This group of (possible) infections is discovered by recognising specific traffic characteristics, for example the destinations with which a computer communicates.
Detection is mainly based on a continuously updated list of known malicious destinations, but Shadow-IT can also be recognised with this type of discovery.


Heuristics are the algorithms that analyse network traffic based on behaviour and time. Without knowing a malicious destination, this method indicates, based on recognisable patterns, that the network traffic is different and therefore probably malicious.

A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker access to the device and its connection. The owner can control the botnet using command and control (C&C) software or a C&C server. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation.

Malware is active on your client’s system, but the controller IP has been seized or diverted in order to disable the botnet. The infected client still tries to connect to it and, therefore, a breach and an infection occurred in the past. Sinkholed servers are former and disarmed Botnet Controllers that are disabled by security companies or law enforcement.

Connecting to Tor is done to hide illicit activities, either on purpose or automated by malware. The Tor Network is designed to offer anonymous Internet access to its users and can also be used to hide a Botnet Controller. Anonymous access could be used as a means to subvert company usage policy or even engage in illicit activity. Since mid-2013, the Tor Network has been used by an increasing number of operators to hide communications with Botnet Controllers. If not initiated by an employee, then an infection is present within your network. An alert in this category should be investigated at all times.

Mining Pools are used by malware to produce cryptocurrency assets (e.g., Bitcoins) using your computing resources.

Cryptocurrencies are generated by users who offer their CPU or GPU power to calculate complex algorithms. The calculating power is rewarded with cryptocoins which can be exchanged for cash. A mining pool occurs when multiple people combine computing resources to produce cryptocurrencies. Malware writers are always looking for ways to make money, and illicitly using your computer to generate cryptocurrencies pays off. In addition to malware, mining can also be done by personnel who use resources for personal benefit. An alert in this category should warrant further investigation.

Various uncategorised malicious indicators that require your attention.

New methods used by cybercriminals appear daily. When we see a threat that does not fit any other category, it will be placed into the Miscellaneous category. When a specific method recurs over a longer period, it will be moved to a new dedicated category. It is advised that you review the meta-data of the alert, as it can provide some insight into the nature of the threat.

A Bad Internet Neighbourhood refers to Internet Service Providers (ISPs) that are known to be used solely for questionable and/or blatantly illegal activities.

Cybercriminals have a preference for Internet Service Providers that offer services without asking their customers too many questions (e.g., few rules, anonymous payment methods, etc.). These IP-addresses are frequently used in targeted attacks, phishing/pharming campaigns or as Botnet Controllers.

Certain cloud services are considered more harmful than others based on their user policy.

Cloud storage services are often installed in violation of your organisation’s computer usage policy and are frequently responsible for enterprise data leakage & theft.

Filesharing tools increase the risk of malware infections and can also facilitate the sharing of more data than may be initially intended.

Filesharing tools, such as eMule and BitTorrent, are used to download music, movies and software from other users in that network. Most of these protocols are illegal to use due to the sharing of copyright-protected material. About 60% of the software found in the most popular P2P networks has malware attached to it; unfortunately, users are typically unaware of this risk. Even the software used for sharing files may present a risk, as it is frequently not secure. The sharing of unwanted directories is also common.

Well-known and lesser-known IRC servers are occasionally used in malware campaigns.

Connecting to a proxy is often done to bypass company policies and can also be initiated by malware.

A computer user can use a public proxy to re-route their browser through a different system. This is frequently done to bypass URL-based company policies. In addition, malware can also use public proxies to spread infections. An alert in this category should warrant further investigation.

Remote administration tools provide full control of systems within your network or originating from your network.

Remote administration tools/desktop sharing tools can be used with good intent, but can also be used to dangerous effect by malware and consequently used in social engineering attacks. Well-intended actions, such as remote working programmes, are often facilitated via remote administration tools but doing so opens up a gap in your security environment. Certain tools, regardless of popularity, can be detected based on 3rd party IP-addresses; others can be detected via their port number. TeamViewer, for example, can be detected even though no connection is in place.

Certain countries provide no legitimate services for normal daily Internet activity but are known as origination points of cyber-attacks.

In an open network, connections to these countries will occur regularly; secure networks, however, should limit accessibility to IP-addresses from questionable locations. Browsing less popular websites, international NTP-pools (time servers) and P2P software will trigger an alert for this category. In maximum security networks, connections to IP-addresses from this category require attention.

Domain parkers are IPs which host expired domains.

Recurring connections to domain parkers can indicate infection with malware.

IP Self-Check services are web-based services which show the external (public) IP of the source host.

These services are extensively used by malware, and recurring connections to IP Self-Check services can indicate infection with malware.

Indicators of path traversal in URLs.

This may signal attempts to access confidential files elsewhere in the directory structure, such as password files. This technique is often used as a starting point for hacking.

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).

This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.
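One way such URL indicators can be recognised, as an added example that is not the product's own detection logic: the URL is percent-decoded repeatedly so that encoded variations of "../" are seen, then checked for dot-dot segments and absolute file paths. The function names, the decode limit, the list of root directories and the sample URLs are assumptions made for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# A ".." segment delimited by / or \ (or the string edges), after decoding.
_DOTDOT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Absolute file path given as a parameter value (assumed Unix roots, Windows drive).
_ABSOLUTE = re.compile(r"^(/(etc|proc|var|usr|home|root)/|[A-Za-z]:[\\/])")

MAX_DECODE_ROUNDS = 3  # assumption: enough for double and triple encoding


def fully_decode(value):
    """Percent-decode until stable, so %252e%252e%252f becomes ../"""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicators(url):
    """Return a list of traversal indicators found in the URL path and query."""
    parts = urlsplit(url)
    findings = []
    if _DOTDOT.search(fully_decode(parts.path)):
        findings.append("dotdot-in-path")
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = fully_decode(raw.replace("+", " "))
        if _DOTDOT.search(value):
            findings.append("dotdot-in-param:" + name)
        elif _ABSOLUTE.match(value):
            findings.append("absolute-path-in-param:" + name)
    return findings


# Constructed sample requests (shop.example is a placeholder host).
SAMPLE_URLS = [
    "http://shop.example/download?file=..%2f..%2fetc%2fpasswd",
    "http://shop.example/docs/v1..2/index.html?q=a..b",
]
```

The second sample URL contains ".." inside ordinary names and yields no indicator, because only whole dot-dot path segments are matched.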

Periodic heartbeat connections, indicating potential malware infections.

Heartbeats are behavioural characteristics of botnets and other malware types.

In computer science, a heartbeat is a periodic signal generated by hardware or software to indicate normal operation or to synchronize other parts of a computer system. Usually a heartbeat is sent between machines at a regular interval in the order of seconds.

A heartbeat protocol is generally used to negotiate and monitor the availability of a resource, such as a floating IP address. Typically when a heartbeat starts on a machine, it will perform an election process with other machines on the heartbeat network to determine which machine, if any, owns the resource. On heartbeat networks of more than two machines, it is important to take into account partitioning, where two halves of the network could be functioning but not able to communicate with each other. In a situation such as this, it is important that the resource is only owned by one machine, not one machine in each partition.

As a heartbeat is intended to be used to indicate the health of a machine, it is important that the heartbeat protocol and the transport that it runs on are as reliable as possible. Effecting a failover because of a false alarm may, depending on the resource, be highly undesirable. It is also important to react quickly to an actual failure, so again it is important that the heartbeat is reliable. For this reason it is often desirable to have heartbeat running over more than one transport; for instance, an Ethernet segment using UDP/IP, and a serial link.
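Periodic heartbeat connections can be picked out of connection logs by how regular the gaps between connections are. The following is an added example, not the product's own heuristic: it groups connections per source and destination and reports pairs whose intervals are nearly constant. The thresholds, function name and sample events are assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 6   # assumption: fewer connections say little about periodicity
MAX_JITTER = 0.10     # assumption: allowed spread of the gaps relative to their mean


def find_heartbeats(events, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """events: iterable of (timestamp_seconds, src_ip, dst).
    Returns {(src, dst): mean_interval_seconds} for near-periodic pairs."""
    times = defaultdict(list)
    for ts, src, dst in events:
        times[(src, dst)].append(ts)

    periodic = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        # Coefficient of variation: standard deviation of the gaps over their mean.
        # Machine-generated heartbeats score low, human browsing scores high.
        if pstdev(gaps) / avg <= max_jitter:
            periodic[pair] = round(avg, 1)
    return periodic


# Constructed sample events (not real traffic): one client calling out roughly
# every 60 seconds, and one client with irregular, user-driven connections.
SAMPLE_EVENTS = (
    [(t, "10.0.0.5", "beacon.example") for t in (0, 60, 121, 180, 241, 300, 359)]
    + [(t, "10.0.0.7", "news.example") for t in (3, 10, 95, 97, 400, 402, 1800)]
)
```

Legitimate software such as update checkers and monitoring agents is periodic too, so a hit is a reason to look at the destination, not a verdict.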

Identifies various types of network port scans.

Identifies both horizontal and vertical network port scans. Horizontal port scans are scans against a specific port on different hosts. Vertical port scans are scans against different ports, on the same host.
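The distinction between the two scan types, as an added example that is not the product's own detection code: connection attempts in one time window are counted per source, once by distinct hosts reached on the same port and once by distinct ports tried on the same host. The thresholds, function name and sample flows are assumptions made for this example.

```python
from collections import defaultdict

# Assumed thresholds for this example; tune them to the monitored network.
MIN_HOSTS = 5   # distinct targets on one port  -> horizontal scan
MIN_PORTS = 5   # distinct ports on one target  -> vertical scan


def classify_scans(flows, min_hosts=MIN_HOSTS, min_ports=MIN_PORTS):
    """flows: iterable of (src_ip, dst_ip, dst_port) connection attempts
    seen in one time window. Returns a sorted list of findings."""
    hosts_per_port = defaultdict(set)   # (src, port) -> set of destination hosts
    ports_per_host = defaultdict(set)   # (src, dst)  -> set of destination ports
    for src, dst, port in flows:
        hosts_per_port[(src, port)].add(dst)
        ports_per_host[(src, dst)].add(port)

    findings = []
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= min_hosts:
            findings.append(("horizontal", src, "port %d" % port, len(hosts)))
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= min_ports:
            findings.append(("vertical", src, "host %s" % dst, len(ports)))
    return sorted(findings)


# Constructed sample window using documentation address ranges (not real traffic).
SAMPLE_FLOWS = (
    # one source, one port, eight different hosts
    [("192.0.2.10", "198.51.100.%d" % i, 445) for i in range(1, 9)]
    # one source, one host, six different ports
    + [("192.0.2.20", "198.51.100.50", p) for p in (21, 22, 23, 80, 443, 3389)]
    # many connections, but always the same host and port: not a scan
    + [("192.0.2.30", "198.51.100.60", 443)] * 40
)
```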

Connections by instant messaging (IM) applications.

Downloads/uploads of disguised executable (.exe) files.

This type of file is often used as payload to mislead users.

Connections towards Peer-to-peer (P2P) networks.

This category includes connection patterns for various P2P networks.

HTTP requests towards dynamic DNS domains.

Persistent connections towards dynamic DNS domains may indicate infections by various backdoors and trojans.

Network-based indicators of potential malware infections.

Heuristics that are based on network-based characteristics of specific malware families, such as HTTP request structures, specific user agents and others.

Experimental heuristics.

This collection of heuristics is experimental and may require further investigation.

Indicators of potentially malicious Web shell.

Indicators of potentially malicious shell placed on a Web server by malicious actors. Used to add, modify or remove data on the compromised server.

Connections towards BitTorrent trackers.

Connections towards BitTorrent trackers based on URL structure. A BitTorrent tracker is a server that connects peers using the BitTorrent protocol.

Connections towards free hosting domains.

These environments are often used by threat actors to perform attacks, such as phishing, or to exfiltrate stolen data towards the hosting environment.

Connections towards Adware / PUP networks.

This module reports on adware and potentially unwanted program (PUP) connections. Adware and PUPs are designed to serve advertisements and may redirect your search requests to advertisement Web sites that collect marketing data about you.

Connections to blacklisted hosts, detected by means of hostnames instead of IP addresses.

This provides a means for detecting connections to malware in shared hosting environments, for example.