“Time flies like an arrow; fruit flies like a banana.” -- Groucho Marx


Staying on top of the current Internet abuse situation mandates that you follow your sources as close to real time as possible. On the left you can see a spanking new ZeuS binary, which has been observed by a source on 2012-10-01. They do not report the actual time of their observation, only a date, which is why we record an accurate timestamp for each observation we make. This is recorded as an observation time for our abuse tracking system. Since time is an important asset not to be wasted, we can stream the data real-time to the endpoint recipient. We don't want to sit on top of it or mull over it, rather than package the observation with additional observations through automatic augmentation. This action in turn is recorded as attribution time. Some sources are meticulous about time and they do inform you about the exact time of their observations, which we record as source time. Since time is a difficult thing to handle properly we have adopted a ISO8601:ish time format of YYYY-MM-DD HH:MM:SS UTC.


ZeroAccess, anyone?

Following the times of course gives you the opportunity, or challenge, of evolving the sources you follow to suit the need. For a while I've seen everybody hyping about the ZeroAccess malware and producing map views detailing infections. I knew we have some observations on the issue from the public sources, so I dug up the AbuseHelper source bot data and modified the bot to classify the findings with this evolved threat. On the left, you can see the latest 1 hour worth of sightings of ZeroAccess infections by this single source. So in essence, knowing your sources and what they provide is the key to gaining Abuse Situation Awareness in a timely manner.

I would like to exploit this opportunity and thank two of the numerous public sources, which AbuseHelper uses to gather information about abuse, namely Abuse.ch and AutoShun. Without their efforts, the anti-abuse work of many a CSIRT team would be much more difficult.

-- ?svimes 2012-10-01 09:58:21

return to the blog ...