Shadowserver Foundation

Last updated
Shadowserver Foundation
Formation2004
Type nonprofit
26-2267933
Purposesecurity
Website https://shadowserver.org

Shadowserver Foundation is a nonprofit security organization that gathers and analyzes data on malicious Internet activity (including malware, botnets, and computer fraud), sends daily network reports to subscribers, and works with law enforcement organizations around the world [1] in cybercrime investigations. Established in 2004 [2] as a "volunteer watchdog group," [3] it liaises with national governments, CSIRTs, network providers, academic institutions, financial institutions, Fortune 500 companies, and end users to improve Internet security, enhance product capability, advance research, and dismantle criminal infrastructure. Shadowserver provides its data at no cost to national CSIRTs (by geo code) and network owners (according to their network space).

Contents

Funding

In early 2020, Cisco, which has been the primary funder for 15 years, announced they would be withdrawing their funding. [4] [5] In late May 2020 it was announced that the Shadowserver Foundation had received funding from various sources to enable “the group to continue in a more sustainable way without becoming dependent on a single backer again.” [6] Funding now comes from donations, grants, projects, and/or supportive organisations can join the Shadowserver Alliance

Activities

Data collection

Shadowserver scans the IPv4 Internet over 100 times per day. It harvests data on malware, spam, bots, and botnets [7] using large-scale sensor networks of honeypots and honeyclients [8] placed throughout the world. It uses sinkholes to collect data on bots and DDOS attacks. It also receives additional malware and sinkhole data from governments, industry partners, and law enforcement agencies that have established reciprocal data-sharing agreements with Shadowserver.

Data analysis

Shadowserver stores raw malware data permanently in its repository. As new data are collected, Shadowserver analyzes them using thousands of virtual sandboxes and hundreds of bare metal sandboxes. It regularly re-analyzes raw data previously collected. The results of these analyses are stored in the organization's analysis cluster.

Network reporting

Shadowserver sends free daily network reports to users who have subscribed to them. The reports contain all the data that Shadowserver has collected and analyzed about any suspicious activity it was able to detect within the specific networks or regions for which the subscriber is responsible. For example, a national government might receive data aggregated by geo-spatial coordinates defined by latitude and longitude, while an international network provider might receive data filtered by ASN.

Investigation support

Shadowserver liaises with security organizations, national governments, and CSIRTs to dismantle global cybercrime networks; for example, it worked with the FBI, Europol, and Interpol to take down the Avalanche network in 2016. [9] It also helps law enforcement partners to develop strategies against cyber security threats and to mitigate threats as they emerge, focusing on cases that involve criminal abuse of the Internet’s infrastructure.

Related Research Articles

<span class="mw-page-title-main">ESET</span> Slovak internet security company

ESET, s.r.o., is a software company specializing in cybersecurity. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide. Its software is localized into more than 30 languages.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

The Russian Business Network is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale. It is the originator of MPack and an alleged operator of the now defunct Storm botnet.

The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.

Avalanche was a criminal syndicate involved in phishing attacks, online bank fraud, and ransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system.

The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly Bot", making it one of the largest known botnets.

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world's third largest botnet, responsible for 18% of worldwide spam traffic.

There is no commonly agreed single definition of “cybercrime”. It refers to illegal internet-mediated activities that often take place in global electronic networks. Cybercrime is "international" or "transnational" – there are ‘no cyber-borders between countries'. International cybercrimes often challenge the effectiveness of domestic and international law, and law enforcement. Because existing laws in many countries are not tailored to deal with cybercrime, criminals increasingly conduct crimes on the Internet in order to take advantages of the less severe punishments or difficulties of being traced.

A DNS sinkhole, also known as a sinkhole server, Internet sinkhole, or Blackhole DNS is a Domain Name System (DNS) server that has been configured to hand out non-routable addresses for a certain set of domain names. Computers that use the sinkhole fail to access the real site. The higher up the DNS resolution chain the sinkhole is, the more requests will fail, because of the greater number of lower nameservers that in turn serve a greater number of clients. Some of the larger botnets have been made unusable by top-level domain sinkholes that span the entire Internet. DNS Sinkholes are effective at detecting and blocking bots and other malicious traffic.

<span class="mw-page-title-main">Palo Alto Networks</span> American technology company

Palo Alto Networks, Inc. is an American multinational cybersecurity company with headquarters in Santa Clara, California. The core product is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100. It is home to the Unit 42 threat research team and hosts the Ignite cybersecurity conference. It is a partner organization of the World Economic Forum.

