Use Threat Intelligence and Python Scripts In Malware Detection


  1. Blacklisted IP
  2. Blacklisted Domain
  3. Blacklisted Certificate

1. Threat Intelligence definition

Intelligence, as defined by Edward Waltz, is “the information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding, is the product that provides battlespace awareness”.

2. Blacklisted IP (C&C, specific malware, spammer, web crawler)

Which OSINT feeds are the better ones depends on our needs. In our case we need blacklisted IP addresses for command-and-control servers, for the most common malware, and for spammer and web crawler servers, and those feeds need to be available as .csv files so the information is easier to extract. After looking at many websites we chose the best one, and we download its file every 5 minutes so our database stays up to date. Once all the files are collected we merge them and extract only the important data. Every packet we receive on our servers is checked to see whether the IP address it uses is blacklisted; if it is, our client receives a notification to block the connection.

3. Blacklisted Domain

As with blacklisted IP addresses, OSINT offers lists of blacklisted domains used in different attacks. We also download this file every 5 minutes, and we check whether a listed domain appears in the packets received from our client. We also check whether the domain is used in the certificate, using the SSL field “x509ce.dNSName”.
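The IP and domain checks described in the two sections above, as an added Python example (this is not the post's own script). The two CSV feeds are constructed stand-ins embedded inline; a real deployment downloads the feed files periodically and feeds them to the same parser. The packet dictionary, its field names (`src`, `dst`, `dns_query`, `x509_dns_names`) and the decision to treat a listed domain as also covering its subdomains are assumptions made for this example:

```python
"""Merge OSINT blacklist feeds and check packet summaries against them.

Added example, not the post's own code. Feed contents below are constructed
stand-ins for downloaded .csv files.
"""
import csv
import io
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed feed: C&C and spammer addresses. Lines starting with '#' are
# comments, as many OSINT feeds use; one address is listed twice on purpose
# to show that merging deduplicates.
IP_FEED_CSV = """# ip,category,first_seen
203.0.113.5,c2,2024-01-01
198.51.100.0/24,spammer,2024-01-02
203.0.113.5,c2,2024-01-03
"""

# Constructed feed: malicious domains.
DOMAIN_FEED_CSV = """# domain,category
bad-example.test,malware
c2.example.invalid,c2
"""


def parse_feed(text: str, column: int = 0) -> Set[str]:
    """Return the values of one CSV column, skipping comment and blank lines."""
    values: Set[str] = set()
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        value = row[column].strip().lower()
        if value:
            values.add(value)
    return values


def build_ip_blacklist(feeds: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Merge feeds into deduplicated networks; a bare IP becomes a /32 (or /128)."""
    nets = set()
    for text in feeds:
        for entry in parse_feed(text):
            try:
                nets.add(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                continue  # skip a malformed line rather than abort the whole feed
    return list(nets)


def ip_blacklisted(ip: str, nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True if the address falls inside any blacklisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP at all (empty field, hostname, garbage)
    return any(addr in net for net in nets)


def domain_blacklisted(name: str, domains: Set[str]) -> bool:
    """True if the name or any of its parent domains is listed (assumption:
    a listed domain also covers its subdomains)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


IP_BLACKLIST = build_ip_blacklist([IP_FEED_CSV])
DOMAIN_BLACKLIST = parse_feed(DOMAIN_FEED_CSV)


def check_packet(packet: Dict) -> List[str]:
    """Return alert reasons for one packet summary (constructed field names:
    src, dst, optional dns_query, and x509_dns_names holding the certificate's
    x509ce.dNSName values)."""
    alerts: List[str] = []
    for field in ("src", "dst"):
        if ip_blacklisted(packet.get(field, ""), IP_BLACKLIST):
            alerts.append(f"blacklisted ip in {field}: {packet[field]}")
    query = packet.get("dns_query")
    if query and domain_blacklisted(query, DOMAIN_BLACKLIST):
        alerts.append(f"blacklisted domain queried: {query}")
    for san in packet.get("x509_dns_names", []):
        if domain_blacklisted(san, DOMAIN_BLACKLIST):
            alerts.append(f"blacklisted domain in certificate dNSName: {san}")
    return alerts


if __name__ == "__main__":
    sample = {"src": "10.0.0.8", "dst": "198.51.100.77",
              "x509_dns_names": ["login.c2.example.invalid"]}
    for alert in check_packet(sample):
        print("NOTIFY CLIENT:", alert)
```

Using `ipaddress.ip_network` for every entry lets one lookup handle both single addresses and CIDR ranges, which real feeds mix freely; on a busy sensor the `any(...)` scan should be replaced by a prefix tree, but the matching semantics stay the same.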

4. Blacklisted Certificate

Each certificate has a unique fingerprint, which we calculate with the SHA-1 hash. We developed a script that extracts the certificate from the received packets and automatically calculates its fingerprint.
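Certificate extraction and fingerprinting, as an added Python example (not the post's own script). It parses a TLS 1.2 `Certificate` handshake message, which is the plaintext form in which the server's chain travels in the packet after record-layer decapsulation, and computes the SHA-1 fingerprint over each DER-encoded certificate, which is the usual definition of a certificate fingerprint. The DER blobs are constructed placeholder bytes, not real certificates, and the blacklist is built here from the constructed "bad" certificate's own fingerprint so that the match path runs offline; in production the list comes from the downloaded feed:

```python
"""Extract certificates from a TLS Certificate handshake message and match
their SHA-1 fingerprints against a blacklist.

Added example, not the post's own code. Certificate bytes are constructed
placeholders; the real script would take them from captured packets.
"""
import hashlib
from typing import List, Tuple

HANDSHAKE_CERTIFICATE = 0x0B  # TLS handshake type for Certificate


def u24(n: int) -> bytes:
    """Encode a 3-byte big-endian length as TLS does for certificate lists."""
    return n.to_bytes(3, "big")


def build_certificate_message(certs: List[bytes]) -> bytes:
    """Build a TLS 1.2 Certificate handshake message (used to construct test input)."""
    entries = b"".join(u24(len(c)) + c for c in certs)
    body = u24(len(entries)) + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + u24(len(body)) + body


def extract_certificates(msg: bytes) -> List[bytes]:
    """Return the DER certificates carried in a Certificate handshake message.

    Every length is checked against the bytes actually present so a truncated
    capture raises ValueError instead of producing a bogus fingerprint."""
    if len(msg) < 7 or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    hs_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    list_len = int.from_bytes(body[0:3], "big")
    pos, end = 3, 3 + list_len
    if end > len(body):
        raise ValueError("certificate list longer than message body")
    certs: List[bytes] = []
    while pos < end:
        clen = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        if clen == 0 or pos + clen > end:
            raise ValueError("bad certificate entry length")
        certs.append(body[pos:pos + clen])
        pos += clen
    return certs


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 of the DER bytes, rendered as colon-separated uppercase hex pairs."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Feeds publish fingerprints with or without colons and in either case;
    compare them in one canonical form."""
    return fp.replace(":", "").replace(" ", "").upper()


# Constructed placeholder "certificates" (not valid DER, used only as bytes).
LEAF_DER = b"\x30\x82\x01\x00constructed-leaf-certificate-bytes"
CA_DER = b"\x30\x82\x01\x00constructed-issuer-certificate-bytes"

# Constructed blacklist: the leaf's own fingerprint (lower-case, no colons, as
# some feeds publish it) plus an unrelated entry that matches nothing here.
CERT_BLACKLIST = {
    normalize_fingerprint(sha1_fingerprint(LEAF_DER).lower().replace(":", "")),
    normalize_fingerprint("00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"),
}


def blacklisted_certs(msg: bytes, blacklist) -> List[Tuple[int, str]]:
    """Return (position in chain, fingerprint) for every blacklisted certificate."""
    hits = []
    for idx, der in enumerate(extract_certificates(msg)):
        fp = sha1_fingerprint(der)
        if normalize_fingerprint(fp) in blacklist:
            hits.append((idx, fp))
    return hits


if __name__ == "__main__":
    captured = build_certificate_message([LEAF_DER, CA_DER])
    for idx, fp in blacklisted_certs(captured, CERT_BLACKLIST):
        print(f"NOTIFY CLIENT: blacklisted certificate at chain position {idx}: {fp}")
```

The whole chain is checked, not only the leaf, because a feed may list a compromised or rogue intermediate; and the fingerprint is normalized before comparison so that a feed entry written as `ab:cd:...` still matches one written as `ABCD...`.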