2. Analyzing IPs with MetaDefender Cloud

About

MetaDefender Cloud allows users to check IP addresses and domains for malicious behavior using many IP reputation sources. This functionality makes it possible to identify threats like botnets that would not be found through scanning files when accessing content. By providing a standardized interface for the leading IP reputation sources, MetaDefender Cloud makes it possible to obtain aggregated data on whether an IP address or domain should be trusted, so that you can monitor your network for possible threats.

The potential maliciousness of an IP address or domain can change frequently. To keep our results up-to-date and reduce false positives, we only save our results from the IP reputation sources for 15 days. In addition, we are experimenting with an algorithm for determining the confidence level for a given IP address result. The confidence level we display for each result aims to provide an additional data point for decision making, to allow a balance between security and flexibility.

Below are some additional explanations for the scan results we return for IP addresses and domains.

Source

We are currently using 13 sources to collect bad IP addresses. However, we plan to expand this list to include URL-based as well as non-CIF compatible sources. Below is a list of the sources that MetaDefender Cloud currently incorporates. This list is subject to change depending on the availability and reliability of its contents.

SOURCE

OVERVIEW

Alien Vault

This source is generated by AlienVault Open Threat Exchange, a crowd-sourced service for IP reputation information.
It was first published on 22 Feb 2012 and updates daily.
It contains many assessments (botnet, scanner, spam, malware, phishing).

Brute Force Blocker

This source's main purpose is to block SSH bruteforce attacks via its firewall.
It was first published on 12 Nov 2005 and updates daily.
It returns results for IP addresses considered "scanners".

Chaos Reigns

This source is generated by the corresponding automated, free, public email IP-reputation system.
It was first published on 31 Mar 2011 and updates daily.
It provides results for IP addresses it has whitelisted.

Clean MX

Over 700 abuse departments worldwide use this data to proactively detect harmful pages.
This source was first published on 01 Feb 2006 and updates hourly.
It returns results for IP addresses assessed as "malware" and "phishing".

Feodo Tracker

This source contains IP addresses (IPv4) that have been used as Command & Control (C&C) communication channels by the Feodo Trojan.
It updates weekly.
It provides the "botnet" assessment.

Malc0de

This source updates daily.
It returns the "malware" assessment.

Malware Domain List

The Malware Domain List website maintains a list of domains that are known to host malware.
This source was first published on 29 Aug 2009 and updates weekly.
It returns the "malware" assessment.

Phish Tank

This source is provided by PhishTank, a free community site where anyone can submit, verify, track and share phishing data.
At the time of writing, this source has verified 1,533,197 phishes as valid.
It updates hourly.
It returns results for IP addresses assessed as "phishing".

The Spamhaus Project

As of 02 October 2014, the Spamhaus Blocklists are protecting 2,199,795,000 users' mailboxes.
This source is one of these blocklists and contains netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers).
It updates daily.
It returns the assessment "suspicious".

Zeus Tracker

ZeuS Tracker offers various IP- and domain-blocklists that contain known ZeuS C&C servers associated with the ZeuS crimeware.
It updates daily.
It provides results for IP addresses considered "botnets".

ISC

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.
Today the Internet Storm Center gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries.

BruteForceBlocker

BruteForceBlocker is a Perl script that works with pf, the firewall developed by the OpenBSD team.

Result

There are three possible results for each of the sources. These are listed below. MetaDefender Cloud categorizes an IP address as BadIP if it belongs to a source's blacklist. Our policy is to keep these results for up to 15 days in order to limit potential false positives.

See more details about our expiration policy in the Last Detected section.

Blacklisted

IP (or corresponding IP) is listed by the source in their blacklist. Refer to the source for more information regarding their blacklist.

Whitelisted

IP (or corresponding IP) is listed by the source in their whitelist. Note: Not all sources provide whitelists.

Unknown

The source has not listed this IP address in either their blacklist or whitelist.

Corresponding IP: If the input is a URI, the IP for this hostname will be looked up using the freegeoip service. If we fail to retrieve the IP for the given hostname, we are not able to scan the input. In a future release, we plan to support looking up both the IP and the URI as inputs to a whitelist and block-list.

Last Updated

Currently, MetaDefender Cloud's BadIP database is updated daily for each source, which is indicated in the "Last updated" column of the results. However, this does not necessarily correspond directly with the source releasing their own list. In the near future, this information will represent the time when the feed is generated instead of the time when we consume the feed. Below is the update frequency for each source.

FREQUENCY

SOURCES

Hourly

Phish Tank, Dragon Research Group, Clean MX

Daily

The Spamhaus Project, OpenBL, Zeus Tracker, Malc0de, Brute Force Blocker, Alien Vault, Chaos Reigns, Spy Eye Tracker, Feodo Tracker

Weekly

Malware Domain List

*The update frequencies for these sources are estimates based on their regular updates. They are not necessarily exactly daily or weekly, but relatively close to this.

Last Detected

The last detected date indicates the last time an IP address was confirmed as a BadIP by the source. There are two different types of feed (whether block-list or whitelist): one is reset so that it contains only currently active bad IPs, and the other accumulates newly-found bad IPs over time.

For a source that resets their list

We use the time at which we last saw the IP in the list as the detection time. In this case, since our policy is to keep results only up to 15 days, IP scan results will no longer show the detection after 15 days.

For a source that accumulates their list

We still show bad IP detections even if the detection is older than 15 days. In this case, our confidence score will be lower than for a more recent detection.

Assessment

MetaDefender Cloud utilizes the assessments below, which have been pulled from the collective-intelligence-framework.

botnet

  • Typically a host used to control another host or malicious process.

  • Matching traffic would usually indicate infection.

  • Typically used to identify compromised hosts.

malware

  • Typically a host used to exploit and/or drop malware to a host for the first time.

  • Typically NOT a botnet controller (although they could overlap).

  • Communications with these indicators may lead to a compromise and then to a possible botnet controller communication (if the infection was successful).

  • Typically used in preemptive blocking, alerts may not indicate infection was successful.

phishing

  • A luring attempt at a victim to exfiltrate some sort of credential.

  • A targeted attempt at getting someone to unintentionally cause infection (spear phishing).

scanner

  • Typically infrastructure being used to scan or brute-force (ssh, rdp, telnet, etc...).

spam

  • Typically infrastructure being used to facilitate the sending of spam.

suspicious

  • Unknown assessment.

whitelist

  • Denotes that a specific entity (usually an address) should be considered harmless in nature.

  • Denotes that blocking an entity would result in mass collateral damage (e.g., Yahoo virtually-hosted services).

  • Confidence should be applied to each entry to help calculate risk associated with whitelist.

Confidence

The confidence score represents the reliability of the detection based on several factors. The higher the score, the more reliable the result.

95-99: certain (not yet included in our ratings)

85-94: very confident

75-84: somewhat confident

50-74: not confident

0-49: unknown

Confidence (max 90) = 50 (base) 
+ feed update (up to 10)
+ source reputation (up to 15)
+ result expiration (-89 to 15)
+ multiple detections (30)

FACTOR

DESCRIPTION

Feed update

More frequently updated sources receive more confidence points. If it updates hourly, we add 10 points. If daily, then we add 5 points. If the source updates only weekly, no confidence points are added for this factor.

Source reputation

Based on internal analysis.

Result expiration

We consider results expired after 15 days, so we look at the last detected time for an IP address and add confidence based on the age of the result. For results up to 15 days old, we add 15 points to the confidence. After 15 days, we reduce the amount added by one point per day, down to a minimum of 1 (it never reaches 0).

Multiple detections

If 2 sources detect the IP address as malicious, we add 10 to the confidence level. If more than 2 sources detect the IP address as malicious, we add 30 to the confidence level.
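The following Python script is an added worked example, not MetaDefender Cloud's own code, that puts the documented scoring factors (base, feed update, source reputation, result expiration, multiple detections, cap at 90) together with the expiration policy from the Last Detected section (reset lists hide detections after 15 days, accumulating lists keep them). The result type, field names, the "internal analysis" reputation value and the sample results are assumptions constructed for the example; the expiration factor follows the prose description above (decrement by one per day, floor of 1).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constants taken from the documented scoring scheme.
BASE_POINTS = 50
MAX_CONFIDENCE = 90
RESULT_TTL_DAYS = 15
FEED_UPDATE_POINTS = {"hourly": 10, "daily": 5, "weekly": 0}

# Fixed "current time" so the example is reproducible offline (constructed).
NOW = datetime(2024, 1, 31)


def days_ago(n: int, now: datetime = NOW) -> datetime:
    return now - timedelta(days=n)


@dataclass
class SourceResult:
    """One source's verdict for an IP address (field names are assumptions)."""
    source: str
    result: str                 # "blacklisted" | "whitelisted" | "unknown"
    frequency: str              # "hourly" | "daily" | "weekly"
    resets_list: bool           # True: the feed lists only currently active bad IPs
    last_detected: datetime     # when we last saw the IP in the feed
    source_reputation: int = 0  # 0..15, "based on internal analysis" (assumed input)


def age_in_days(res: SourceResult, now: datetime = NOW) -> int:
    return (now - res.last_detected).days


def is_visible(res: SourceResult, now: datetime = NOW) -> bool:
    """Expiration policy: a blacklisting from a source that resets its list is
    hidden after 15 days; a source that accumulates keeps showing it."""
    if res.result != "blacklisted":
        return True
    return (not res.resets_list) or age_in_days(res, now) <= RESULT_TTL_DAYS


def expiration_points(age_days: int) -> int:
    """15 points while the result is at most 15 days old, then one point less
    per day of additional age, never below 1."""
    if age_days <= RESULT_TTL_DAYS:
        return 15
    return max(1, 15 - (age_days - RESULT_TTL_DAYS))


def multiple_detection_points(blacklisting_sources: int) -> int:
    if blacklisting_sources > 2:
        return 30
    if blacklisting_sources == 2:
        return 10
    return 0


def confidence(res: SourceResult, blacklisting_sources: int, now: datetime = NOW) -> int:
    """Confidence for one source's detection, capped at the documented maximum of 90."""
    reputation = min(max(res.source_reputation, 0), 15)
    score = (BASE_POINTS
             + FEED_UPDATE_POINTS[res.frequency]
             + reputation
             + expiration_points(age_in_days(res, now))
             + multiple_detection_points(blacklisting_sources))
    return min(score, MAX_CONFIDENCE)


def confidence_label(score: int) -> str:
    if score >= 95:
        return "certain"
    if score >= 85:
        return "very confident"
    if score >= 75:
        return "somewhat confident"
    if score >= 50:
        return "not confident"
    return "unknown"


def summarize(results, now: datetime = NOW):
    """Aggregate per-source results: any still-visible blacklisting makes the IP a BadIP.
    Returns the verdict and a per-source confidence map for the visible detections."""
    visible = [r for r in results if is_visible(r, now)]
    bad = [r for r in visible if r.result == "blacklisted"]
    verdict = "BadIP" if bad else "clean"
    scores = {r.source: confidence(r, len(bad), now) for r in bad}
    return verdict, scores


if __name__ == "__main__":
    # Constructed sample: one fresh hourly detection, one stale detection from a resetting daily feed.
    sample = [
        SourceResult("hourly-feed", "blacklisted", "hourly", True, days_ago(3), source_reputation=10),
        SourceResult("daily-feed", "blacklisted", "daily", True, days_ago(20)),
    ]
    verdict, scores = summarize(sample)
    print(verdict, {s: (c, confidence_label(c)) for s, c in scores.items()})
```

The stale daily-feed result is dropped by `is_visible`, so only one source counts toward the multiple-detection factor and the hourly detection scores 50 + 10 + 10 + 15 = 85 ("very confident"). Swapping the daily feed for an accumulating one keeps its detection visible with a reduced expiration factor, which is the behaviour the Last Detected section describes.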