<span class="mw-page-title-main">European Cybercrime Centre</span>

The European Cybercrime Centre is the body of the Police Office (Europol) of the European Union (EU), headquartered in The Hague, that coordinates cross-border law enforcement activities against computer crime and acts as a centre of technical expertise on the matter.

Virut is a cybercrime malware botnet, operating at least since 2006, and one of the major botnets and malware distributors on the Internet. In January 2013, its operations were disrupted by the Polish organization Naukowa i Akademicka Sieć Komputerowa.

<span class="mw-page-title-main">Microsoft Digital Crimes Unit</span>

The Microsoft Digital Crimes Unit (DCU) is a Microsoft sponsored team of international legal and internet security experts employing the latest tools and technologies to stop or interfere with cybercrime and cyber threats. The Microsoft Digital Crimes Unit was assembled in 2008. In 2013, a Cybercrime center for the DCU was opened in Redmond, Washington. There are about 100 members of the DCU stationed just in Redmond, Washington at the original Cybercrime Center. Members of the DCU include lawyers, data scientists, investigators, forensic analysts, and engineers. The DCU has international offices located in major cities such as: Beijing, Berlin, Bogota, Delhi, Dublin, Hong Kong, Sydney, and Washington, D.C. The DCU's main focuses are child protection, copyright infringement and malware crimes. The DCU must work closely with law enforcement to ensure the perpetrators are punished to the full extent of the law. The DCU has taken down many major botnets such as the Citadel, Rustock, and Zeus. Around the world malware has cost users about $113 billion and the DCU's jobs is to shut them down in accordance with the law.

Operation Tovar was an international collaborative operation carried out by law enforcement agencies from multiple countries against the Gameover ZeuS botnet, which was believed by the investigators to have been used in bank fraud and the distribution of the CryptoLocker ransomware.

<span class="mw-page-title-main">Gameover ZeuS</span> Peer-to-peer botnet

GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.

<span class="mw-page-title-main">Dark0de</span>

dark0de, also known as Darkode, is a cybercrime forum and black marketplace described by Europol as "the most prolific English-speaking cybercriminal forum to date". The site, which was launched in 2007, serves as a venue for the sale and trade of hacking services, botnets, malware, stolen personally identifiable information, credit card information, hacked server credentials, and other illicit goods and services.

<span class="mw-page-title-main">MalwareMustDie</span> Whitehat security research workgroup

MalwareMustDie, NPO is a whitehat security research workgroup that was launched in August 2012. MalwareMustDie is a registered nonprofit organization as a medium for IT professionals and security researchers gathered to form a work flow to reduce malware infection in the internet. The group is known for their malware analysis blog. They have a list of Linux malware research and botnet analysis that they have completed. The team communicates information about malware in general and advocates for better detection for Linux malware.

Emotet is a malware strain and a cybercrime operation believed to be based in Ukraine. The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade. In 2021, the servers used for Emotet were disrupted through global police action in Germany and Ukraine and brought under the control of law enforcement.

Hack Forums is an Internet forum dedicated to discussions related to hacker culture and computer security. The website ranks as the number one website in the "Hacking" category in terms of web-traffic by the analysis company Alexa Internet. The website has been widely reported as facilitating online criminal activity, such as the case of Zachary Shames, who was arrested for selling keylogging software on Hack Forums in 2013 which was used to steal personal information.

Trickbot is a trojan for Microsoft Windows and other operating systems. Its major function was originally the theft of banking details and other credentials, but its operators have extended its capabilities to create a complete modular malware ecosystem.

References

  1. Halpern, Jake (May 2015). "Bank of the Underworld". The Atlantic. Archived from the original on 26 July 2015. Retrieved 21 April 2024.
  2. "Tackling the botnets at source". 2006-10-05. Retrieved 2018-02-13.
  3. "Cybercrime flourishes in online hacker forums - USATODAY.com". usatoday30.usatoday.com. Retrieved 2018-02-13.
  4. "The Web's Bot Containment Unit Needs Your Help — Krebs on Security". 16 March 2020. Retrieved 2020-03-16.
  5. "A Critical Internet Safeguard Is Running Out of Time". Wired. ISSN   1059-1028 . Retrieved 2020-03-16.
  6. Newman, Lily Hay. "Shadowserver, an Internet Guardian, Finds a Lifeline". Wired. Retrieved 2020-06-01.
  7. Krebs, Brian (2006-03-21). "Bringing Botnets Out of the Shadows". The Washington Post . ISSN   0190-8286 . Retrieved 2018-02-13.
  8. "Shadowserver Battles the Botnets". Darknet. 2006-06-29. Retrieved 2018-02-13.
  9. "'Avalanche' network dismantled in international cyber operation". Europol. Retrieved 2018-02-13.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.