Reputation Key Enumerator

Overview

Each record in the feed contains a Reputation Key reflecting different categories of behavior over the past 30 days. Each value is used to calculate the Reputation Score. A higher Reputation Score reflects more malicious behavior observed for a given IP.

Reputation scoring categories include:

• A:    Number of days in feed
• B:    IP seen in other categories
• C:    Number of events in same category
• D:    Detection type
• E:    SSL usage
• F:    Controller Instruction decoded
• G:    DDoS command observed
• H:    Non-standard port
• I:    Number of unique domain names on same IP
• J:    Distinct controllers on same IP
• K:    Other malicious controller/phishing IPs in same /24

---

Explanation

The reputation key can be used to generate adjusted scoring values for each individual entry.

Example:

<reputation_key>A6B3C98D6E0F0G0H0I0J1K1</reputation_key>

• A6:    6 Days in feed
• B3:    Seen in 3 categories/families
• C98:    Seen 98 times in the same category
• D6:    Active probe of controller
• E0:    No SSL usage detected on IP
• F0:    No Controller Instructions decoded on IP
• G0:    No DDoS command given by controller IP
• H0:    Standard port used (80)
• I0:    0 other domains on same IP hosted
• J1:    1 controller active on same IP
• K1:    1 other controller/phishing IP in same /24

---

Calculation

The reputation feed provides a key for customized scoring as well as a reputation score value based on Team Cymru's own scoring calculation. Our scoring algorithm uses a mix of scoring based on event and category counts, as well as scoring based on methods and techniques detected. Techniques include if the controller used SSL, nonstandard ports for communication or was observed giving DDoS commands. We also score on the detection method. The detection method reflects if we actively probed the IP, whether it was observed connecting to a sinkhole, darknet address space or reported by a third party.

The reputation key also includes detection of shared hosting activity, providing more context on confidence levels for IPs connecting to the controller. A controller IP with many other domains on the same IP can then be scored lower, bot IPs connecting to the associated controller will also be scored lower based on the same information. Reflected in the key is how many other controllers of phishing sites were hosted on the same IP. A separate key is available showing how many other controllers or phishing instances were hosted within the same /24. These characteristics in our algorithm are applied in the key scoring of both the controller and any bots observed connecting to the associated controller. They reputation key can be used to create a customized algorithm.

Example key: A30B1C691D6E0F0G0H0I4J1K0 results in score: 61

Calculation:

A30	(1.18 ** 30) = 143	(Max value for key = 20)	+20
B1	(4 ** 1) = 4	(Max value for key B = 20)	+4
C691	(1.04 ** 691) = 588894442000	(Max value for key C = 20)	+20
D6	Active probe = 20	Key Description Score D0 Other: Data Not Scored 0 D1 Netflow 2 D2 Sinkhole 16 D3 Darknet 16 D4 Honeynet 20 D5 Human Verified 20 D6 Active Probe 20 D7 Reported by 3rd Party 2 D8 Unverified Malware C2 10	+20
E0	No SSL usage = 0	(E1 = +2)	+0
F0	No controller instruction seen	(F1 = +2)	+0
G0	No DDoS related commands seen	(G1 = +2)	+0
H0	Standard port used	(H1 = +4)	+0
I4	-10% of final score = -6.82		-6.82
J1	(2 * 1.1 ** 1) = 2.2	(Max value for key J = 6)	+2.2
K0	(2 * 1.1 ** 0) = 0	(Max value for Key K = 4)	+2
			61.38