RSA Admin

Deprecated Feeds and the New Malicious Filename Feed

Blog Post created by RSA Admin Employee on Jan 31, 2014

There have been many legacy feeds available in RSA LIVE containing threat intelligence on known “bad stuff” attributed to older malware campaigns and threats. These threats are simply not seen very often anymore.


Many of those older feeds will be deprecated soon.  Look for official statements regarding this, along with full details soon.  We are working to raise the quality of our feed content by eliminating elements that do not produce quality intelligence and detection for our customers.  The goal of RSA FirstWatch is to create feeds that reflect today’s threats.


One of the feeds scheduled to be deprecated was the Malicious Filenames Feed. It contained entries like 1.exe, 2.exe, etc., and a.exe, b.exe, etc. The entries were based on older Trojans, including the Storm Worm and beta versions of Zeus, and on some intelligence gathered from professional services engagements over the years. And while we wholeheartedly agreed that the contents of the feed were old and needed to go, we were also confident that we could substitute real-world, live intelligence gathered from the RSA FirstWatch malware database for that older content.


Below is a feed that we use internally to “normalize” the known malicious filenames for alerts and tracking, versus the known “expected” filenames that we should try to ignore.  We are providing this as an example of the real-world malware names that we encounter in our malware database.   Below are some screenshots of this feed in action.


[Screenshots of the feed in action]


Essentially, this will become the basis for the new Live Feed of RSA FirstWatch’s Known Malicious Filenames.  You will see that these certainly are NOT a-z.exe filenames.  Many are associated with specific malware families, which will be noted when possible in the threat description column.


We have automated the generation of filename meta in our database to populate this feed. Here is how our logic works:

FirstWatch has identified behaviors and malicious activity in our malware database, and we track those behaviors as alerts. These alerts represent known intelligence that has been verified by FirstWatch threat analysts. One example alert would be “Password Stealing IE5 Trojans.” We identified a specific pattern to this Trojan family and monitor its activity on an ongoing basis. What we are doing now is selecting each of our known intelligence types from the Alert Keys, looking up the top filenames associated with that intelligence, and adding them. Additionally, we filter out known normal and expected traffic. The results are analyzed and added to the new feed. Once those values exist in the feed, they are ignored in new reports, yielding new filenames to analyze.


In addition, we look at the top executables by filename that are downloaded from infected systems. Those filenames, if judged to produce very low false positives, are also added to the new feed. One example of a false positive would be “setup.exe.” We understand that many malware samples use this filename; however, an equally large amount of legitimate software uses the filename as well.


If you can’t wait for the new version of this feed to be on LIVE, you can install the one attached, at your own unsupported risk. Refer to our previous posts here and here on how to use SA’s Live menu to install this feed. The feed is non-IP, with index column 1 and a callback to the filename meta, and columns 2, 3 and 4 tagged as feed.name, feed.category, and feed.description. This is actually two feeds in one: it identifies both known malicious files and whitelisted files. You can use this feed and add your own content as well.
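As an added example (not the post’s own code, and not the actual FirstWatch feed), here is Python that applies the logic described above: take the top filenames per alert key, drop known expected names such as setup.exe, skip values already in the feed, and emit the four-column flat file (filename index, feed.name, feed.category, feed.description) that the Live feed definition above expects. The alert records, the feed name and the “malicious”/“whitelist” category values are constructed assumptions for the example.

```python
import csv
import io
from collections import Counter
# Constructed sample records (alert key, observed filename) illustrating the
# post's logic; the names are made up and not from the FirstWatch database.
ALERT_HITS = [
    ("Password Stealing IE5 Trojans", "iexplorer32.exe"),
    ("Password Stealing IE5 Trojans", "iexplorer32.exe"),
    ("Password Stealing IE5 Trojans", "setup.exe"),
    ("Password Stealing IE5 Trojans", "msupdte.exe"),
    ("Banking Trojan Config Download", "setup.exe"),
    ("Banking Trojan Config Download", "crss.exe"),
    ("Banking Trojan Config Download", "crss.exe"),
]

# Known normal/expected names (the post's example is setup.exe). They form the
# whitelist half of the two-in-one feed and are never emitted as malicious.
EXPECTED = {"setup.exe", "install.exe"}
FEED_NAME = "FirstWatch Malicious Filenames"   # assumed feed.name value

def top_filenames(hits, top_n=2):
    """Top filenames per alert key, with known expected traffic filtered out."""
    per_key = {}
    for key, fname in hits:
        per_key.setdefault(key, Counter())[fname.lower()] += 1
    return {key: [f for f, _ in counts.most_common() if f not in EXPECTED][:top_n]
            for key, counts in per_key.items()}

def build_feed(hits, already_in_feed=(), top_n=2):
    """Rows are (filename, feed.name, feed.category, feed.description): column 1
    is the index matched against filename meta, columns 2-4 become tags."""
    rows = []
    for key, names in top_filenames(hits, top_n).items():
        for name in names:
            if name not in already_in_feed:   # values already in the feed are ignored
                rows.append((name, FEED_NAME, "malicious", key))
    for name in sorted(EXPECTED):
        rows.append((name, FEED_NAME, "whitelist", "expected filename, ignore"))
    return rows

def feed_csv(rows):
    """Serialize rows as the CSV flat file a Live custom feed is built from."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()

def classify(rows, filename):
    """feed.category a decoder would tag this filename with, or None if absent."""
    return next((r[2] for r in rows if r[0] == filename.lower()), None)
```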


All feedback is welcome.  Good Luck and Happy Hunting!


UPDATE:  I have replaced the original attachment to this post with a newer version of this feed.
