Vertical feeds statistics (TCA-0307-0311, 0317)

ReversingLabs Malware Detection Family Feed V2 provides information about new malware samples detected in the Spectra Intelligence system, filtered by category (industry). Categories and API codes correspond to ReversingLabs Targeted and Industry-Specific File Indicator Feeds (e.g., Financial, Retail, Exploits...).

To make that data easier to interpret, ReversingLabs compiles weekly statistics and provides them through this API (Statistics API).

Code        Feed Name
TCA-0307    APT (Advanced Persistent Threats) Statistics
TCA-0308    Financial Services Malware Statistics
TCA-0309    Retail Sector Malware Statistics
TCA-0310    Ransomware Statistics
TCA-0311    CVE Exploits Statistics
TCA-0317    Malware Configuration Statistics

This API is rate limited to 1 request per second.

Feed Statistics Query

The following endpoints are supported:

Fetch statistics for last week(s) - newly added

This query returns a list of family names and the times when they were added to a particular category. Data is available for up to the last 30 weeks, or for all time since data collection started.

GET /api/feed/malware/detection/family/v2/statistics/category/{category}/first_seen?[format=xml|json]&[all_time|weeks=0-30]

Fetch statistics for last week(s) - unique counts

This query returns how many unique new samples were added to the statistics for each malware family in a given category. Data is available for up to the last 30 weeks, or for all time since data collection started.

GET /api/feed/malware/detection/family/v2/statistics/category/{category}/counts?[format=xml|json]&[all_time|weeks=0-30]

Fetch statistics for last week(s) - top list

This query returns family names together with their respective counts for the top 20 families in the requested number of weeks. Data for up to the 30 latest weeks is available. The all-time top 20 families for the requested category can also be requested.

GET /api/feed/malware/detection/family/v2/statistics/category/{category}/top_list?[format=xml|json]&[all_time|weeks=0-30]

The request and response formats are the same for all endpoints:

Request

Path parameters:

  • category
    • Accepts one of the following: financial, retail, ransomware, apt, exploit, configuration
    • required
    • Categories correspond to ReversingLabs Targeted and Industry-Specific File Indicator Feeds. If there is no access to a category, or if a category does not exist, the response will be 403 Forbidden.

Query parameters:

  • weeks
    • The number of weeks for which the data will be retrieved. The value can be a number between 0 and 30.
    • When the parameter is not included in the request, defaults to 0 (which returns the same results as all_time).
    • If an integer from 1 to 30 is provided, data for that many latest weeks is returned.
    • optional
    • Items are included in the statistics based on the date when they were added to a particular category.
    • 30 is the maximum number of weeks for which it is guaranteed that the data is preserved.
    • The statistics will return either a list with data for each week (1-30), or a list with a single item stating that it represents all_time data.
  • format
    • Allows choosing the response format. Accepts xml or json. When the parameter is not included in the request, defaults to xml.
    • optional
  • all_time
    • If this parameter is provided instead of weeks, returns statistics for all data since collecting started.
    • optional

Response

Response example when weeks=0, or when using the all_time parameter

{
  "rl": {
    "feed": {
      "name": "string",
      "entries": []
    }
  }
}

rl.feed.entries[]

{
  "all_time": true,
  "category": "string",
  "entries": []
}
  • all_time
    • Indicates whether the response includes statistics for all time. Returns true if the optional all_time parameter was included in the request.
  • week
    • Indicates the week number for which statistics are returned. It is not included in the response if the request contained the all_time parameter.
    • The format is ISO week number YYYY-Ww. For example, week 30 in 2018 would be "2018-W30".
  • category
    • Indicates the category for which statistics are returned.

rl.feed.entries[].entries[]

{
  "family_name": "string",
  "first_seen": "string",
  "scanner_coverage": {
    "entries": [
      {
        "percent": 0.0,
        "name": "string"
      }
    ]
  }
}
  • family_name
    • Name of the detected malware family.
  • count
    • The number of unique occurrences of this family name in a given category.
  • first_seen
    • Date and time when the item was first seen (UTC).
  • scanner_coverage
    • Returned only for the exploit category.
    • For every item in the statistics, includes percent and name fields. Names correspond to the antivirus scanners used to scan the sample. The percentage indicates how confident a specific scanner is that the particular sample belongs to an exploit family.
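The parameter rules above and the first_seen response shape, as an added Python example that is not part of the ReversingLabs documentation or any ReversingLabs SDK: it builds a request path that satisfies the documented constraints (category set, weeks range, weeks/all_time exclusivity), then groups a first_seen response by ISO week and checks that each timestamp actually falls inside the week it is reported under. The sample response is constructed; the base path is the one on this page, and a real client would still add authentication and the 1 request/second pacing.

```python
import re
from datetime import date, datetime, timedelta

BASE = "/api/feed/malware/detection/family/v2/statistics/category"
CATEGORIES = {"financial", "retail", "ransomware", "apt", "exploit", "configuration"}
ENDPOINTS = {"first_seen", "counts", "top_list"}


def build_path(category, endpoint, weeks=None, all_time=False, fmt="json"):
    """Build a request path, enforcing the parameter rules the docs state."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")  # server would answer 403
    if endpoint not in ENDPOINTS or fmt not in ("xml", "json"):
        raise ValueError("unknown endpoint or format")
    if all_time and weeks is not None:
        raise ValueError("all_time and weeks are mutually exclusive")
    if weeks is not None and not 0 <= weeks <= 30:
        raise ValueError("weeks must be an integer from 0 to 30")
    path = f"{BASE}/{category}/{endpoint}?format={fmt}"
    if all_time:
        return path + "&all_time"
    return path if weeks is None else path + f"&weeks={weeks}"


def parse_first_seen(response):
    """Group a first_seen response by ISO week and verify each timestamp
    falls inside the week the entry is reported under (UTC dates)."""
    by_week = {}
    for period in response["rl"]["feed"]["entries"]:
        week = period["week"]  # e.g. "2017-W20"; absent in all_time responses
        m = re.fullmatch(r"(\d{4})-W(\d{2})", week)
        if not m:
            raise ValueError(f"bad ISO week label {week!r}")
        monday = date.fromisocalendar(int(m[1]), int(m[2]), 1)
        for entry in period["entries"]:
            seen = datetime.strptime(entry["first_seen"], "%Y-%m-%d %H:%M:%S")
            if not monday <= seen.date() < monday + timedelta(days=7):
                raise ValueError(f"{entry['family_name']} dated {seen} outside {week}")
            by_week.setdefault(week, []).append(entry["family_name"])
    return by_week


# Constructed sample modelled on the first_seen response example in the docs.
SAMPLE = {"rl": {"feed": {"name": "Verticals Statistics First Seen", "entries": [
    {"week": "2017-W20", "category": "exploit", "entries": [
        {"family_name": "FAMILY_A", "first_seen": "2017-05-15 00:58:12"},
        {"family_name": "FAMILY_B", "first_seen": "2017-05-15 20:21:40"}]},
    {"week": "2017-W21", "category": "exploit", "entries": [
        {"family_name": "FAMILY_C", "first_seen": "2017-05-25 20:40:07"}]}]}}}
```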

Examples

Request Examples

Fetching the latest counts for apt and exploit categories in JSON format:

/api/feed/malware/detection/family/v2/statistics/category/apt/counts?format=json&weeks=1
/api/feed/malware/detection/family/v2/statistics/category/exploit/counts?format=json&weeks=1

Fetching the all-time top list for apt, exploit and financial categories in XML format:

/api/feed/malware/detection/family/v2/statistics/category/apt/top_list
/api/feed/malware/detection/family/v2/statistics/category/exploit/top_list?format=xml&all_time
/api/feed/malware/detection/family/v2/statistics/category/financial/top_list?format=xml&weeks=0

Fetching families added in the last 3 weeks for retail and financial categories in JSON format:

/api/feed/malware/detection/family/v2/statistics/category/retail/first_seen?format=json&weeks=3
/api/feed/malware/detection/family/v2/statistics/category/financial/first_seen?format=json&weeks=3

Response Examples

{
  "rl": {
    "feed": {
      "name": "Verticals Statistics Top List",
      "entries": [
        {
          "all_time": true,
          "category": "apt",
          "entries": [
            { "count": 1229365, "family_name": "FAMILY_NAME" },
            { "count": 786435, "family_name": "FAMILY_NAME" },
            { "count": 219329, "family_name": "FAMILY_NAME" },
            { "count": 115916, "family_name": "FAMILY_NAME" },
            { "count": 76910, "family_name": "FAMILY_NAME" },
            { "count": 10765, "family_name": "FAMILY_NAME" },
            { "count": 10386, "family_name": "FAMILY_NAME" },
            { "count": 4957, "family_name": "FAMILY_NAME" },
            { "count": 3089, "family_name": "FAMILY_NAME" },
            { "count": 2847, "family_name": "FAMILY_NAME" },
            { "count": 2300, "family_name": "FAMILY_NAME" },
            { "count": 1109, "family_name": "FAMILY_NAME" },
            { "count": 989, "family_name": "FAMILY_NAME" },
            { "count": 755, "family_name": "FAMILY_NAME" },
            { "count": 608, "family_name": "FAMILY_NAME" },
            { "count": 603, "family_name": "FAMILY_NAME" },
            { "count": 445, "family_name": "FAMILY_NAME" },
            { "count": 423, "family_name": "FAMILY_NAME" },
            { "count": 315, "family_name": "FAMILY_NAME" },
            { "count": 268, "family_name": "FAMILY_NAME" }
          ]
        }
      ]
    }
  }
}

{
  "rl": {
    "feed": {
      "name": "Verticals Statistics Top List",
      "entries": [
        {
          "category": "exploit",
          "all_time": true,
          "entries": [
            {
              "count": 132278,
              "family_name": "CVE-2008-2992",
              "scanner_coverage": {
                "entries": [
                  { "percent": 95.013291846660422, "name": "SCANNER_NAME" },
                  { "percent": 97.528924870857622, "name": "SCANNER_NAME" },
                  { "percent": 95.035948403467955, "name": "SCANNER_NAME" },
                  { "percent": 94.961936984563337, "name": "SCANNER_NAME" }
                ]
              }
            }
          ]
        }
      ]
    }
  }
}

{
  "rl": {
    "feed": {
      "name": "Verticals Statistics First Seen",
      "entries": [
        {
          "week": "2017-W20",
          "category": "exploit",
          "entries": [
            { "family_name": "FAMILY_NAME", "first_seen": "2017-05-15 00:58:12" },
            { "family_name": "FAMILY_NAME", "first_seen": "2017-05-15 14:13:35" },
            { "family_name": "FAMILY_NAME", "first_seen": "2017-05-15 20:21:40" }
          ]
        },
        {
          "week": "2017-W21",
          "category": "exploit",
          "entries": [
            { "family_name": "FAMILY_NAME", "first_seen": "2017-05-25 20:40:07" },
            { "family_name": "FAMILY_NAME", "first_seen": "2017-05-23 22:03:20" },
            { "family_name": "FAMILY_NAME", "first_seen": "2017-05-25 16:23:07" }
          ]
        }
      ]
    }
  }
}