Maltrail is opensource malicious traffic detection system.
https://github.com/stamparm/maltrail
Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).
Think it would be a excellent addition to the admin panel.
Benefits:
The following (black)lists (i.e. feeds) are being utilized:
alienvault, autoshun, badips, bambenekconsultingc2dns,
bambenekconsultingc2ip, bambenekconsultingdga, bitcoinnodes,
blocklist, botscout, bruteforceblocker, ciarmy, cruzit,
cybercrimetracker, deepviz, dataplanesipinvitation,
dataplanesipquery, dataplane, dshielddns, dshieldip,
emergingthreatsbot, emergingthreatscip, emergingthreatsdns,
feodotrackerdns, malwaredomainlist, malwaredomains, malwarepatrol,
maxmind, myip, nothink, openbl, openphish, packetmailcarisirt,
packetmailramnode, palevotracker, policeman, proxylists, proxyrss,
proxy, ransomwaretrackerdns, ransomwaretrackerip,
ransomwaretrackerurl, riproxies, rutgers, sblam, securityresearch,
snort, socksproxy, sslipbl, sslproxies, torproject, torstatus,
turris, urlvir, voipbl, vxvault, zeustrackerdns, zeustrackerip,
zeustrackermonitor, zeustrackerurl, etc.
As of static entries, the trails for the following malicious entities (e.g. malware C&Cs or sinkholes) have been manually included (from various AV reports and personal research):
aboc, adwind, alienspy, almalocker, alureon, android_acecard,
android_adrd, android_alienspy, android_arspam,
android_backflash, android_basebridge, android_boxer,
android_chuli, android_claco, android_coolreaper,
android_counterclank, android_cyberwurx, android_dendoroid,
android_dougalek, android_droidjack, android_droidkungfu,
android_enesoluty, android_ewalls, android_exprespam,
android_fakebanco, android_fakedown, android_fakeinst,
android_fakelog, android_fakemart, android_fakemrat,
android_fakeneflic, android_fakesecsuit, android_feabme,
android_flexispy, android_frogonal, android_geinimi,
android_ghostpush, android_ginmaster, android_gmaster,
android_godwon, android_golddream, android_gonesixty,
android_ibanking, android_kemoge, android_lockdroid,
android_lovetrap, android_maistealer, android_maxit,
android_oneclickfraud, android_opfake, android_ozotshielder,
android_pikspam, android_pjapps, android_qdplugin,
android_repane, android_roidsec, android_samsapo,
android_sandorat, android_selfmite, android_simplocker,
android_skullkey, android_sndapps, android_spytekcell,
android_stealer, android_stels, android_teelog, android_tetus,
android_tonclank, android_torec, android_uracto,
android_usbcleaver, android_walkinwat, android_windseeker,
android_zertsecurity, androm, andromem, angler, anuna, arec,
aridviper, artro, autoit, avalanche, avrecon, axpergle, babar,
bachosens, badblock, balamid, bamital, bankapol, bankpatch,
banloa, banprox, bayrob, bedep, blackenergy, blackvine,
blockbuster, bredolab, bubnix, bucriv, buterat, camerashy,
carbanak, carberp, careto, casper, cerber, changeup, chanitor,
chekua, cheshire, chewbacca, chisbur, cleaver, cloud_atlas,
conficker, contopee, copykittens, corebot, cosmicduke,
couponarific, criakl, cridex, crilock, cryakl, cryptinfinite,
cryptodefense, cryptolocker, cryptowall, ctblocker, cutwail,
darkhotel, defru, desertfalcon, destory, dnschanger,
dnsmessenger, dnstrojan, dorifel, dorkbot, drapion, dridex,
