From afdbcb93291b308035f68375d2145a356386e571 Mon Sep 17 00:00:00 2001
From: SDOIR
Date: Tue, 5 Jul 2016 22:00:18 +0300
Subject: [PATCH] Microsoft's Computer Antivirus Research Organization implementation for malware classification
---
 ms-caro-malware/machinetag.jso | 459 +++++++++++++++++++++++++++++++++
 1 file changed, 459 insertions(+)
 create mode 100644 ms-caro-malware/machinetag.jso
diff --git a/ms-caro-malware/machinetag.jso b/ms-caro-malware/machinetag.jso
new file mode 100644
index 0000000..0c65d22
--- /dev/null
+++ b/ms-caro-malware/machinetag.jso
@@ -0,0 +1,459 @@
+{
+ "namespace": "ms-caro-malware",
+ "description": "Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology. Based on https://www.microsoft.com/en-us/security/portal/mmpc/shared/malwarenaming.aspx, https://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx, https://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx, and http://www.caro.org/definitions/index.html. Malware families are extracted from Microsoft SIRs since 2008 based on https://www.microsoft.com/security/sir/archive/default.aspx and https://www.microsoft.com/en-us/security/portal/threat/threats.aspx. Note that SIRs do NOT include all Microsoft malware families.",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "malware-type",
+ "expanded": "Malware Type: What the threat does on a computer"
+ },
+ {
+ "value": "malware-platform",
+ "expanded": "Malware Platform: Operating system that the threat is designed to work on, scripting language, macros, and other file types"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "malware-type",
+ "entry": [
+ {
+ "value": "Adware",
+ "expanded": "Adware - Software that shows you extra promotions that you cannot control as you use your PC"
+ },
+ {
+ "value": "Backdoor",
+ "expanded": "A type of trojan that gives a malicious hacker access to and control of your PC"
+ },
+ {
+ "value": "Behavior",
+ "expanded": "A type of detection based on file actions that are often associated with malicious activity"
+ },
+ {
+ "value": "BroswerModifier",
+ "expanded": "A program than makes changes to your Internet browser without your permission"
+ },
+ {
+ "value": "Constructor",
+ "expanded": "A program that can be used to automatically create malware files"
+ },
+ {
+ "value": "DDoS",
+ "expanded": "When a number of PCs are made to access a website, network or server repeatedly within a given time period. The aim of the attack is to overload the target so that it crashes and can't respond"
+ },
+ {
+ "value": "Dialer",
+ "expanded": "A program that makes unauthorized telephone calls. These calls may be charged at a premium rate and cost you a lot of money"
+ },
+ {
+ "value": "DoS",
+ "expanded": "When a target PC or server is deliberately overloaded so that it doesn't work for any visitors anymore"
+ },
+ {
+ "value": "Exploit",
+ "expanded": "A piece of code that uses software vulnerabilities to access information on your PC or install malware"
+ },
+ {
+ "value": "HackTool",
+ "expanded": "A type of tool that can be used to allow and maintain unauthorized access to your PC"
+ },
+ {
+ "value": "Joke",
+ "expanded": "A program that pretends to do something malicious but actually doesn't actually do anything harmful. For example, some joke programs pretend to delete files or format disks"
+ },
+ {
+ "value": "Misleading",
+ "expanded": "The program that makes misleading or fraudulent claims about files, registry entries or other items on your PC"
+ },
+ {
+ "value": "MonitoringTool",
+ "expanded": "A commercial program that monitors what you do on your PC. This can include monitoring what keys you press; your email or instant messages; your voice or video conversations; and your banking details and passwords. It can also take screenshots as you use your PC"
+ },
+ {
+ "value": "Program",
+ "expanded": "Software that you may or may not want installed on your PC"
+ },
+ {
+ "value": "PUA",
+ "expanded": "Potentially Unwanted Applications. Characteristics of unwanted software can include depriving users of adequate choice or control over what the software does to the computer, preventing users from removing the software, or displaying advertisements without clearly identifying their source."
+ },
+ {
+ "value": "PWS",
+ "expanded": "A type of malware that is used steal your personal information, such as user names and passwords. It often works along with a keylogger that collects and sends information about what keys you press and websites you visit to a malicious hacker"
+ },
+ {
+ "value": "Ransom",
+ "expanded": "A detection for malicious programs that seize control of the computer on which they are installed. This trojan usually locks the screen and prevents the user from using the computer. It usually displays an alert message."
+ },
+ {
+ "value": "RemoteAccess",
+ "expanded": "A program that gives someone access to your PC from a remote location. This type of program is often installed by the computer owner"
+ },
+ {
+ "value": "Rogue",
+ "expanded": "Software that pretends to be an antivirus program but doesn't actually provide any security. This type of software usually gives you a lot of alerts about threats on your PC that don't exist. It also tries to convince you to pay for its services"
+ },
+ {
+ "value": "SettingsModifier",
+ "expanded": "A program that changes your PC settings"
+ },
+ {
+ "value": "SoftwareBundler",
+ "expanded": "A program that installs unwanted software on your PC at the same time as the software you are trying to install, without adequate consent"
+ },
+ {
+ "value": "Spammer",
+ "expanded": "A trojan that sends large numbers of spam emails. It may also describe the person or business responsible for sending spam"
+ },
+ {
+ "value": "Spoofer",
+ "expanded": "A type of trojan that makes fake emails that look like they are from a legitimate source"
+ },
+ {
+ "value": "Spyware",
+ "expanded": "A program that collects your personal information, such as your browsing history, and uses it without adequate consent"
+ },
+ {
+ "value": "Tool",
+ "expanded": "A type of software that may have a legitimate purpose, but which may also be abused by malware authors"
+ },
+ {
+ "value": "Trojan",
+ "expanded": "A trojan is a program that tries to look innocent, but is actually a malicious application. Unlike a virus or a worm , a trojan doesn't spread by itself. Instead they try to look innocent to convince you to download and install them. Once installed, a trojan can steal your personal information, download more malware, or give a malicious hacker access to your PC"
+ },
+ {
+ "value": "TrojanClicker",
+ "expanded": "A type of trojan that can use your PC to click on websites or applications. They are usually used to make money for a malicious hacker by clicking on online advertisements and making it look like the website gets more traffic than it does. They can also be used to skew online polls, install programs on your PC, or make unwanted software appear more popular than it is"
+ },
+ {
+ "value": "TrojanDownloader",
+ "expanded": "A type of trojan that installs other malicious files, including malware, onto your PC. It can download the files from a remote PC or install them directly from a copy that is included in its file."
+ },
+ {
+ "value": "TrojanDropper",
+ "expanded": "A type of trojan that installs other malicious files, including malware, onto your PC. It can download the files from a remote PC or install them directly from a copy that is included in its file."
+ },
+ {
+ "value": "TrojanNotifier",
+ "expanded": "A type of trojan that sends information about your PC to a malicious hacker. It is similar to a password stealer"
+ },
+ {
+ "value": "TrojanProxy",
+ "expanded": "A type of trojan that installs a proxy server on your PC. The server can be configured so that when you use the Internet, any requests you make are sent through a server controlled by a malicious hacker."
+ },
+ {
+ "value": "TrojanSpy",
+ "expanded": "A program that collects your personal information, such as your browsing history, and uses it without adequate consent."
+ },
+ {
+ "value": "VirTool",
+ "expanded": "A detection that is used mostly for malware components, or tools used for malware-related actions, such as rootkits."
+ },
+ {
+ "value": "Virus",
+ "expanded": "A type of malware. Viruses spread on their own by attaching their code to other programs, or copying themselves across systems and networks."
+ },
+ {
+ "value": "Worm",
+ "expanded": "A type of malware that spreads to other PCs. Worms may spread using one or more of the following methods: Email programs, Instant messaging programs, File-sharing programs, Social networking sites, Network shares, Removable drives with Autorun enabled, Software vulnerabilities"
+ }
+ ]
+ },
+ {
+ "predicate": "malware-platform",
+ "entry": [
+ {
+ "value": "AndroidOS",
+ "expanded": "Android operating system"
+ },
+ {
+ "value": "DOS",
+ "expanded": "MS-DOS platform"
+ },
+ {
+ "value": "EPOC",
+ "expanded": "Psion devices"
+ },
+ {
+ "value": "FreeBSD",
+ "expanded": "FreeBSD platform"
+ },
+ {
+ "value": "iPhoneOS",
+ "expanded": "iPhone operating system"
+ },
+ {
+ "value": "Linux",
+ "expanded": "Linux platform"
+ },
+ {
+ "value": "MacOS",
+ "expanded": "MAC 9.x platform or earlier"
+ },
+ {
+ "value": "MacOS_X",
+ "expanded": "MacOS X or later"
+ },
+ {
+ "value": "OS2",
+ "expanded": "OS2 platform"
+ },
+ {
+ "value": "Palm",
+ "expanded": "Palm operating system"
+ },
+ {
+ "value": "Solaris",
+ "expanded": "System V-based Unix platforms"
+ },
+ {
+ "value": "SunOS",
+ "expanded": "Unix platforms 4.1.3 or earlier"
+ },
+ {
+ "value": "SymbOS",
+ "expanded": "Symbian operatings system"
+ },
+ {
+ "value": "Unix",
+ "expanded": "General Unix platforms"
+ },
+ {
+ "value": "Win16",
+ "expanded": "Win16 (3.1) platform"
+ },
+ {
+ "value": "Win2K",
+ "expanded": "Windows 2000 platform"
+ },
+ {
+ "value": "Win32",
+ "expanded": "Windows 32-bit platform"
+ },
+ {
+ "value": "Win64",
+ "expanded": "Windows 64-bit platform"
+ },
+ {
+ "value": "Win95",
+ "expanded": "Windows 95, 98 and ME platforms"
+ },
+ {
+ "value": "Win98",
+ "expanded": "Windows 98 platform only"
+ },
+ {
+ "value": "WinCE",
+ "expanded": "Windows CE platform"
+ },
+ {
+ "value": "WinNT",
+ "expanded": "WinNT"
+ },
+ {
+ "value": "ABAP",
+ "expanded": "Advanced Business Application Programming scripts"
+ },
+ {
+ "value": "ALisp",
+ "expanded": "ALisp scripts"
+ },
+ {
+ "value": "AmiPro",
+ "expanded": "AmiPro script"
+ },
+ {
+ "value": "ANSI",
+ "expanded": "American National Standards Institute scripts"
+ },
+ {
+ "value": "AppleScript",
+ "expanded": "compiled Apple scripts"
+ },
+ {
+ "value": "ASP",
+ "expanded": "Active Server Pages scripts"
+ },
+ {
+ "value": "AutoIt",
+ "expanded": "AutoIT scripts"
+ },
+ {
+ "value": "BAS",
+ "expanded": "Basic scripts"
+ },
+ {
+ "value": "BAT",
+ "expanded": "Basic scripts"
+ },
+ {
+ "value": "CorelScript",
+ "expanded": "Corelscript scripts"
+ },
+ {
+ "value": "HTA",
+ "expanded": "HTML Application scripts"
+ },
+ {
+ "value": "HTML",
+ "expanded": "HTML Application scripts"
+ },
+ {
+ "value": "INF",
+ "expanded": "Install scripts"
+ },
+ {
+ "value": "IRC",
+ "expanded": "mIRC/pIRC scripts"
+ },
+ {
+ "value": "Java",
+ "expanded": "Java binaries (classes)"
+ },
+ {
+ "value": "JS",
+ "expanded": "Javascript scripts"
+ },
+ {
+ "value": "LOGO",
+ "expanded": "LOGO scripts"
+ },
+ {
+ "value": "MPB",
+ "expanded": "MapBasic scripts"
+ },
+ {
+ "value": "MSH",
+ "expanded": "Monad shell scripts"
+ },
+ {
+ "value": "MSIL",
+ "expanded": ".Net intermediate language scripts"
+ },
+ {
+ "value": "Perl",
+ "expanded": "Perl scripts"
+ },
+ {
+ "value": "PHP",
+ "expanded": "Hypertext Preprocessor scripts"
+ },
+ {
+ "value": "Python",
+ "expanded": "Python scripts"
+ },
+ {
+ "value": "SAP",
+ "expanded": "SAP platform scripts"
+ },
+ {
+ "value": "SH",
+ "expanded": "Shell scripts"
+ },
+ {
+ "value": "VBA",
+ "expanded": "Visual Basic for Applications scripts"
+ },
+ {
+ "value": "VBS",
+ "expanded": "Visual Basic scripts"
+ },
+ {
+ "value": "WinBAT",
+ "expanded": "Winbatch scripts"
+ },
+ {
+ "value": "WinHlp",
+ "expanded": "Windows Help scripts"
+ },
+ {
+ "value": "WinREG",
+ "expanded": "Windows registry scripts"
+ },
+ {
+ "value": "A97M",
+ "expanded": "Access 97, 2000, XP, 2003, 2007, and 2010 macros"
+ },
+ {
+ "value": "HE",
+ "expanded": "macro scripting"
+ },
+ {
+ "value": "O97M",
+ "expanded": "Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint"
+ },
+ {
+ "value": "PP97M",
+ "expanded": "PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros"
+ },
+ {
+ "value": "V5M",
+ "expanded": "Visio5 macros"
+ },
+ {
+ "value": "W1M",
+ "expanded": "Word1Macro"
+ },
+ {
+ "value": "W2M",
+ "expanded": "Word2Macro"
+ },
+ {
+ "value": "W97M",
+ "expanded": "Word 97, 2000, XP, 2003, 2007, and 2010 macros"
+ },
+ {
+ "value": "WM",
+ "expanded": "Word 95 macros"
+ },
+ {
+ "value": "X97M",
+ "expanded": "Excel 97, 2000, XP, 2003, 2007, and 2010 macros"
+ },
+ {
+ "value": "XF",
+ "expanded": "Excel formulas"
+ },
+ {
+ "value": "XM",
+ "expanded": "Excel 95 macros"
+ },
+ {
+ "value": "ASX",
+ "expanded": "XML metafile of Windows Media .asf files"
+ },
+ {
+ "value": "HC",
+ "expanded": "HyperCard Apple scripts"
+ },
+ {
+ "value": "MIME",
+ "expanded": "MIME packets"
+ },
+ {
+ "value": "Netware",
+ "expanded": "Novell Netware files"
+ },
+ {
+ "value": "QT",
+ "expanded": "Quicktime files"
+ },
+ {
+ "value": "SB",
+ "expanded": "StarBasic (Staroffice XML) files"
+ },
+ {
+ "value": "SWF",
+ "expanded": "Shockwave Flash files"
+ },
+ {
+ "value": "TSQL",
+ "expanded": "MS SQL server files"
+ },
+ {
+ "value": "XML",
+ "expanded": "XML files"
+ }
+ ]
+ }
+ ]
+}
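Review bot: The malware-type entry `BroswerModifier` is misspelled; Microsoft's detection names use `BrowserModifier`, and since the `value` string is exactly what the machine tag carries, tags created with the typo will never match the vendor's family names and renaming the value after release breaks every tag already applied, so it should be `"value": "BrowserModifier",` before this lands. In the malware-platform list, `BAT` repeats BAS's expansion `Basic scripts` (presumably `Batch scripts` was intended) and `HTML` repeats HTA's `HTML Application scripts`; both are worth re-checking against the cited Microsoft page. The file is committed as `machinetag.jso`; if this is meant to be loaded as a MISP-style taxonomy the expected name is presumably `machinetag.json`, and the odd suffix also keeps editors and JSON validators from checking it as JSON. Minor wording in expansions: `Symbian operatings system`, `is used steal`, `a worm ,`.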