[nsp-sec] New "mwtype" in Daily Reports "bots" category tomorrow

Tim Wilde twilde at cymru.com
Wed Oct 14 17:40:23 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey everyone,

As a quick heads-up, there's going to be a new "mwtype" value appearing
in your "bots" category Daily Reports tomorrow, "Hoster-HTTP".  A full
description of this mwtype will be on the bots daily report page
tomorrow at this URL:

	https://www.cymru.com/nsp-sec/dailyreports/bots.html

The short description for now is that this is similar data to that which
I sent out back in June with the subject "HTTP Bot C&C Hits -
2009-06-15".  We cannot reveal the source, srcport, or dstIP of this
traffic, but we can identify that it was malicious HTTP traffic at the
times indicated.  We understand that this is less than optimal for many
circumstances, but we feel that the value of getting this data to those
who can use it for non-proxied/NAT'd IPs outweighs that complication.
All hosts in the list have been confirmed to have completed a TCP
three-way handshake, and thus are not believed to be spoofed.

We anticipate that this mwtype will be used on a semi-regular basis,
though data input to it is not fully automated at this time.  The data
will all be from the same source; we won't be amalgamating multiple
sources into this one bucket.  If others in similar situations come
along, we'll come up with new names so you can distinguish between them.

I apologize for the short notice, but we wanted to get the data out
there while it was as fresh and useful as possible.  Please feel free to
direct any comments, questions, concerns, etc., to me or to
team-cymru at cymru.com.

Best regards,
Tim Wilde

- -- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrWRUcACgkQluRbRini9thg+QCdHt41jj2CTrJuBkC98I882iiZ
8REAnA/7ngXRdGjaHgF9SN/sQC6Q/Zjh
=xkBg
-----END PGP SIGNATURE-----


