Summary
This article explains the meaning of the different exploit category names present in the Reputation Feed (RepFeed) component of the Threat Digital Vaccine (ThreatDV).
Details
| Exploit | Explanation |
| --- | --- |
| Blended Threat | IP address or DNS name known to attack using several different attack vectors. An example of a host in this category would be one that is infected with SQL Slammer and is also hosting malware. |
| Botnet | IP address or DNS name known to participate as a botnet command and control (CnC) device. Many newer botnets communicate with their nodes in a peer-to-peer fashion; in such cases the RepFeed may contain the individual nodes of the botnet. |
| Malware | IP address or DNS name known to be a distribution point for malware on the Internet. Websites hosting malicious software are the most common hosts in this category. |
| Miscellaneous | IP address or DNS name that does not fit into any other category but is known to be malicious. |
| Misuse and Abuse | IP address or DNS name known to misuse resources. Hosts engaged in click fraud, or sites misrepresenting themselves, might fall into this category. |
| Mobile | IP address or DNS name known to host malicious or suspicious mobile applications, or to participate in CnC-related communication with infected mobile devices. |
| Network Worm | IP address or DNS name known to be infected with a network worm. Hosts infected with SQL Slammer or Code Red fall into this category. |
| P2P | IP address known to be a central node for a peer-to-peer protocol. |
| Phishing | IP address or DNS name known to have executed multiple phishing attacks. |
| Spam | IP address or DNS name known to be sending very large amounts of verified spam traffic. This category only contains devices sending very large amounts of spam. |
| Spyware | IP address or DNS name known to be hosting significant amounts of spyware. Spyware such as "Hotbar" and "WildTangent" falls into this category. |
| TOR Exit | IP address or DNS name known to be a node in an anonymity network, specifically a gateway where encrypted Tor traffic exits to the Internet. This tag covers both published and unpublished Tor nodes. |
| Web Application Attackers | IP address or DNS name known to attack using exploits against vulnerabilities in web applications. Attackers using SQL injection, PHP file include, and cross-site scripting all fall into this category. |
| Worm | Entries known to be actively distributing self-replicating code, otherwise known as a network worm. |