Autoreporter categories | Traficom

Autoreporter categories

Our Autoreporter service sends automatic reports to network administrators about information security incidents detected in their networks. The service provides information to the administrators that they can use to address information security incidents posing a risk to data processing. This page lists the Autoreporter categories for malicious incidents.

The incidents are organised into main categories and subcategories. For some incidents, there are no subcategories.

Main categories

Advanced persistent threat, i.e. targeted attack. Targeted attacks use the same methods as ordinary, non-targeted attacks (malware, phishing, hacking, etc.) but the attack is targeted at a specific organisation or infrastructure. Ordinary attacks are not specifically launched against one target. Instead, any victim will do.

Incidents in this category are typically traffic to, or the addresses of, command-and-control servers of malware used in corporate espionage.

Communication between an infected computer and a botnet command-and-control server.

Some reported malware can be removed using the Microsoft Malicious Software Removal Tool (MSRT).

A computer or network used to hack into other computers or services by guessing passwords or other access credentials.

A botnet command-and-control server.

Server or network used in a distributed denial of service attack.

Server or site whose content an attacker has modified or replaced with their own. This category has no subcategories.

Website that serves code exploiting a software vulnerability on the computers of its visitors.

URL that leads to a site distributing known malware, or that has been seen on a botnet command channel. This category has only one subcategory: ‘malware hosting’.

Compromised server that redirects users to a site distributing malware.

The Autoreporter report does not usually specify what was found on the site, but the type can usually be determined with a website analysis service, or by looking up the domain or URL in the various reputation databases.

Phishing website. Usually a compromised website where the attacker has injected its own content and program code. If the URL address of the fraudulent website is known, it is included in the Autoreporter report.

The server may contain information relevant to a police investigation, such as the addresses to which the collected data is forwarded. We recommend advising customers to report such cases to the police.

An open proxy server. Cyber criminals often route malicious traffic through open proxies to cover their tracks and avoid getting caught.

A computer scanning for open ports in other computers. Scanning for open ports is often used in preparation for other cyber-attacks.

Services, vulnerabilities and general scanning statistics for a given port are available at http://isc.sans.org/port.html?port=X, where X is the port number.

Servers, networks or sites used to send or distribute spam.

Service or server that has a known vulnerability or insecure configuration and is exposed to unauthorised use by third parties. Open proxies are listed in a category of their own.

Subcategories

The subcategories below are listed under the main categories. The list of subcategories is not exhaustive.

  • DynDNS: Some targeted attacks use dynamic DNS services to hide the attacker’s infrastructure. A report in this subcategory indicates traffic to dynamic DNS domains associated with such attacks.
  • Mirage: Windows malware that gives an attacker full control of the infected computer (‘RAT’ or Remote Access Trojan).
  • Volatile Cedar: Name given by the IT security company Check Point to a targeted malware campaign. Its targets include organisations in the defence industry and communications technology.

  • Andromeda: Windows malware that steals information and forwards malicious traffic to other computers (‘proxy’).
  • Bamital: Windows malware that modifies internet search results.
  • Banatrix: Windows malware that illegally modifies money transfers online.
  • BankPatch: Windows malware that steals information.
  • Beagle: Windows malware, also known as Bagle, that allows unauthorized access to an infected computer (‘backdoor’) and typically sends spam to third parties.
  • Bedep: General-purpose Windows malware that spreads via advertisements and apps. Used in malvertisements and in spreading other malware to computers (‘dropper’).
  • Beebone: Windows malware that downloads other malware (‘downloader’).
  • Bezigate: Windows malware that steals information and allows unauthorized access to an infected computer (‘backdoor’).
  • BlackEnergy: Multi-purpose Windows and Linux malware platform used for criminal activity and spying.
  • Bladabindi: Windows malware that steals information and can also download other malware.
  • Blaster:  Windows malware that downloads other malware and is used for DDoS attacks against third parties.
  • Bolek: Windows malware that steals online banking information. Also known as Bolik.
  • Caphaw: (or Shylock) is Windows malware that steals information.
  • Citadel: Windows malware that steals information. Closely related to Zeus malware.
  • Citeary: Windows malware that downloads other malware (‘dropper’).
  • Conficker: Windows malware that disables security software, blocks access to information security websites and slows down network performance. Conficker is also known as Downadup, Downup, Kido, DNS Changer and Trafficconverter. A report in this subcategory means that a workstation (Windows/Mac OS X) or home router has made DNS queries (UDP/53 or TCP/53) to IP addresses known to be associated with this malware.
  • Corkow: Windows malware that steals information, especially online banking credentials.
  • CryptoWall: Ransomware that encrypts files. An infection is impossible to miss: the encrypted files and the ransom note are visible to the user.
  • CryptPHP: Malware that infects servers running content management systems such as WordPress, Joomla and Drupal. It typically spreads through content management system plugins and themes that the attackers have modified and offered for free download. The malware allows unauthorized access to the infected server.
  • Cutwail: Windows malware that downloads other malware (‘dropper’), sends spam to third parties and steals information. Also known as Pushdo.
  • Cycbot: Windows malware that allows an attacker to gain full control of an infected computer.
  • DirtJumper: Windows malware used for DDoS attacks against third parties.
  • Dofoil: Windows malware that downloads other malware (‘dropper’).
  • Dorkbot: Windows malware that downloads other malware (‘dropper’) and blocks access to some information security websites.
  • Downloader.BOT: Malware that affects older Windows versions. It steals information and downloads other malware (‘dropper’).
  • Dridex: Windows malware that steals information, especially online banking credentials.
  • Dynamer: Ransomware that encrypts files on a Windows computer.
  • Esfury: Windows malware that modifies security features and network settings. It may also download other malware.
  • Expiro: Windows malware that steals information and changes security settings on a computer.
  • FakeAV: Windows malware family that attempts to pass as anti-malware software, but in reality, it allows unauthorized access to an infected computer (‘backdoor’).
  • Flashback: Mac OS X malware that steals information.
  • Fynloski: Windows malware that allows attackers to take control of a computer (‘RAT’ or Remote Access Trojan). Also known as DarkComet.
  • Gamarue: Windows malware that steals information and allows unauthorized access to an infected computer (‘backdoor’).
  • Gameover Zeus: Windows malware that steals information and downloads other malware (‘dropper’). The same malware family includes ZeuS, Zbot and Zitmo.
  • GootKit: Malware that steals information, especially user information of French online banks.
  • Gozi: Windows malware that steals information.
  • GozNym: Windows malware that steals online banking information.
  • Hesperbot: Windows malware that steals information and allows unauthorized access to an infected computer (‘backdoor’).
  • IRCbot: Windows malware family that downloads other malware (‘dropper’) and allows unauthorized access to an infected computer (‘backdoor’). All malware in the family are controlled by attackers via IRC channels.
  • Jadtre: Windows malware that downloads other malware (‘dropper’) and spreads to computers locally via shared resources and removable drives.
  • Jenxcus: Windows malware that allows an attacker to gain full control of an infected computer. It can also steal information.
  • KINS: Windows malware that steals information, especially online banking credentials.
  • Kovter: Multi-purpose Windows malware that lowers the security settings on a computer and uses it in malvertising campaigns. Kovter can also download other malware, such as ransomware.
  • Locky: Ransomware that encrypts files. An infection is impossible to miss: the encrypted files and the ransom note are visible to the user.
  • Machbot: Windows malware used for DDoS attacks against third parties.
  • Mirai: Malware infecting smart devices (connected devices, IoT (Internet of Things) devices), used mainly for DDoS attacks against third parties. The malware infects devices whose factory-default passwords were not changed when the device was taken into use.
  • MKero: Android Trojan that subscribes victims to premium SMS services.
  • Multiple malware: Multiple malware activity detected.
  • Necurs: Malware that disables security features on a computer and sends spam containing other malware, such as Locky, to third parties.
  • Neurevt: Windows malware that steals information, changes computer settings, and allows unauthorized access to an infected computer (‘backdoor’).
  • Nivdort: Windows malware that steals information and changes computer settings.
  • Nymaim: Windows ransomware that can download other malware on a computer.
  • PadCrypt: Ransomware that encrypts files. An infection is impossible to miss: the encrypted files and the ransom note are visible to the user.
  • Palevo: Multi-purpose Windows worm that, for example, steals user information and downloads other malware.
  • Patcher: Windows malware that modifies the performance of web browsers and operating system, and steals user information, especially certain online banking credentials.
  • PcClient: Windows malware that steals information and allows unauthorized access to an infected computer (‘backdoor’).
  • Ponmocup: Windows malware that downloads other malware (‘dropper’).
  • Pony: Windows malware that steals information.
  • Pushdo: Windows malware that downloads other malware (‘dropper’), sends spam to third parties and steals information. Also known as Cutwail.
  • Pykspa: Windows malware that downloads other malware (‘dropper’). Pykspa typically downloads a worm, also called Pykspa, that spreads to other computers with no user interaction and allows criminals to execute arbitrary commands on an infected computer.
  • Qakbot: Windows malware that steals information, downloads other malware (‘dropper’) and allows unauthorized access to an infected computer (‘backdoor’).
  • Ramdo: Windows malware that steals information.
  • Ramnit: Windows worm spreading through removable drives, such as USB drives, that steals information and allows unauthorized access to an infected computer (‘backdoor’).
  • Ranbyus: Windows malware that steals information.
  • Rebhip: Windows Trojan that steals information.
  • Redyms: Windows malware that modifies internet search engine results. The modified search results may redirect users to fake software updates, which, if installed, infect the user’s computer with other malware.
  • Rovnix: Windows malware that steals information, downloads other malware (‘dropper’) and allows unauthorized access to an infected computer (‘backdoor’). Also known as ReactorBot.
  • Sality: Multi-purpose Windows malware that can, for example, steal information and allow unauthorized access to an infected computer (‘backdoor’).
  • Sdbot: Windows malware that allows attackers to take control of a computer.
  • Simda: Multi-purpose Windows malware that can, for example, steal information and download other malware (‘dropper’). Also known as Shiz.
  • SpyEye: Windows malware that steals information and downloads other malware (‘dropper’).
  • Srizbi: Bot that can be remotely controlled by an attacker to send spam. The malware receives instructions from certain fixed URLs.
  • Stealrat: Windows malware that sends spam to third parties.
  • TDSS: Sophisticated bot that uses rootkit components to conceal itself in the infected workstation. Infected workstations are used as proxy servers for anonymous internet access. TDSS is also known as Alureon and Tidserv.
  • Tinba: Windows malware that steals information. Also known as Tinybanker and Zusy.
  • Torpig: Torpig is usually downloaded on an infected workstation together with Mebroot malware. Together these malware steal personal user information, such as online banking credentials. The malware uses HTTP protocol to provide stolen information to the attacker and receive new instructions. Torpig is also known as Sinowal.
  • ‘Unknown’ and ‘Unspecified bot’: Miscellaneous traffic that is suspected to be malware-related, but the exact malware cannot be specified. ‘Unknown (avalanche)’ refers to malware distributed via the Avalanche botnet infrastructure.
  • Vawtrak: Windows malware that allows unauthorized hidden access to an infected computer (‘backdoor’). The malware also steals information.
  • VBInject: Group of different malware that use certain techniques to prevent their detection or analysis. The purposes of these malware vary.
  • Virut: Windows malware that downloads other malware (‘dropper’) and receives commands from the attacker via an IRC channel.
  • Wapomi: Windows worm.
  • XcodeGhost: Malware infecting Apple devices that steals information. XcodeGhost does not spread on its own: it is inserted into applications at build time through a trojanised copy of the Xcode development tool used by the affected developers, so the infected apps are malicious already when published.
  • Xpaj: Virus infecting files on Windows computers and network drives that downloads other malware (‘downloader’). Some variants of this virus infect the master boot record (MBR), which makes their removal especially difficult.
  • Yash RAT: Malware that downloads other malware (‘dropper’) and allows unauthorized secret access to an infected computer (‘backdoor’ or Remote Access Trojan).
  • ZeroAccess: Windows malware that downloads other malware (‘dropper’) and allows unauthorized access to an infected computer (‘backdoor’).
  • Zeus: Windows malware that steals information, especially online banking credentials. The attacker has some control over the infected computer (‘backdoor’) and can forward suspicious traffic via the infected computer (‘proxy’). Also known as Zbot.

  • Unspecified brute-force: Attacker that attempts to break into unspecified services by guessing credentials.
  • SSH: Attacker that attempts to break into Secure Shell servers by guessing passwords.
  • MySQL: Attacker that attempts to break into a MySQL database server by guessing passwords.
  • WordPress: Attacker that attempts to break into websites running the WordPress content management system by guessing passwords.
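If your network is reported in the SSH subcategory, the first thing to confirm is which host is the source and whether the guessing ever succeeded. The following is an added example, not part of the Traficom page or its Autoreporter service: it runs simple brute-force detection over constructed OpenSSH auth-log lines (not real data), flags every source that produces five failed logins within any 60-second window (threshold and window are assumed defaults), and records whether a flagged source later logged in successfully, which is the case to act on first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format written by OpenSSH (not real data).
# One source makes six failures in a few seconds and then succeeds; the others are benign.
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:04 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Mar  3 10:15:05 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Mar  3 10:15:06 host sshd[1209]: Failed password for root from 203.0.113.5 port 51252 ssh2
Mar  3 10:15:09 host sshd[1211]: Accepted password for root from 203.0.113.5 port 51260 ssh2
Mar  3 10:20:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:20:30 host sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 11:00:00 host sshd[1400]: Failed password for invalid user guest from 192.0.2.9 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text, year=2024):
    """Turn auth-log text into a chronological list of {ts, result, method, user, ip}.
    Syslog lines carry no year, so one is assumed (hypothetical default)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages and non-sshd lines are ignored
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def find_bruteforce(events, threshold=5, window_s=60):
    """Flag every source that produced `threshold` failed logins inside any
    `window_s`-second window (sliding window per source IP; events must be in
    log order). Also records whether a flagged source later logged in successfully."""
    totals = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": False})
    windows = defaultdict(deque)
    flagged = set()
    for ev in events:
        ip, ts = ev["ip"], ev["ts"]
        rec = totals[ip]
        if ev["result"] == "Failed":
            rec["failures"] += 1
            rec["users"].add(ev["user"])
            q = windows[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                flagged.add(ip)
        elif ip in flagged:  # an "Accepted" line from a source already flagged
            rec["success_after"] = True
    return {ip: totals[ip] for ip in flagged}


if __name__ == "__main__":
    for ip, rec in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {rec['failures']} failures, users tried: {sorted(rec['users'])}, "
              f"login succeeded afterwards: {rec['success_after']}")
```

On the constructed input only 203.0.113.5 is flagged (six failures against four accounts, followed by an accepted root password login); the single failures from the other two sources are ordinary typos. The same per-source sliding window works unchanged for MySQL or WordPress login logs once the regular expression is adapted to their line format.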

  • Command-and-control server: IP address, domain or other technical identifier of a botnet command-and-control server.
  • Command channel: Technical identifier of a botnet command-and-control channel, such as an IRC channel name.
  • Config: Bot configuration file.
  • Dropsite: Website to which bots upload captured information, as instructed by the attacker.

No subcategories.

  • Amplifier: Exploiting an unspecified service or application to amplify a DDoS attack.
  • Chargen: Exploiting the Chargen protocol to amplify a DDoS attack.
  • DDoS: Unspecified distributed denial-of-service attack.
  • DNS: Exploiting DNS (Domain Name System) to amplify a DDoS attack. The abused device is usually a poorly protected or misconfigured network device, such as an open resolver.
  • NTP: Exploiting the Network Time Protocol to amplify a DDoS attack.
  • SNMP: Exploiting the Simple Network Management Protocol to amplify a DDoS attack.
  • SSDP: Exploiting the Simple Service Discovery Protocol to amplify a DDoS attack.
  • WordPress Pingback: Exploiting the pingback feature of the WordPress content management system to amplify a DDoS attack.

No subcategories.

The only subcategory is ‘Malware hosting’: Website that distributes malware.

No information available.

The subcategory specifies the service or brand having user information that attackers try to capture.

The subcategory specifies the application or protocol forwarded by the proxy server.

  • Port number: the TCP or UDP port that the reported host was scanning in particular.
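A scanner report names your host as the source, so the useful check is on your own egress logs: which internal machine is behind it, and is it sweeping many ports on one host or one port across many hosts? The following is an added example, not part of the Traficom page, that runs this check over constructed iptables LOG lines (not real traffic) and links the scanned port to the ISC lookup page mentioned above. The log format, the 15-distinct-targets threshold and the sample addresses are assumptions for this example.

```python
import re
from collections import defaultdict

# Matches the SRC/DST/PROTO/DPT fields that iptables LOG writes (SPT is optional).
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>TCP|UDP) (?:SPT=\d+ )?DPT=(?P<dpt>\d+)"
)


def isc_port_url(port):
    """Port lookup page referenced above, for checking what a scanned port is used for."""
    return f"http://isc.sans.org/port.html?port={port}"


def constructed_log():
    """Constructed iptables LOG lines (not real traffic): one host sweeping 25 ports on a
    single target, one host probing one port on 30 targets, and one host with normal traffic."""
    fmt = ("Mar  3 09:00:{sec:02d} gw kernel: FW-OUT IN=eth1 OUT=eth0 "
           "SRC={src} DST={dst} PROTO=TCP SPT={spt} DPT={dpt} SYN")
    lines = []
    for i, port in enumerate(range(20, 45)):
        lines.append(fmt.format(sec=i % 60, src="10.0.0.25", dst="203.0.113.10", spt=40000 + i, dpt=port))
    for i in range(30):
        lines.append(fmt.format(sec=i % 60, src="10.0.0.31", dst=f"198.51.100.{i + 1}", spt=50000 + i, dpt=3389))
    for i, (dst, port) in enumerate([("192.0.2.8", 443), ("192.0.2.8", 80), ("192.0.2.9", 443)]):
        lines.append(fmt.format(sec=i, src="10.0.0.5", dst=dst, spt=60000 + i, dpt=port))
    return "\n".join(lines)


def find_scanners(log_text, threshold=15):
    """Per source: a vertical scan is `threshold` distinct ports on one destination,
    a horizontal scan is `threshold` distinct destinations on one port."""
    ports_per_dst = defaultdict(lambda: defaultdict(set))  # src -> dst -> {dpt}
    dsts_per_port = defaultdict(lambda: defaultdict(set))  # src -> dpt -> {dst}
    for m in LINE_RE.finditer(log_text):
        src, dst, dpt = m["src"], m["dst"], int(m["dpt"])
        ports_per_dst[src][dst].add(dpt)
        dsts_per_port[src][dpt].add(dst)

    report = {}
    for src in ports_per_dst:
        dst, ports = max(ports_per_dst[src].items(), key=lambda kv: len(kv[1]))
        dpt, dsts = max(dsts_per_port[src].items(), key=lambda kv: len(kv[1]))
        if len(ports) >= threshold:
            report[src] = {"kind": "vertical", "target": dst, "count": len(ports)}
        elif len(dsts) >= threshold:
            report[src] = {"kind": "horizontal", "port": dpt, "count": len(dsts),
                           "reference": isc_port_url(dpt)}
    return report


if __name__ == "__main__":
    for src, rec in find_scanners(constructed_log()).items():
        print(src, rec)
```

On the constructed log 10.0.0.25 is reported as a vertical scan (25 ports on 203.0.113.10), 10.0.0.31 as a horizontal scan (port 3389 on 30 hosts, with the ISC link for that port), and 10.0.0.5 is not reported. A real run needs the firewall to log outbound SYNs (for example with an iptables LOG rule on the egress chain) and should aggregate per time window rather than over the whole file.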

  • Unspecified spam infrastructure: the data source has not specified why the host is considered a sender of spam.