dukes, dursg, dyreza, elf_aidra, elf_billgates, elf_darlloz,
elf_ekoms, elf_fysbis, elf_groundhog, elf_hacked_mint,
elf_mayhem, elf_mokes, elf_pinscan, elf_rekoobe, elf_shelldos,
elf_sshscan, elf_themoon, elf_turla, elf_xnote, elf_xorddos,
elpman, emogen, emotet, equation, evilbunny, ewind, expiro,
fakeav, fakeran, fantom, fareit, fbi_ransomware, fiexp,
fignotok, fin4, finfisher, fraudload, fynloski, fysna, gamarue,
gauss, gbot, generic, golroted, gozi, groundbait, harnig,
hawkeye, helompy, hiloti, hinired, htran, immortal, injecto,
ios_keyraider, ios_muda, ios_oneclickfraud, ios_specter,
ismdoor, jenxcus, kegotip, keydnap, kingslayer, kolab,
koobface, korgo, korplug, kovter, kradellsh, kulekmoko,
lazarus, locky, lollipop, lotus_blossom, luckycat, majikpos,
malwaremustdie, marsjoke, mdrop, mebroot, mestep, mhretriev,
miniduke, misogow, modpos, morto, nanocor, nbot, necurs,
nemeot, neshuta, nettraveler, netwire, neurevt, nexlogger,
nivdort, nonbolqu, nuqel, nwt, nymaim, odcodc, oficla, onkods,
optima, osx_keranger, osx_keydnap, osx_salgorea,
osx_wirelurker, palevo, pdfjsc, pegasus, pepperat, phytob,
picgoo, pift, plagent, plugx, ponmocup, poshcoder, potao,
powelike, proslikefan, pushdo, pykspa, qakbot, quasar, ramnit,
ransirac, reactorbot, redoctober, redsip, remcos, renocide,
reveton, revetrat, rovnix, runforestrun, russian_doll, rustock,
sakurel, sality, satana, sathurbot, scarcruft, scarletmimic,
scieron, seaduke, sednit, sefnit, selfdel, shifu, shylock,
siesta, silentbrute, silly, simda, sinkhole_abuse,
sinkhole_anubis, sinkhole_arbor, sinkhole_bitdefender,
sinkhole_blacklab, sinkhole_botnethunter, sinkhole_certgovau,
sinkhole_certpl, sinkhole_checkpoint, sinkhole_cirtdk,
sinkhole_conficker, sinkhole_cryptolocker, sinkhole_drweb,
sinkhole_dynadot, sinkhole_dyre, sinkhole_farsight,
sinkhole_fbizeus, sinkhole_fitsec, sinkhole_fnord,
sinkhole_gameoverzeus, sinkhole_georgiatech, sinkhole_gladtech,
sinkhole_honeybot, sinkhole_kaspersky, sinkhole_microsoft,
sinkhole_rsa, sinkhole_secureworks, sinkhole_shadowserver,
sinkhole_sidnlabs, sinkhole_sinkdns, sinkhole_sofacy,
sinkhole_sugarbucket, sinkhole_tech, sinkhole_unknown,
sinkhole_virustracker, sinkhole_wapacklabs, sinkhole_zinkhole,
skeeyah, skynet, skyper, smsfakesky, snake, snifula, snort,
sockrat, sofacy, sohanad, spyeye, stabuniq, stonedrill,
stuxnet, synolocker, tdss, teamspy, teerac, teslacrypt,
themida, tibet, tinba, torpig, torrentlocker, troldesh, turla,
unruy, upatre, utoti, vawtrak, vbcheman, vinderuf, virtum,
virut, vittalia, vobfus, volatilecedar, vundo, waledac,
waterbug, wecorl, wndred, xadupi, xcodeghost, xtrat, yenibot,
yimfoca, zaletelly, zcrypt, zemot, zeroaccess, zeus, zherotee,
zlader, zlob, zombrari, zxshell, etc.
This is an awesome opensource project that could greatly increase the security of your site.
I am currently trying to create self executable installers for the sensors. (windows / osx)
I am currently trying to figure out how to successfully include Maltrail as an iframe withing the admin dashboard view.
Ultimately users could opt in to install a sensor on their own workstation and be able to monitor any malware trail. Regardless of user interaction, you can at least monitor malware trails from your site.
