New exploit or CVE samples in the wild (daily)

This service provides per-day information about new file hashes in the Spectra Intelligence system that contain CVE or Exploit identifications. These identifiers are related to files that target vulnerabilities (i.e. that contain exploits), not files that are vulnerable. These files have been collected in the wild and indicate exploitation of their respective vulnerability. We do not have information on the efficacy, targeting or prevalence of the exploit. Unlike TCF-0201: CVEs Exploited in the Wild and TCF-0202: Reports on CVEs Exploited in the Wild, this feed contains first scans only. If a sample has been scanned, it will be included in the results for that specific day. If it was then rescanned on another day, it will not be included in the results for that day.

An exploit is an application that uses a vulnerability or a flaw in another component (be it software or hardware) to impact the target's behavior in some way. In other words, it uses or communicates with its target in an unexpected or improperly handled way, usually resulting in a behavior change in the targeted program. Exploits can be remote or local, and the payload can range from allowing remote access or gaining elevated privileges, to downloading or dropping other malware. All known exploits are described in the Common Vulnerabilities and Exposures (CVE) system. The best way to deal with exploits is to prevent attacks by regularly updating software, but there is no efficient way to cope with the threats coming from the exploits that have not yet been patched, also known as zero-day exploits.

The feed stores records for the last 365 days.

Daily Malware Exploit Feed Query

This query returns a document containing the list of malware hashes (SHA1, SHA256) with CVE and Exploit identifications and their file type description for the requested day.

If the requested day / timestamp is not within the last 365 days, the service will respond with the status code 400 Bad Request.

GET /api/feed/malware/exploit/daily/v1/query/{time_format}/{time_value}[?format=json|xml|htsv][&sample_available=true|false]

• time_format
  • Format in which the time value will be specified. Supported values are: timestamp - number of seconds since 1970-01-01 00:00:00; utc - UTC date in the YYYY-MM-DDThh:mm:ss format, date in the YYYY-MM-DD format.
  • Required
• time_value
  • Accepts values in the format set by time_format. Values that are not rounded to a full day will be rounded down to the midnight of the requested date. For example, if the time format is timestamp, querying the value 1412036355 is the same as querying 1412035200. If the time format is utc, querying the value 2014-09-30T10:32:12 is the same as querying 2014-09-30T00:00:00.
  • Required
• sample_available
  • When true, the result contains only the hashes of samples that are available for download (through Spectra Intelligence).
  • Optional
• format
  • Specifies the format in which the resulting data will be returned. Supported values are: xml (default), json, htsv (Headless Tab Separated Values, delimiter character \t 0x09).
  • Optional

"Latest" query

Use the "latest" endpoint to retrieve results from the latest day for which we have data:

GET /api/feed/malware/exploit/daily/v1/query/latest[?format=json|xml|htsv][&sample_available=true|false]

Response format

HTTP response code 404 Not Found means there were no new malware exploits in Spectra Intelligence for the requested day.

The first line of the response contains the day indicator in Unix timestamp format. Each malware sample record is listed on a separate line, with columns corresponding to SHA1, SHA256 and sample type description. The column separator is tab (t, 0x0A), and the line separator is line feed (n, 0x0A).

{"rl": 
  {"feed": 
    "entries": [
      {"sha256": "7b051ab689a9a29450dc0e752be5829b250f07ccef5ff7655751be0522fba503",
      "sha1": "a66db9f2b63a2b17ad8a29754bd7eea5c4427a6b",
      "sample_type": "Description of the file"},
      "..."
      ]
  }
}

Examples

These examples request different response formats and use different time formats.

Fetching new malware detections between 2014-09-29 00:00:01 and 2014-09-30 00:00:00

/api/feed/malware/exploit/daily/v1/query/timestamp/1412035200
/api/feed/malware/exploit/daily/v1/query/utc/2014-09-30T00:00:00
/api/feed/malware/exploit/daily/v1/query/date/2014-09-30

In this case, the hour will be floor rounded to the midnight of the requested day (same as querying 1412035200):

/api/feed/malware/exploit/daily/v1/query/timestamp/1412036555

In this case, the hour will be floor rounded to the midnight of the requested day (same as querying 2014-14-30T00:00:00):

/api/feed/malware/exploit/daily/v1/query/utc/2014-09-30T12:13:14

Fetching new malware detections from 2014-09-29 00:00:01 till 2014-09-30 00:00:00 for which samples are available for download

/api/feed/malware/exploit/daily/v1/query/timestamp/1412035200?sample_available=true
/api/feed/malware/exploit/daily/v1/query/date/2014-09-18?sample_available=true

Fetching the list of the latest detections in JSON and XML format

/api/feed/malware/exploit/daily/v1/query/latest?format=json
/api/feed/malware/exploit/daily/v1/query/**latest?format=xml**