}

Below are some additional explanations for the scan results we return for IP addresses and domains.

Provider

We are currently using 13 sources to collect bad IP addresses, and we plan to expand this list with more sources of malicious URLs and domains. Below is the list of sources that MetaDefender Cloud currently incorporates. The list is subject to change depending on the availability and reliability of each source's contents.

SOURCE / OVERVIEW

Alien Vault

This source is generated by AlienVault Open Threat Exchange, a crowd-sourced service for IP reputation information.
It was first published on 22 Feb 2012 and updates daily.
It can return several assessments (botnet, scanner, spam, malware, phishing).

Brute Force Blocker

This source's main purpose is to block SSH brute-force attacks via its firewall.
It was first published on 12 Nov 2005 and updates daily.
It returns results for IP addresses considered "scanners".

Chaos Reigns

This source is generated by Chaos Reigns' automated, free, public email IP-reputation system.
It was first published on 31 Mar 2011 and updates daily.
It provides results for IP addresses it has whitelisted.

Clean MX

Over 700 abuse departments worldwide use this data to proactively detect harmful pages.
This source was first published on 01 Feb 2006 and updates hourly.
It returns results for IP addresses assessed as "malware" and "phishing".

Feodo Tracker

This source contains IP addresses (IPv4) that have been used as Command & Control (C&C) communication channels by the Feodo Trojan.
It updates weekly.
It provides the "botnet" assessment.

Malc0de

This source updates daily.
It returns the "malware" assessment.

Malware Domain List

The Malware Domain List website maintains a list of domains that are known to host malware.
This source was first published on 29 Aug 2009 and updates weekly.
It returns the "malware" assessment.

Phish Tank

This source is provided by PhishTank, a free community site where anyone can submit, verify, track and share phishing data.
The total phishes that this source has verified as valid at the time of writing is 1,533,197.
It updates hourly.
It returns results for IP addresses assessed as "phishing".

The Spamhaus Project

As of 02 October 2014, the Spamhaus Blocklists are protecting 2,199,795,000 users' mailboxes.
This source is one of these blocklists and contains netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers).
It updates daily.
It returns the assessment "suspicious".

Zeus Tracker

ZeuS Tracker offers various IP- and domain-blocklists that contain known ZeuS C&C servers associated with the ZeuS crimeware.
It updates daily.
It provides results for IP addresses assessed as "botnet".

ISC

ISC provides a free analysis and warning service to thousands of Internet users and organizations and is actively working with Internet Service Providers to fight back against the most malicious attackers.
Today the Internet Storm Center gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries.

BruteForceBlocker

BruteForceBlocker is a Perl script that works together with pf, the firewall developed by the OpenBSD team.

Phish.ai

An AI-powered anti-phishing platform that detects not only phishing websites but also the legitimate website each one impersonates.
It updates hourly and provides malicious IPs and URLs.

Status

There are three possible results for each source, listed below. MetaDefender Cloud categorizes an address as a BadIP if a source lists it in its blacklist. Our policy is to keep these results for up to 15 days in order to limit potential false positives.

See more details about our expiration policy in the Last Detected section.

0  Whitelisted: the IP (or the corresponding IP of a domain) is listed by the source in its whitelist. Note: not all sources provide whitelists.

1  Blacklisted: the IP (or the corresponding IP of a domain) is listed by the source in its blacklist. Refer to the source for more information about its blacklist.

5  Unknown: the source has not listed this IP address in either its blacklist or its whitelist.

Last Updated

Currently, MetaDefender Cloud's BadIP database is updated daily for each source, which is reflected in the "update_time" field of the results. This does not necessarily coincide with the source releasing its own list. Below is the update frequency for each source:

FREQUENCY / SOURCES

Hourly: Phish Tank, Dragon Research Group, Clean MX, Phish.ai

Daily: The Spamhaus Project, OpenBL, Zeus Tracker, Malc0de, Brute Force Blocker, Alien Vault, Chaos Reigns, Feodo Tracker

Weekly: Malware Domain List

*The update frequencies are estimates based on how regularly each source publishes; updates are not necessarily exactly daily or weekly, but close to it.

Last Detected

The "detect_time" indicates the last time an IP address was confirmed as belonging to a feed. Sources maintain their feeds (blocklists or whitelists) in one of two ways: some reset their list on each publish so that it contains only currently active bad IPs, while others accumulate newly found bad IPs without removing older entries.

For a source that resets their list

We use the time we last saw the IP on the list as the detection time. Because our policy is to keep entries for at most 15 days, the detection no longer appears in IP scan results after 15 days.

For a source that accumulates their list

We still show the bad IP detection even when it is older than 15 days, since the source itself has not retracted it.

Assessment

MetaDefender Cloud uses the assessment categories below, which are taken from the collective-intelligence-framework (CIF).

botnet

  • Typically a host used to control another host or malicious process.

  • Matching traffic would usually indicate infection.

  • Typically used to identify compromised hosts.

malware

  • Typically a host used to exploit and/or drop malware to a host for the first time.

  • Typically NOT a botnet controller (although they could overlap).

  • Communications with these indicators may lead to a compromise and then to a possible botnet controller communication (if the infection was successful).

  • Typically used in preemptive blocking, alerts may not indicate infection was successful.

phishing

  • An attempt to lure a victim into giving up some sort of credential.

  • A targeted attempt at getting someone to unintentionally cause infection (spear phishing).

scanner

  • Typically infrastructure being used to scan or brute-force (SSH, RDP, telnet, etc...).

spam

  • Typically infrastructure being used to facilitate the sending of spam.

suspicious

  • Unknown assessment.

whitelist

  • Denotes that a specific entity (usually an address) should be considered harmless in nature.

  • Denotes that blocking an entity would result in mass collateral damage (e.g., Yahoo virtually-hosted services).
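The following is an added example, not code from MetaDefender Cloud, showing how a consumer of the per-provider results described in the Status, Last Detected and Assessment sections can post-process them: map the 0/1/5 status codes, split the comma-separated "assessment" field into CIF tags, flag blacklist hits whose "detect_time" is older than the 15-day retention window (which, per the Last Detected section, can only come from accumulating feeds), and reduce everything to one verdict. The sample records are constructed for illustration; only the first one is copied from the page, and the other provider names are placeholders, not real feeds. The "review" outcome for a blacklist hit that some other source whitelists is a design choice of this example, based on the page's note that blocking a whitelisted entity can cause mass collateral damage.

```python
from datetime import datetime, timedelta, timezone

# Status codes as documented on this page
STATUS_WHITELISTED = 0
STATUS_BLACKLISTED = 1
STATUS_UNKNOWN = 5

RETENTION = timedelta(days=15)  # the page's 15-day retention policy


def parse_time(value):
    """Parse the page's timestamp format. Both 'detect_time' (with a trailing
    'Z') and 'update_time' (without one) are treated as UTC."""
    if value.endswith("Z"):
        value = value[:-1]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def split_assessment(text):
    """'botnet, zeus' -> ['botnet', 'zeus']; the field is a comma-separated list."""
    return [tag.strip().lower() for tag in text.split(",") if tag.strip()]


def summarize(results, now):
    """Group per-provider results by status and age.

    A blacklist hit whose detect_time is older than the retention window can
    only come from a source that accumulates its list (hits from resetting
    sources are expired after 15 days), so it is also recorded as 'stale'.
    """
    summary = {"blacklisted": [], "whitelisted": [], "unknown": [], "stale": []}
    tags = set()
    for r in results:
        provider, status = r["provider"], r["status"]
        if status == STATUS_BLACKLISTED:
            summary["blacklisted"].append(provider)
            if now - parse_time(r["detect_time"]) > RETENTION:
                summary["stale"].append(provider)
            tags.update(split_assessment(r.get("assessment", "")))
        elif status == STATUS_WHITELISTED:
            summary["whitelisted"].append(provider)
        elif status == STATUS_UNKNOWN:
            summary["unknown"].append(provider)
        else:
            # Anything outside the documented codes is a contract change; fail loudly.
            raise ValueError(f"unexpected status {status!r} from {provider}")
    summary["assessments"] = sorted(tags)
    return summary


def verdict(summary):
    """Reduce a summary to one of: block, review, aged, allow, unknown."""
    fresh = [p for p in summary["blacklisted"] if p not in summary["stale"]]
    if fresh and summary["whitelisted"]:
        # A whitelist entry means blocking may cause collateral damage: escalate, don't block.
        return "review"
    if fresh:
        return "block"
    if summary["stale"]:
        return "aged"       # only historical detections from accumulating feeds
    if summary["whitelisted"]:
        return "allow"
    return "unknown"


# Constructed sample: the first record is the page's own example; the other
# provider names are placeholders (hypothetical), not real feeds.
NOW = datetime(2019, 3, 20, tzinfo=timezone.utc)
SAMPLE_RESULTS = [
    {"provider": "zeustracker.abuse.ch", "assessment": "botnet, zeus",
     "detect_time": "2019-03-08T09:33:58.303966Z",
     "update_time": "2019-03-08T09:33:58.560775", "status": 1},
    {"provider": "constructed.accumulating.feed", "assessment": "malware",
     "detect_time": "2019-02-01T00:00:00.000000Z",  # 47 days old: past retention
     "update_time": "2019-03-19T00:00:00.000000", "status": 1},
    {"provider": "constructed.unknown.feed", "assessment": "",
     "update_time": "2019-03-19T00:00:00.000000", "status": 5},
]

if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS, NOW)
    print(s)
    print(verdict(s))
```

Run it as a script to see the grouped summary and the verdict for the constructed sample; in practice you would feed it the provider list from a real lookup response and the current UTC time.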