Malware Isn’t Going Anywhere
Given the volume and complexity of emerging threats, relying on a single source of data can significantly decrease your security team’s visibility. The most logical plan for organizations of all sizes and verticals is to obtain indicators of compromise (IOCs) from a variety of unrelated sources and utilize them as part of a layered security strategy.
Malware Patrol offers a wide variety of malware-related threat data feeds for commercial and research purposes. Our database contains over 12 years of data and is updated constantly by crawlers in the cloud: each URL and command and control (C&C) address is visited every day, DNS names are resolved 4-6 times a day and newly discovered URLs are processed within an hour.
Our Enterprise Threat Data Feeds can be customized and combined according to your ingestion needs – at no additional cost – to ensure that the data within them is both useful and actionable for your organization.
Get Only the Data You Need
We offer the following highly reliable and historically rich data feeds:
- Malware & Ransomware URLs
- Real-Time DDoS Attacks
- Malware Hashes or Binaries
- RPZ DNS Firewall
- Newly Registered Domains
- IP Reputation
- Domain Names Generated via DGAs
- Command & Control URLs
- Bitcoin Transactions
- Bitcoin Blockchain Strings – FREE to commercial customers!
Feeds are sold individually. Subscriptions are on an annual basis. Discounts available for multi-feed and multi-year subscriptions.
Data Feed Descriptions
This feed contains addresses that are actively hosting malicious binaries. Therefore, it can be used to block access to such URLs and avoid the infection of computers and connected devices. Or by companies that want to download badness for research purposes.
The feed is offered with URLs in two formats: (1) sanitized, which includes protocol, hostname, domain name and directories, but not the binary file name; and (2) unsanitized, which includes protocol, hostname, domain name, directories and also the file name and extension of the malware. Sanitized feeds are useful when there is no need to download the binary or to block it granularly. When downloading and/or monitoring the malware is important, the unsanitized feed is a better choice. Updated every hour.
DDoS attacks are a major threat to companies of all sizes. Apart from implementing DDoS mitigation strategies, access to threat data on the latest attacks is vital to understanding the current landscape and its trends. Many systems and protocols widely available on the internet are abused by attackers to generate abnormal amounts of traffic, including: NTP, DNS, CharGEN, SSDP, among others. These are the services that our honeypots mimic to capture real time information about attacks, without taking part in them.
Malware Patrol maintains a data feed containing live records of amplification and reflection DDoS attacks that happened in the last 24 hours. It is produced with data collected by sensors deployed all over the internet. Updated every 20 minutes.
Samples are collected around the internet and analyzed by our internal systems and multiple anti-virus products. If no malware is detected, our automated engines make an analysis of the binary to figure out its potential to be a new (unclassified) sample. This analysis includes packer detection and binary and PE header characteristics. Once a binary is classified as malware, the sample and its hashes are made available to customers immediately.
Malware Hashes Feed contains MD5 and SHA-1 hashes of malware and ransomware samples currently available on the internet. Updated every hour.
Malware Samples Feed contains malicious binaries currently available on the internet, shared immediately after categorization. Updated every hour.
RPZ (Response Policy Zone) DNS was developed by the ISC as a an open and vendor-neutral component of the BIND Domain Name Server. RPZ functions as a DNS firewall in which rules are expressed in specially constructed zone files. This segmented structure provides an effective – and granular – method of leveraging threat data for the detection and prevention of malware and ransomware activities at the DNS level.
Using this tool, administrators can override the global DNS and create rules that initiate specified responses and actions, such as providing alternate replies to queries. For example, when a workstation, server or other network resource tries to connect to a malicious location, it is unable to resolve DNS and is redirected to a specially crafted web page that explains why access was blocked.
Our customers can choose to use a combination or all three RPZ zone files: (1) C&C URLs, (2) URLs for DGAs used by over 40 malware and ransomware families and (3) Malware URLs. Configuration instructions are available here. Updated every hour.
On average, 175,000 new domains are registered every day. Most of these names are created for legitimate purposes, but there is a significant portion that only exist for malicious purposes. These include look-a-likes, type squatting and brand abusive domains.
Malware Patrol not only collects information about all new names, but also correlates this information with indicators of compromise (IOCs) from our other data feeds. Updated every hour.
This feed includes IP addresses known to actively host malicious files and command and control systems for malware and ransomware. The constant monitoring of traffic destined to such addresses, as well as potentially blocking access to the ones that host C2s, for example, is an effective protection measure and valuable information for research purposes. Updated every hour.
Malware Patrol acquires and monitors domain generation algorithms (DGAs) used by multiple malware and ransomware families. Most ransomware won’t be able the encrypt files if they can’t reach a C&C (command and control) server to retrieve cryptographic keys. Blocking access to domains generated via DGA is an effective way to prevent data loss and extortion. Monitoring DNS queries and network traffic to such domains is a way to determine computers in the internal network that may be infected. Updated every hour.
Most malware and ransomware families implement some sort of communication with a command and control (C&C) system that is responsible for relaying stolen financial information, personal data and anything the malware captures. It is also used to instruct the malicious software which institutions to target.
Knowing these malicious URLs, companies can block access, create alerts on IDS/IPS systems or investigate communications between samples and C2s. Updated every hour.
Bitcoin became the most popular crypto currency in the world and, apart from its legitimate uses, is commonly utilized to receive ransom payments among other criminal activities. Bitcoin transaction and/or blockchain strings data can be especially interesting to threat researchers and to companies monitoring data sources for potential brand infringement.
The Bitcoin Transactions Feed includes easy to parse information on all blocks and transactions since the genesis block on January 3, 2009. An average of 50,000 transactions happen every day. Malware Patrol produces a simple JSON file for each transaction, as soon information is available.
The Bitcoin Blockchain Strings Data Feed contains all the text from the Bitcoin blockchain since its inception. This includes information that ranges from miner names, poems and tributes, to URLs that point to obscure and illegal web sites, encoded files and malicious source code. Updated every 6 hours.