stealth_malware to match taxonomy namespace

pull/47/head
Alexandre Dulaunoy 2016-10-29 11:45:37 +02:00
parent c4d4e75548
commit bed7f3004a
2 changed files with 72 additions and 0 deletions

35
stealth_malware/README.md Normal file

@ -0,0 +1,35 @@
# Stealth Malware Taxonomy
## Malware Types
All malware samples should be classified into one of the categories listed in the table below.
<dl>
<dt>Type 0</dt>
<dd>No OS or system compromise. The malware runs as a normal user process using only official API calls.<dd>
<dt>Type I</dt>
<dd>The malware modifies constant sections of the kernel and/or processes such as code sections.<dd>
<dt>Type II</dt>
<dd>The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections.<dd>
<dt>Type III</dt>
<dd>The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques.<dd>
</dl>
# Machine-parsable Stealth Malware Taxonomy
The repository contains a [JSON file including the machine-parsable tags](machinetag.json)
along with their human-readable description. The software can use both
representation on the user-interface and store the tag as machine-parsable.
~~~~
stealth_malware:type="II"
~~~~
Based on:
https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf
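Review bot: the four description lines in the `<dl>` end with a second opening `<dd>` instead of a closing `</dd>` (for example `<dd>No OS or system compromise. ... official API calls.<dd>`), so none of the descriptions is ever closed and the definition list will not render as intended; change the trailing `<dd>` on each of those lines to `</dd>`. Also worth a sentence near the `~~~~` example: state that the tag form is namespace:predicate="value", so a reader can map `stealth_malware:type="II"` onto the namespace, the `type` predicate and the `II` entry defined in machinetag.json.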


@ -0,0 +1,37 @@
{
"namespace": "stealth_malware",
"description": "Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf",
"version": 1,
"refs": [
"https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf"
],
"predicates": [
{
"value": "type",
"expanded": "Stealth technique type"
}
],
"values": [
{
"predicate": "type",
"entry": [
{
"value": "0",
"expanded": "No OS or system compromise. The malware runs as a normal user process using only official API calls."
},
{
"value": "I",
"expanded": "The malware modifies constant sections of the kernel and/or processes such as code sections."
},
{
"value": "II",
"expanded": "The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections."
},
{
"value": "III",
"expanded": "The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques."
}
]
}
]
}
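Review bot: the README says every sample is classified into exactly one of the four types, but nothing in this JSON expresses that the `type` predicate is exclusive, so a consumer could attach `stealth_malware:type="0"` and `stealth_malware:type="II"` to the same sample; if the taxonomy format supports marking a predicate as exclusive, set that on the `type` predicate here, otherwise state the one-type-per-sample rule in its "expanded" text. Minor: the paper URL is repeated inside "description" and again in "refs"; keeping it only in "refs" avoids the two copies drifting apart on a later edit.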