IP Scanning User Guide

About

Metadefender Cloud allows users to check IP addresses and domains for malicious behavior using many IP reputation sources. This functionality makes it possible to identify threats like botnets that would not be found through scanning files when accessing content. By providing a standardized interface for the leading IP reputation sources, Metadefender Cloud makes it possible to obtain aggregated data on whether an IP address or domain should be trusted, so that you can monitor your network for possible threats.

The potential maliciousness of an IP address or domain can change frequently. To keep our results up-to-date and reduce false positives, we only save our results from the IP reputation sources for 15 days. In addition, we are experimenting with an algorithm for determining the confidence level for a given IP address result. The confidence level we display for each result aims to provide an additional data point for decision making, to allow a balance between security and flexibility.

Below are some additional explanations for the scan results we return for IP addresses and domains.

Source

We are currently using 13 sources to collect bad IP addresses. However, we plan to expand this list to include URL-based as well as non-CIF-compatible sources. Below is a list of the sources that Metadefender Cloud currently incorporates. This list is subject to change depending on the availability and reliability of its contents.

Source Overview

Alien Vault
  • This source is generated by AlienVault Open Threat Exchange, a crowd-sourced service for IP reputation information.
  • It was first published on 22 Feb 2012 and updates daily.
  • It contains many assessments (botnet, scanner, spam, malware, phishing).
Brute Force Blocker
  • This source's main purpose is to block SSH brute-force attacks via its firewall.
  • It was first published on 12 Nov 2005 and updates daily.
  • It returns results for IP addresses considered "scanners".
Chaos Reigns
  • This source is generated by the corresponding automated, free, public email IP-reputation system.
  • It was first published on 31 Mar 2011 and updates daily.
  • It provides results for IP addresses it has whitelisted.
Clean MX
  • Over 700 abuse departments worldwide use this data to proactively detect harmful pages.
  • This source was first published on 01 Feb 2006 and updates hourly.
  • It returns results for IP addresses assessed as "malware" and "phishing".
Dragon Research Group
  • This source's purpose is to mitigate VNC password-authentication brute-force attacks and SSH password-authentication brute-force attacks.
  • It was first published on 29 Apr 2011 and updates hourly.
  • It returns results for IP addresses considered "scanners".
Feodo Tracker
  • This source contains IP addresses (IPv4) that have been used as Command & Control (C&C) communication channels by the Feodo Trojan.
  • It updates weekly.
  • It provides the "botnet" assessment.
Malc0de
  • This source updates daily.
  • It returns the "malware" assessment.
Malware Domain List
  • The Malware Domain List website maintains a list of domains that are known to host malware.
  • This source was first published on 29 Aug 2009 and updates weekly.
  • It returns the "malware" assessment.
OpenBL
  • This source is generated by monitoring ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for brute-force login attacks, as well as scanning on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.
  • It was first published on 10 Oct 2010 and updates daily.
  • It provides results for IP addresses considered "scanners".
Phish Tank
  • This source is provided by PhishTank, a free community site where anyone can submit, verify, track and share phishing data.
  • The total number of phishes that this source has verified as valid at the time of writing is 1,533,197.
  • It updates hourly.
  • It returns results for IP addresses assessed as "phishing".
Spy Eye Tracker
  • The SpyEye Tracker is another project by abuse.ch. This source contains all IPv4 addresses currently tracked as malicious SpyEye Command&Control servers.
  • It updates daily.
  • It returns the "botnet" assessment.
The Spamhaus Project
  • As of 02 October 2014, the Spamhaus Blocklists are protecting 2,199,795,000 users' mailboxes.
  • This source is one of these blocklists and contains netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders and botnet controllers).
  • It updates daily.
  • It returns the assessment "suspicious".
Zeus Tracker
  • ZeuS Tracker offers various IP- and domain-blocklists that contain known ZeuS C&C servers associated with the ZeuS crimeware.
  • It updates daily.
  • It provides results for IP addresses considered "botnets".

Result

There are three possible results for each of the sources; they are listed below. Metadefender Cloud categorizes an address as BadIP if it belongs to a source's blacklist. Our policy is to keep these results for up to 15 days in order to limit potential false positives.

See more details about our expiration policy in the Last Detected section.

Blacklisted

The IP (or corresponding IP) is listed by the source in their blacklist (e.g., the Feodo IP Blocklist). Refer to the source for more information regarding their blacklist.

Whitelisted

The IP (or corresponding IP) is listed by the source in their whitelist (e.g., Chaos Reigns' White List). Note: not all sources provide whitelists.

Unknown

The source has not listed this IP address in either their blacklist or whitelist.

Corresponding IP: If the input is a URI, the IP for its hostname is looked up using the freegeoip service. If we fail to retrieve the IP for the given hostname, we are not able to scan the input. In a future release, we plan to support looking up both the IP and the URI as inputs to a whitelist and block-list.

Last Updated

Currently, Metadefender Cloud's BadIP database is updated daily for each source, which is indicated in the "Last updated" column of the results. However, this does not necessarily correspond directly with the source releasing their own list. In the near future, this information will represent the time when the feed is generated instead of the time when we consume the feed. Below is the update frequency for each source.

Frequency: Sources
Hourly: Phish Tank, Dragon Research Group, Clean MX
Daily: The Spamhaus Project, OpenBL, Zeus Tracker, Malc0de, Brute Force Blocker, Alien Vault, Chaos Reigns, Spy Eye Tracker, Feodo Tracker
Weekly: Malware Domain List

*The update frequencies for these sources are estimates based on their regular update patterns. They are not necessarily exactly daily or weekly, but relatively close to this.

Last Detected

The last detected date indicates the last time an IP address was confirmed as a BadIP by the source. A feed (i.e., a block-list or whitelist) can be maintained in one of two ways: either it is reset so that it contains only currently active bad IPs, or it accumulates, with newly found bad IPs appended to it.

For a source that resets their list

We use the time at which we saw the IP in the list as the detection time. Since our policy is to keep results for only up to 15 days, the IP scan results will no longer show the detection after 15 days.

For a source that accumulates their list

We still show bad IP detections that are older than 15 days. In this case, the confidence score will be lower than for a more recent detection.

Assessment

Metadefender Cloud utilizes the assessments below, which have been pulled from the collective-intelligence-framework.

botnet
  • Typically a host used to control another host or malicious process.
  • Matching traffic would usually indicate infection.
  • Typically used to identify compromised hosts.
malware
  • Typically a host used to exploit and/or drop malware to a host for the first time.
  • Typically NOT a botnet controller (although they could overlap).
  • Communications with these indicators may lead to a compromise and then to a possible botnet controller communication (if the infection was successful).
  • Typically used in preemptive blocking, alerts may not indicate infection was successful.
phishing
  • A luring attempt at a victim to exfiltrate some sort of credential.
  • A targeted attempt at getting someone to unintentionally cause infection (spear phishing).
scanner
  • Typically infrastructure being used to scan or brute-force (SSH, RDP, Telnet, etc.).
spam
  • Typically infrastructure being used to facilitate the sending of spam.
suspicious
  • Unknown assessment.
whitelist
  • Denotes that a specific entity (usually an address) should be considered harmless in nature.
  • Denotes that blocking an entity would result in mass collateral damage (e.g., Yahoo virtually-hosted services).
  • Confidence should be applied to each entry to help calculate risk associated with whitelist.

Confidence (Beta)

The confidence score represents the reliability of the detection based on several factors. The higher the score, the more reliable the result.

This is an experimental feature that we are currently evaluating. It will be adjusted based on further assessments and statistics. Below you will find the definitions for our score categories. These have been adapted to the CIF definition.

95-99  certain (not yet included in our ratings)
85-94  very confident
75-84  somewhat confident
50-74  not confident
0-49   unknown

Confidence (max 90) = 50 (base)
    + feed update (up to 10)
    + source reputation (up to 15)
    + result expiration (-89 to 15)
    + multiple detections (10 or 30)

Factor: Description
Feed update: More frequently updated sources receive more confidence points. If a source updates hourly, we add 10 points; if daily, we add 5 points. If the source updates only weekly, no confidence points are added for this factor.
Source reputation: Based on internal analysis.
Result expiration: We consider results expired after 15 days, so we look at the last detected time for an IP address and add confidence based on the age of the result. For results up to 15 days old, we add 15 points to the confidence. After 15 days, we decrement the amount added by one each day until it reaches 1 (it never becomes 0).
Multiple detections: If 2 sources detect the IP address as malicious, we add 10 to the confidence level. If more than 2 sources detect the IP address as malicious, we add 30 to the confidence level.
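As an added illustration (not code from Metadefender Cloud), the Python below implements the scoring rules as this guide describes them: the base of 50, feed-update points by frequency, a caller-supplied source-reputation value (0 to 15, since the guide only says "based on internal analysis"), the 15-day result-expiration rule with its floor of 1, the 10/30 multiple-detection bonus, the cap of 90 and the category bands; it also applies the reset-versus-accumulate visibility rule from the Last Detected section. The "-89 to 15" range shown in the formula is not reproduced; the expiration factor follows the Factor table's wording, which is an assumption on my part.

```python
# Constructed example of the confidence scoring described in the guide.
# All point values come from the guide's Factor table; the source-reputation
# input is a caller-supplied placeholder (0-15), not Metadefender's real data.
FEED_UPDATE_POINTS = {"hourly": 10, "daily": 5, "weekly": 0}
RETENTION_DAYS = 15      # results are considered expired after this many days
CONFIDENCE_CAP = 90      # "Confidence (max 90)"
BASE_POINTS = 50


def expiration_points(age_days: int) -> int:
    """15 points while the result is at most 15 days old, then one point
    less per day, never dropping below 1."""
    if age_days <= RETENTION_DAYS:
        return 15
    return max(1, 15 - (age_days - RETENTION_DAYS))


def multiple_detection_points(detecting_sources: int) -> int:
    """10 points when exactly two sources agree, 30 when more than two."""
    if detecting_sources > 2:
        return 30
    return 10 if detecting_sources == 2 else 0


def confidence(update_freq: str, source_reputation: int,
               age_days: int, detecting_sources: int) -> int:
    """Sum the factors on top of the base score and apply the cap of 90."""
    if not 0 <= source_reputation <= 15:
        raise ValueError("source reputation must be within 0..15")
    score = (BASE_POINTS + FEED_UPDATE_POINTS[update_freq] + source_reputation
             + expiration_points(age_days)
             + multiple_detection_points(detecting_sources))
    return min(score, CONFIDENCE_CAP)


def category(score: int) -> str:
    """Map a score onto the guide's CIF-derived bands."""
    for floor, label in ((95, "certain"), (85, "very confident"),
                         (75, "somewhat confident"), (50, "not confident")):
        if score >= floor:
            return label
    return "unknown"


def detection_visible(list_type: str, age_days: int) -> bool:
    """Reset-style lists hide detections older than 15 days; accumulating
    lists keep showing them (with a lower confidence, per the guide)."""
    return list_type == "accumulate" or age_days <= RETENTION_DAYS
```

With an hourly source, full reputation, a fresh result and five agreeing sources, the raw sum is 120 and the cap brings it down to 90 ("very confident"); a weekly source seen alone gives 65 ("not confident").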