SRI International, a nonprofit research institute, maintains a few lists that I like to review on a regular basis.
- Most Effective Antivirus Tools Against New Malware Binaries – These detection rates represent the TRUE POSITIVE detection rates of the various antivirus tools on the limited corpus of malware binaries captured by our honeynet. The results do not take into consideration the false positive rate of a given tool, so a tool that declares everything to be infected would appear to have the highest true positive percentage rate. All antivirus results are provided via www.virustotal.com.
- Most Prolific BotNet Command and Control Servers and Filters – the most observed botnet command and control server IP addresses, including port numbers, filters, and examples of chatter.
- Most Aggressive Malware Attack Sources and Filters – a list of known infected malware clients currently propagating through the Internet.
- Most Aggressively Spreading Malware Binaries – MD5 hashes of the most aggressively spreading malware binaries.
- Most Effective Malware-Related Snort Signatures – the Snort signatures that most effectively detect malware infections, as experienced by the SRI Malware Honeynet.
- Most Observed Malware-Related DNS Names – the most frequently observed malware-related DNS names that SRI has seen looked up during malware infections or embedded within malware binaries.
I use this data to tweak firewall and IDS/IPS rulesets, especially with Snort systems. On a semi-related note, another great resource for Snort rules is Emerging Threats.
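As an added illustration of turning feed data like the above into ruleset changes (this is example code written for this post, not SRI's tooling or data), the script below reads a constructed feed of C2 IPs with ports, malware DNS names and binary MD5s, validates every value before it is allowed anywhere near a rule, and emits Snort alert rules, iptables DROP lines and a hash list. The feed format (`type,value[,port]`), the `Feed ...` message text and the SID range starting at 1000001 are assumptions for the example. The validation step matters: a feed is untrusted input, and a malformed line that reached the rule text unchecked could break or subvert the generated Snort or firewall configuration.

```python
import ipaddress
import re

# Constructed sample feed (not SRI's data): "type,value[,port]" per line.
# The last two lines are deliberately malformed to exercise the validation path.
SAMPLE_FEED = """\
# type,value[,port]
ip,192.0.2.10,6667
ip,198.51.100.23
dns,example-bad.invalid
md5,d41d8cd98f00b204e9800998ecf8427e
ip,not-an-ip
md5,ZZZZ
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# One DNS label: 1-63 letters/digits/hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def valid_dns_name(name):
    """Hostname check: at most 253 chars, at least two dot-separated LDH labels."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def parse_feed(text):
    """Return (accepted, rejected). Accepted entries are (kind, value, port) tuples.
    Only well-formed values reach the rule generator, so a broken or hostile feed
    line cannot inject characters into a Snort rule or a firewall command."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip().lower() for p in line.split(",")]
        if len(parts) < 2:
            rejected.append((lineno, "too few fields"))
            continue
        kind, value = parts[0], parts[1]
        port = None
        if len(parts) > 2:
            if not parts[2].isdigit() or not 1 <= int(parts[2]) <= 65535:
                rejected.append((lineno, "bad port"))
                continue
            port = int(parts[2])
        if kind == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                rejected.append((lineno, "bad ip"))
                continue
        elif kind == "dns" and not valid_dns_name(value):
            rejected.append((lineno, "bad dns name"))
            continue
        elif kind == "md5" and not MD5_RE.match(value):
            rejected.append((lineno, "bad md5"))
            continue
        elif kind not in ("ip", "dns", "md5"):
            rejected.append((lineno, "unknown type"))
            continue
        accepted.append((kind, value, port))
    return accepted, rejected


def dns_wire_content(name):
    """Encode a name as a Snort content string in DNS wire format: each label
    prefixed by its length byte, terminated by a zero byte.
    example-bad.invalid -> |0B|example-bad|07|invalid|00|"""
    return "".join(f"|{len(label):02X}|{label}" for label in name.split(".")) + "|00|"


def build_rules(entries, sid_base=1000001):
    """Turn validated entries into Snort rules, iptables DROP lines and an MD5 list.
    Snort has no native hash match, so MD5s go to a separate list for other tools."""
    snort, firewall, hashes = [], [], []
    sid = sid_base
    for kind, value, port in entries:
        if kind == "ip":
            dport = port if port is not None else "any"
            snort.append(
                f'alert tcp $HOME_NET any -> {value} {dport} '
                f'(msg:"Feed C2 contact {value}"; sid:{sid}; rev:1;)'
            )
            rule = f"iptables -A OUTPUT -d {value}"
            if port is not None:
                rule += f" -p tcp --dport {port}"
            firewall.append(rule + " -j DROP")
            sid += 1
        elif kind == "dns":
            snort.append(
                f'alert udp $HOME_NET any -> any 53 '
                f'(msg:"Feed malware DNS lookup {value}"; '
                f'content:"{dns_wire_content(value)}"; sid:{sid}; rev:1;)'
            )
            sid += 1
        elif kind == "md5":
            hashes.append(value)
    return {"snort": snort, "firewall": firewall, "hashes": hashes}


if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED)
    for lineno, reason in bad:
        print(f"rejected line {lineno}: {reason}")
    for section, lines in build_rules(ok).items():
        print(f"# {section}")
        print("\n".join(lines))
```

The DNS rule matches the query name in wire format rather than as plain text, which is what actually appears in a DNS packet; the two rejected lines in the sample show that a bad IP and a bad hash are reported and dropped instead of being written into a rule.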