A centralized location for threat data from the Animus sensor network
mwollenweber/threat_data
Animus Threat Data Repository

Summary

This is a centralized repository for threat data collected by the Animus threat intelligence system. It contains the reports that Animus generates daily, plus a set of master files holding all data collected historically by the honeypot sensors distributed around the Internet.

Currently, Animus threat reports contain only data on SSH attackers and their tactics. Coverage of other protocols and vulnerabilities is under development.

Features

C2 Mass Scan

Animus mass scans the Internet once per week to locate known-malicious command and control servers which can serve as indicators of compromise (IOCs).

DDoS Target Tracking

Once Animus discovers a C2 server running software whose protocol it knows how to speak, it connects to that server and begins logging the distributed denial-of-service target IP addresses it hands out. This lets Animus track, in real time, who different adversary groups are targeting with denial-of-service attacks.

Threatbot

Animus collects all data in a centralized repository. This repository can be queried on a per-IP basis via a Twitter bot, @threatbot.

Threatbot parses one or more IP addresses from a tweet, queries the Animus database, and replies with a summarized report for each address. The report includes the first sighting of attacks from that IP address and the most recent attacks from it.

Additionally, Threatbot tweets once per day with a link to the daily Animus threat report. That tweet includes the total number of attacks received and the most aggressive attacker IP address of the day.
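The per-IP lookup and the daily summary described above, as an added example that is not Threatbot's own code and not a client for the Animus database. It assumes honeypot sightings are available as (timestamp, source IP, username) records; the sample records and the tweet text are constructed here, and defanged `[.]` addresses are accepted on the assumption that tweeted indicators are often written that way.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of SSH honeypot sightings as (ISO 8601 timestamp, source IP, username tried).
# This is NOT data from the Animus repository; the record layout is an assumption for this example.
SIGHTINGS = [
    ("2015-02-01T03:14:07Z", "203.0.113.7", "root"),
    ("2015-02-01T03:14:09Z", "203.0.113.7", "admin"),
    ("2015-02-01T11:52:41Z", "198.51.100.23", "root"),
    ("2015-02-02T00:05:33Z", "203.0.113.7", "root"),
    ("2015-02-02T08:22:10Z", "198.51.100.23", "pi"),
    ("2015-02-02T08:22:12Z", "198.51.100.23", "root"),
    ("2015-02-02T19:40:00Z", "192.0.2.250", "oracle"),
]

# Dotted-quad candidates; octet range is validated separately by the ipaddress module.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(text):
    """Return the distinct, valid IPv4 addresses mentioned in a tweet, in order of appearance.

    Defanged addresses written as 203[.]0[.]113[.]7 are refanged first (assumption: a
    common way indicators are posted). Candidates with an octet above 255 are dropped.
    """
    text = text.replace("[.]", ".")
    found = []
    for token in IPV4_RE.findall(text):
        try:
            ip = str(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if ip not in found:
            found.append(ip)
    return found


def ip_report(ip, sightings=SIGHTINGS):
    """Summarize one IP: attack count, first and most recent sighting, usernames tried.

    Returns None when the IP has never been seen. ISO 8601 timestamps in the same
    timezone sort correctly as strings, so no datetime parsing is needed here.
    """
    hits = [(ts, user) for ts, src, user in sightings if src == ip]
    if not hits:
        return None
    timestamps = sorted(ts for ts, _ in hits)
    return {
        "ip": ip,
        "attacks": len(hits),
        "first_seen": timestamps[0],
        "last_seen": timestamps[-1],
        "usernames": sorted({user for _, user in hits}),
    }


def daily_report(day, sightings=SIGHTINGS):
    """Aggregate one day's sightings: total attacks and the most aggressive source IP.

    `day` is a YYYY-MM-DD prefix of the timestamps. Counter.most_common breaks ties by
    first appearance, which is deterministic for a fixed input order.
    """
    day_hits = [src for ts, src, _ in sightings if ts.startswith(day)]
    if not day_hits:
        return {"day": day, "total_attacks": 0, "top_attacker": None, "top_attacker_attacks": 0}
    top_ip, top_count = Counter(day_hits).most_common(1)[0]
    return {
        "day": day,
        "total_attacks": len(day_hits),
        "top_attacker": top_ip,
        "top_attacker_attacks": top_count,
    }


def handle_tweet(text, sightings=SIGHTINGS):
    """Threatbot-style handler: one summary line per IP mentioned in the tweet."""
    lines = []
    for ip in extract_ips(text):
        r = ip_report(ip, sightings)
        if r is None:
            lines.append(f"{ip}: no attacks recorded")
        else:
            lines.append(
                f"{ip}: {r['attacks']} attack(s), first {r['first_seen']}, latest {r['last_seen']}"
            )
    return lines


if __name__ == "__main__":
    for line in handle_tweet("@threatbot what do you have on 203[.]0[.]113[.]7 and 10.0.0.1?"):
        print(line)
    print(daily_report("2015-02-02"))
```

Validating each regex match through `ipaddress.IPv4Address` matters for a bot that answers untrusted input: the dotted-quad pattern alone accepts strings such as `999.1.1.1`, and a lookup on such a string would either waste a database query or, in a less careful implementation, reach the query layer unsanitized.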

TODO

Animus will be expanding the threat reports to include data on the following threats:

  • Shellshock
  • Heartbleed
  • WordPress attacks

Additionally, Animus will begin to publish malware signatures and download links in the next revision.

Contact

If you have any questions or feedback about the Animus threat intelligence system, don't hesitate to reach out to the main developer via email or Twitter.
