What is ThreatTrack?
Through our extensive peering and partner relationships with security organizations around the globe, and our own internal research efforts, we have deep visibility into the Internet threat landscape. By combining that visibility with our capacity to parse these data streams through automated analysis, augmented by our human research efforts, we provide unique, timely and actionable data.
With ThreatTrack, you get:
- Daily posts of malware samples
- 'Raw' URL/IP data extracted from malware analysis and updated hourly
- Fully-qualified URL/IP blocklists by threat category updated hourly
- Real-time analysis reports of all new malware samples as Sunbelt receives and analyzes them
Available Data Feeds
Feed #1: Avshare
Summary: Unique malware samples received daily, posted (named by MD5 hash) by the end of each business day. Samples posted are double-compressed (zipped) and password-protected.
Feed #2: Linkshare
Summary: Hourly posting of 'raw' URL/IP data extracted principally from network activity logged during malware analysis. URL/IP data posted can be used as an emergency block list and/or warning list for filtering and alerting applications.
Feed #3: ThreatTrack
Summary: Hourly posting of fully-qualified malicious and unwanted URL/IPs in four categories:
- Adware/clickfraud
- Pefile (direct links to portable malware)
- Phish URLs and Threat URLs (URLs as a result of malware execution)
URLs/IPs provided come from Sunbelt's Malware Research Labs, Sunbelt research partners, and from URLs/IPs that have been reported malicious each day.
Feed #4: XML Analysis Reports
Summary: Detailed analysis reports, posted in real time, of each malware sample scanned through Sunbelt's internal array of sandboxes.
Feed #5: Exploit Feed
Summary: Hourly posting of URLs passed through an array of "honeyclients" configured to detect malicious activity. Based on a set of heuristic detections, a URL is deemed to be malicious or not. Also captured during the analysis are:
- Files dropped by the URL
- Code containing the actual exploit
- An analysis of all (file, registry, and process) changes
How to get it:
ThreatTrack samples and data feeds are posted hourly on the Sunbelt FTP server. Sunbelt issues a login and password for FTP access to qualified and vetted security researchers prior to evaluation or following purchase. With this login information, researchers can access the complete repository of samples, as well as the data feeds within Sunbelt's FTP account.
For more information on how you can leverage ThreatTrack for your security products, enterprise security, or your organization's research efforts, please contact the SunbeltLabs team at oemsales@sunbeltsoftware.com or call 888-688-8457 x650.
ThreatTrack Frequently Asked Questions
What is ThreatTrack?
ThreatTrack is a comprehensive assortment of six unique data feeds: Avshare, Linkshare, ThreatTrack, XML Reports, Exploit Feed, and Border Patrol. These feeds are updated on a very regular basis.
Can you show me some samples?
WARNING: DO NOT VISIT THESE LINKS. YOU WILL GET INFECTED.
Exploit Feed URL Sample Data
URLID,URL,OUTOFBOUNDS,SUSPICIOUS EXT,NUM OF PROC,OBFUSCATION,LONG STRING,IFRAME,VIRUSSCAN,THREATNAME
12424,hxxp://hanulsms.com,TRUE,TRUE,6,TRUE,TRUE,TRUE,FALSE,NULL
12426,hxxp://emost.net,TRUE,TRUE,7,TRUE,TRUE,TRUE,FALSE,NULL
12427,hxxp://designcodi.com,FALSE,FALSE,3,TRUE,TRUE,TRUE,FALSE,NULL
12430,hxxp://clubminicarlucca.it,FALSE,FALSE,3,TRUE,TRUE,TRUE,TRUE,Trojan-Clicker.HTML.IFrame.acy
12439,hxxp://xfcg.info/evo/exploits/x18.php,FALSE,TRUE,9,FALSE,FALSE,FALSE,TRUE,Exploit.PDF-JS.Gen (v)
12444,hxxp://anti-payed-porn.com/porn/stats.php,FALSE,TRUE,6,FALSE,FALSE,FALSE,TRUE,FraudTool.Win32.RogueSecurity (v)
12468,hxxp://reddii.ru/traffic/sploit1/?220383YaaaYYtYYY,TRUE,TRUE,6,TRUE,TRUE,FALSE,FALSE,NULL
12471,hxxp://saarcop.net/?click=12A44D3A,FALSE,TRUE,7,TRUE,TRUE,FALSE,TRUE,Downloader
PE Files Feed Sample Data
hxxp://img.ku6.com/speedupper/speedupper2.1.906.25.exe
hxxp://83.212.16.22/icons/doc-47473-4378914-34-jpg.exe
hxxp://www.freewebtown.com/v4v4v4/server.exe
hxxp://h1.ripway.com/sbcards008/red_bull.exe
hxxp://www.freewebtown.com/sptscenter/msn.exe
Phish Feed Sample Data
hxxp://85.216.167.162/www.paypal.fr/confirm-paypal/
hxxp://200.220.33.71/management/webscr.php?cmd=_login-run
hxxp://roxar-rc-klubb.net/paypal.fr/online-securise/fr_cgi-bin/webscrcmd=_login-run/
hxxp://174.120.37.82/~recyfer1/pp/us/Confirm.htm
hxxp://72.237.97.38/ebay.it.html
hxxp://i11lihhf.net/ws/eBayISAPIdll
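The sample rows above show the shape of the feeds: the Exploit Feed is a CSV whose columns are per-URL heuristic flags plus an optional AV detection name, while the PE file and phish feeds are plain lists of defanged URLs. The block below is an added example (not Sunbelt's code) that parses both shapes into blocklist entries with an expiry, so that the FAQ advice to cycle the data every few days is enforced rather than remembered. The column meanings are read from the header as given; the three-day TTL, the feed names and the `BlockEntry` fields are assumptions of this example, and the sample rows are copied from the page.

```python
"""Parse ThreatTrack-style feed samples into expiring blocklist entries (added example)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Sample rows in the page's format; the "hxxp" scheme is the feed's defanging convention.
EXPLOIT_FEED_CSV = """URLID,URL,OUTOFBOUNDS,SUSPICIOUS EXT,NUM OF PROC,OBFUSCATION,LONG STRING,IFRAME,VIRUSSCAN,THREATNAME
12424,hxxp://hanulsms.com,TRUE,TRUE,6,TRUE,TRUE,TRUE,FALSE,NULL
12430,hxxp://clubminicarlucca.it,FALSE,FALSE,3,TRUE,TRUE,TRUE,TRUE,Trojan-Clicker.HTML.IFrame.acy
12439,hxxp://xfcg.info/evo/exploits/x18.php,FALSE,TRUE,9,FALSE,FALSE,FALSE,TRUE,Exploit.PDF-JS.Gen (v)
"""

PHISH_FEED = """hxxp://85.216.167.162/www.paypal.fr/confirm-paypal/
hxxp://72.237.97.38/ebay.it.html
"""

# Assumption: the FAQ says to cycle the data every few days; three days is a constructed default.
DEFAULT_TTL = timedelta(days=3)

# Boolean heuristic columns; NUM OF PROC is an integer and is kept separately.
FLAG_COLUMNS = ("OUTOFBOUNDS", "SUSPICIOUS EXT", "OBFUSCATION", "LONG STRING", "IFRAME", "VIRUSSCAN")


@dataclass(frozen=True)
class BlockEntry:
    host: str
    url: str                      # stored defanged, exactly as the feed gives it
    source: str                   # which feed the entry came from
    threat_name: Optional[str]    # AV name when VIRUSSCAN hit, else None
    flags: Tuple[str, ...]        # heuristic columns that were TRUE
    procs: int                    # NUM OF PROC (0 for plain URL lists)
    first_seen: datetime
    expires: datetime


def _refang_for_parsing(url: str) -> str:
    """Swap the scheme only so urlsplit can find the host; the entry keeps the defanged form."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def host_of(url: str) -> str:
    return urlsplit(_refang_for_parsing(url)).hostname or ""


def parse_exploit_feed(text: str, now: datetime, ttl: timedelta = DEFAULT_TTL):
    """Turn Exploit Feed CSV rows into BlockEntry objects that expire after `ttl`."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        flags = tuple(col for col in FLAG_COLUMNS if row[col].strip().upper() == "TRUE")
        threat = None if row["THREATNAME"].strip() == "NULL" else row["THREATNAME"].strip()
        entries.append(BlockEntry(
            host=host_of(row["URL"]), url=row["URL"], source="exploit",
            threat_name=threat, flags=flags, procs=int(row["NUM OF PROC"]),
            first_seen=now, expires=now + ttl))
    return entries


def parse_url_list(text: str, source: str, now: datetime, ttl: timedelta = DEFAULT_TTL):
    """PE file and phish feeds are one URL per line; blank lines are skipped."""
    return [BlockEntry(host_of(u), u, source, None, (), 0, now, now + ttl)
            for u in (line.strip() for line in text.splitlines()) if u]


def active_hosts(entries, now: datetime):
    """Hosts still inside their TTL; this is what a filter would actually load."""
    return sorted({e.host for e in entries if e.expires > now})


def confirmed_entries(entries):
    """Rows carrying an AV name; heuristic-only rows are weaker evidence and merit review."""
    return [e for e in entries if e.threat_name is not None]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    entries = parse_exploit_feed(EXPLOIT_FEED_CSV, now) + parse_url_list(PHISH_FEED, "phish", now)
    for e in entries:
        print(e.source, e.host, e.threat_name or "-", ",".join(e.flags) or "-")
    print("active hosts:", active_hosts(entries, now))
```

Keeping the URL defanged in the stored entry and only refanging a copy for `urlsplit` avoids writing a live link to disk or a log; the `expires` field is what makes the FAQ's "cycle every few days" a mechanical check instead of a manual chore.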
I am a Vendor of security products. How can I incorporate this data into my products?
If you currently offer a web filtering application or appliance, you can incorporate our feeds into your current blacklist. Your AV software offering will benefit substantially from our large array of unique daily malware samples. If you are researching malware or need to compare against your in-house research, you will benefit from our huge assortment of XML reports, produced by our internal array of CWSandbox instances. These reports contain behavior analysis results sorted by MD5.
Can I use this data to include in my product as a black list?
Yes.
Is the ThreatTrack data validated/certified bad?
Our ThreatTrack and Linkshare feeds are produced from websites visited during the analysis of malware in our internal array of CWSandbox machines.
How long is the data valid for?
We recommend that you cycle this data every few days.
Do you consistently requalify URLs as malicious?
No. As most malware is not hosted at the same site for long periods of time, we do not go back and requalify these URLs.
How many new URLs do you post a day?
Between the different feeds we see anywhere from a couple hundred to over 1000 new URLs a day.
Does the Exploits feed only contain sites that push malware?
The Exploit Feed is produced by our internal array of honeyclients. These sites may not push malware, but they have been qualified as malicious by our internal heuristics.
How do I access ThreatTrack?
Once you have purchased (or an evaluation agreement has been received), we will give you access to our FTP site, where you can download the information.
How is pricing structured?
Pricing is dependent upon how the data will be incorporated into your product, or used at your site. Please contact oemsales@sunbeltsoftware.com to discuss our pricing options further.