Malware Events

Malware events are available to customers who have purchased RiskIQ Enterprise Digital Footprint. They alert customers to any malware being hosted on, linked to from, or embedded in a site in their RiskIQ inventory. Each event is defined by malware occurring on a unique asset host / threat host pair. 

Note that a single event may cover more than one affected page on the asset host and more than one unique threat URL on the threat host. Note also that the same asset host being infected by multiple threat hosts constitutes multiple events, as does the same threat host infecting multiple asset hosts. This grain is chosen so that the owner of a web host can clean up multiple page infections across that single host at once, and events are reported in a format designed to help internal web site owners track down the source and extent of the problem in their inventory. 

When a threat is detected, a Malware event is created in the workspace. It can be viewed in the events dashboard and events list inside the RiskIQ web application, in an email alert, or via the RiskIQ events API. All hosts and individual URLs are also linked to PassiveTotal and to RiskIQ's raw crawl data for further investigation. 

If you want to detect malware on third-party sites that you do not own, you can do so by adding crawl projects that look at external web pages. Consult your RiskIQ technical account manager beforehand, however, as crawls outside your Inventory may or may not be included in your service. 

Malware Events 

Outlined below are tips on:

  1. How to read and interpret the information presented in a Malware event
  2. Suggested best practices for Malware event management, including user workflow and tagging

Example: the asset host m.theclubsv.org contains embedded third-party resources and external links to URLs on the blacklisted host snappy.applepie.com.

Reading Malware Events - Field Definitions

Event List Item

This is how Malware events are represented in the Events section of the RiskIQ web application. Clicking on a list item brings up details for the event and user-initiated workflow actions. 

  • Event-Type: what kind of event it is.
  • Status: current status of the event.
  • Threat Host: host name associated with the malware detected. 
  • Active: Malware events are considered active as long as there is at least one page on the asset host affected by at least one URL from the threat host and the threat host is still blacklisted.
  • First Seen: date the event was generated.
  • Scanned At: when the page was last crawled to check whether the violation has been resolved.
  • Tags (if any have been applied)

Event Header

At the top of each event's details is a header containing high-level information, as well as workflow actions.

  • Status: current event status and the ability to change the status of this event.
  • Tags: tags applied to this event and the ability to add or remove tags (if any tags are configured for this event-type).
  • Owner: current event owner responsible for reviewing or tracking the event and the ability to assign a new owner for this event. 
  • Priority: current event priority and the ability to assign a new priority for this event.
  • Email Event Details (via envelope icon at top right)

Summary Tab

The Summary provides the basic information needed to assess the event and decide how to act on it, including a plain-English description. The Summary tab is organized into multiple sections:

DESCRIPTION

  • Number of pages affected in the asset host
  • Number of unique blacklisted threat URLs found within those pages
  • Number of other hosts found to contain malware from the same threat host
  • Whether RiskIQ rates this as an exact or reputation match, and with what level of confidence (high, medium, low)
    • Confidence is derived from the score of the blacklist incident: a score above 75 is High, a score above 50 and up to 75 is Medium, and a score of 50 or below is Low.
  • How many top AV vendors have blacklisted this threat host, and how many AV vendors have blacklisted it overall
  • RiskIQ's classification of priority and recommended action (suspicious vs. urgent)
    • The urgent and suspicious classifications separate high-confidence detections from lower-confidence detections of potential problems. This feature was designed to reduce "alert fatigue" caused by the major anti-virus blacklists.  
      The logic for Urgent vs. Suspicious is evaluated as follows; an event that meets any one condition is urgent:

      Condition                                          Recommendation
      RiskIQ confidence is High or Absolute              RiskIQ classifies this event as urgent and recommends immediate action.
      RiskIQ match type is Behavioral                    RiskIQ classifies this event as urgent and recommends immediate action.
      Event is reported by any of these AV vendors:      RiskIQ classifies this event as urgent and recommends immediate action.
        • Symantec / Norton
        • McAfee (NOT McAfee Gateway Edition)
        • Kaspersky
        • BitDefender
        • MalwareBytes
        • AVG
        • Trend Micro
        • Webroot
        • Avast
      Event is reported by 3 or more of any other        RiskIQ classifies this event as urgent and recommends immediate action.
      AV vendors
      DOES NOT MEET ANY OF THESE CONDITIONS              RiskIQ classifies this event as suspicious and recommends follow-up and continual monitoring. 
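The event grain described at the top of this page (one event per unique asset host / threat host pair, rolling up several affected pages and threat URLs) and the confidence banding and Urgent vs. Suspicious table above can be reproduced by anyone consuming events from the RiskIQ events API, for example to route urgent events to a ticket queue. The following is an added illustration written for this page, not RiskIQ's own implementation: the thresholds, vendor list and the two host names come from the page, while the URL paths, the observation records and the function names are constructed for the example. It treats "McAfee Gateway Edition" as an "other" vendor, which is an assumption about how the page's exclusion is meant to be applied.

```python
"""Added example for this page (not RiskIQ's own code): rolls constructed crawl
observations up to the Malware-event grain, one event per unique
(asset host, threat host) pair, and reproduces the Summary tab's confidence
banding and Urgent vs. Suspicious triage. Thresholds, vendor list and the
two host names come from the page; URL paths and observation records are
constructed sample input."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Vendors whose report alone makes an event urgent (the page's table).
# "McAfee Gateway Edition" is deliberately absent, so it counts as an
# "other" vendor below (assumption about how the page's exclusion applies).
PRIORITY_VENDORS = {
    "Symantec / Norton", "McAfee", "Kaspersky", "BitDefender",
    "MalwareBytes", "AVG", "Trend Micro", "Webroot", "Avast",
}
OTHER_VENDOR_THRESHOLD = 3   # "3 or more of any other AV vendors"


def confidence_level(score: float) -> str:
    """Band a blacklist incident score: >75 High, >50 Medium, <=50 Low."""
    if score > 75:
        return "High"
    if score > 50:
        return "Medium"
    return "Low"


def classify(confidence: str, match_type: str, vendors) -> tuple:
    """Apply the page's Urgent vs. Suspicious conditions; first match wins.

    confidence: High / Medium / Low (or the page's 'Absolute')
    match_type: Exact / Reputation / Behavioral
    vendors:    names of AV vendors that have blacklisted the threat host
    Returns (classification, reason).
    """
    reported = set(vendors)
    if confidence in ("High", "Absolute"):
        return "urgent", f"confidence is {confidence}"
    if match_type == "Behavioral":
        return "urgent", "behavioral match"
    hit = reported & PRIORITY_VENDORS
    if hit:
        return "urgent", "reported by " + ", ".join(sorted(hit))
    others = reported - PRIORITY_VENDORS
    if len(others) >= OTHER_VENDOR_THRESHOLD:
        return "urgent", f"reported by {len(others)} other AV vendors"
    return "suspicious", "no urgent condition met; follow up and keep monitoring"


@dataclass
class MalwareEvent:
    asset_host: str
    threat_host: str
    pages: set = field(default_factory=set)        # affected pages on asset host
    threat_urls: set = field(default_factory=set)  # distinct blacklisted URLs


def group_observations(observations) -> dict:
    """Roll (affected page URL, threat URL) observations up to one event per
    unique (asset host, threat host) pair, the grain the page describes."""
    events = {}
    for page_url, threat_url in observations:
        key = (urlsplit(page_url).hostname, urlsplit(threat_url).hostname)
        ev = events.setdefault(key, MalwareEvent(*key))
        ev.pages.add(page_url)
        ev.threat_urls.add(threat_url)
    return events


def other_affected_hosts(events: dict, threat_host: str) -> int:
    """'Number of other hosts found to contain malware from the same threat
    host': events sharing this threat host, minus the event itself."""
    return sum(1 for (_, th) in events if th == threat_host) - 1


# Constructed sample observations; only the host names come from the page.
OBSERVATIONS = [
    ("http://m.theclubsv.org/index.html", "http://snappy.applepie.com/js/track.js"),
    ("http://m.theclubsv.org/about.html", "http://snappy.applepie.com/js/track.js"),
    ("http://m.theclubsv.org/about.html", "http://snappy.applepie.com/dl/setup.exe"),
    ("http://www.example.org/home", "http://snappy.applepie.com/js/track.js"),
]

if __name__ == "__main__":
    events = group_observations(OBSERVATIONS)
    for (asset, threat), ev in events.items():
        print(f"{asset} <- {threat}: {len(ev.pages)} page(s), "
              f"{len(ev.threat_urls)} threat URL(s), "
              f"{other_affected_hosts(events, threat)} other host(s)")
    # Score 60 (Medium) with only McAfee Gateway Edition reporting: suspicious.
    print(classify(confidence_level(60), "Exact", ["McAfee Gateway Edition"]))
    # Same score, but Kaspersky reports it: urgent on the vendor rule.
    print(classify(confidence_level(60), "Exact", ["Kaspersky"]))
```

Running the block groups the four constructed observations into two events (m.theclubsv.org and www.example.org, both against snappy.applepie.com); the first has two affected pages and two distinct threat URLs, and each sees one "other" affected host. The two `classify` calls show the point of the table: the same Medium-confidence event flips from suspicious to urgent purely on which vendor reports it.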

ATTRIBUTES

  • Malware Type (e.g. Adware, Trojan, PDF, etc.)
  • Affected Host
  • Threat Host
  • Match Level (URL, Host, or Domain)
  • Match Type (Exact or Reputation)
  • Malware Source: Where the malware is relative to your asset host, e.g. hosted internally (the threat host is also an asset host), embedded third party resource within a page of the asset host, external link on a page of the asset host, redirect from the asset host, etc.
  • Matched Lists: What blacklists the threat host is reported on
  • Binary
  • Detection Reason: This can be RiskIQ's own blacklist description or a reason based on another list (e.g. VirusTotal)

OCCURRENCES

A calendar of when pages on this host were crawled and observed as affected by malware. Dates in red represent an active observation, and the number of pages observed is visible if you hover over the date.

HISTORY

  • Timeline of changes made to the event with the date, time, and name of the user who took each action, including:
    • Status changes 
    • Emails sent (with recipients)
    • Notes added
    • Tags added/removed

Affected Host

This tab shows information about the web host asset affected by the malware with details to help clean it up, such as the tags, brand, organization, and contact people assigned to it in your RiskIQ Inventory.

Threat Host

This tab shows information to help identify the source malware hosting infrastructure and links to PassiveTotal to further investigate this host.

Pages Affected

This tab helps users understand how many and which pages on the host are serving malware. If you expand a page by clicking the arrow on the left, more details are exposed, such as links to the individual crawls that found one or more threat URLs on that specific page and the details of the blacklisted content found in each crawl.

Threat URLs

This tab helps identify the root source of the malware. If you expand a threat URL by clicking the arrow on the left, more details are exposed, such as links to the individual crawls that found that specific threat URL on one or more affected pages and the details of the blacklisted content found in each crawl.


Managing Malware Events - User Review Decision Workflow and Tagging Best Practices

The review decision workflow is shown as a diagram (not reproduced here) with the following colour key:

  • Green represents steps taken automatically by the RiskIQ system
  • Pink represents steps taken by a human user
  • Blue represents a status and/or tag label
Note that, unlike other events in the RiskIQ system, Malware events DO NOT automatically resolve when they are detected as inactive. While auto-resolution would help reduce noise for malware events that have been resolved and removed from the Zlist, it was decided that there are specific scenarios in which it would expose clients to potentially serious malware threats. The rationale: the Zlist expires events automatically every 30 days, and a live malware event should not be removed from a customer's queue just because it was not resolved within 30 days.  

Talk to your RiskIQ Technical Account Manager or to RiskIQ Product Management if this becomes an issue for you.  

Tag Set

(Custom--there is typically no need to use tags for Malware events, but custom labels can be made as needed)