New exploit or CVE samples in the wild (hourly) (TCF-0203)
This service provides a list of new file hashes that contain CVE or Exploit Identification and that are detected within the requested one-hour period in the Spectra Intelligence system. These identifiers are related to files that target vulnerabilities (i.e. that contain exploits), not files that are vulnerable. These files have been collected in the wild and indicate exploitation of their respective vulnerability. We do not have information on the efficacy, targeting or prevalence of the exploit. Information about the file download availability is included. Unlike TCF-0201: CVEs Exploited in the Wild and TCF-0202: Reports on CVEs Exploited in the Wild, this feed contains first scans only. If a sample has been scanned, it will be included in the results for that specific hour. If it was then rescanned, it will not be included again.
An exploit is an application that uses a vulnerability or a flaw in another component (be it software or hardware) to impact the target's behavior in some way. In other words, it uses or communicates with its target in an unexpected or improperly handled way, usually resulting in a behavior change in the targeted program. Exploits can be remote or local, and the payload can range from allowing remote access or gaining elevated privileges, to downloading or dropping other malware. All known exploits are described in the Common Vulnerabilities and Exposures (CVE) system. The best way to deal with exploits is to prevent attacks by regularly updating software, but there is no efficient way to cope with the threats coming from the exploits that have not yet been patched, also known as zero-day exploits.
The feed stores records for the last 365 days.
Hourly Malware Detection Exploit Feed Query
This query returns a recordset containing a list of malware samples that contain CVE or Exploit identifications and that were detected within the requested hour.
The one-hour period is calculated upwards from the user's input. The input is rounded down to the nearest full hour.
For example, the time value of 11:22 will be rounded down to 11:00 and the query will return the results for the period between 11:00 and 12:00.
To search for detections between 13:00 and 14:00, it is enough to input any value between those two hours as the time value (13:19, 13:33, 13:54…). To search for detections between 14:52 and 15:52, two queries would need to be sent (one for detections between 14:00 and 15:00, and another for 15:00 to 16:00).
If the requested hour / timestamp is not within the last 365 days, the service will respond with the status code 400 Bad Request.
GET /api/feed/malware/detection/exploit/hourly/v2/query/{time_format}/{time_value}[?format=xml|json|tsv][&sample_available=true|false][&active_cve=true|false]
time_format
- Format in which the time value will be specified. Supported values are: timestamp - number of seconds since 1970-01-01 00:00:00; utc - UTC date in the YYYY-MM-DDThh:mm:ss format
- Required
time_value
- Accepts values in the format set by time_format. Values that are not provided as a full hour will be rounded down to the closest full hour. For example: time_value 1415714400 for time_format timestamp is the same as querying 1398517200; time_value 2014-11-11T18:33:22 for time_format utc is the same as 2014-11-11T18:00:00
- Required
sample_available
- When true, the result contains only the hashes of samples that are available for download (through Spectra Intelligence SamPle EXchange service)
- Optional
format
- Specifies the format in which the resulting data will be returned. Supported values are: xml (default), json, tsv (Tab Separated Values, delimiter character \t, 0x09)
- Optional
active_cve
- When true (default), returns only exploits with active CVE identifiers. When false, returns only exploit candidates.
- Optional
"Latest" query
The endpoint below returns the results from the latest hour for which we have data:
GET /api/feed/malware/detection/exploit/hourly/v2/query/latest[?format=xml|json|tsv][&sample_available=true|false][&active_cve=true|false]
Response format
HTTP response code 404 Not Found means that there were no new exploit malware detections in the given hour in Spectra Intelligence.
rl > feed > entries
scanner_count
- Number of scanners used in the last scan
first_seen_on
- Indicates the date and time when the sample was first uploaded to the system, or when it has received a scan result for the first time
cve_id
- Contains the Common Vulnerabilities and Exposures (CVE) identifier. Only available for samples with active CVE status, not for candidates.
scanner_percent
- Percent of scanners that detected malware in the last scan
md5
- MD5 hash of the sample
sha1
- SHA1 hash of the sample
record_on
- Date when the entry was added to the feed
scanner_match
- Number of scanners that detected malware in the last scan
last_seen_on
- Indicates the date and time when the sample was last uploaded to the system, or the date and time of the last scan result it has received
sample_type
- A description of the file
active_cve
- Whether or not the sample holds the active CVE identification
sha256
- SHA256 hash of the sample
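The hour-rounding rules, the retention check and the rl > feed > entries response layout described above, as an added example that is not part of the original documentation or of the Spectra Intelligence client: a small Python helper that floors a timestamp the way the service does, works out which hour queries cover an arbitrary window (e.g. 14:52 to 15:52 needs two), builds the query path, and parses a constructed JSON response. The response body, the fixed "now" value and the hash values are constructed for illustration.

```python
import json
from urllib.parse import urlencode

BASE = "/api/feed/malware/detection/exploit/hourly/v2/query"  # path from the page
RETENTION_DAYS = 365  # feed keeps records for the last 365 days


def floor_to_hour(ts):
    """Round a UNIX timestamp down to the full hour, as the service does."""
    return ts - (ts % 3600)


def hours_covering(start_ts, end_ts):
    """Hour-start timestamps needed to cover [start_ts, end_ts): one query each."""
    first = floor_to_hour(start_ts)
    last = floor_to_hour(end_ts - 1) if end_ts > start_ts else first
    return list(range(first, last + 1, 3600))


def build_query(ts, now, fmt="json", sample_available=None, active_cve=None):
    """Build the timestamp-form query path; refuse hours the service would 400."""
    hour = floor_to_hour(ts)
    if hour < now - RETENTION_DAYS * 86400 or hour > now:
        raise ValueError("hour outside the 365-day retention window (service answers 400)")
    params = {"format": fmt}
    if sample_available is not None:
        params["sample_available"] = "true" if sample_available else "false"
    if active_cve is not None:
        params["active_cve"] = "true" if active_cve else "false"
    return f"{BASE}/timestamp/{hour}?{urlencode(params)}"


def parse_entries(status, body):
    """Extract rl > feed > entries; a 404 means no new detections in that hour."""
    if status == 404:
        return []
    entries = json.loads(body)["rl"]["feed"]["entries"]
    return [{"sha256": e["sha256"], "cve_id": e.get("cve_id"),  # cve_id absent for candidates
             "active_cve": e["active_cve"],
             "detection_ratio": e["scanner_match"] / e["scanner_count"]} for e in entries]


# Constructed sample response (not real feed data), shaped after the field list above.
SAMPLE_BODY = json.dumps({"rl": {"feed": {"entries": [{
    "sha256": "a" * 64, "sha1": "b" * 40, "md5": "c" * 32,
    "cve_id": "CVE-0000-0000", "active_cve": True, "sample_type": "PE/Exe",
    "scanner_count": 40, "scanner_match": 30, "scanner_percent": 75.0,
    "first_seen_on": "2014-11-20T13:10:00", "last_seen_on": "2014-11-20T13:10:00",
    "record_on": "2014-11-20T13:12:00"}]}}})
```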
Examples
Retrieving new exploit malware detections between 2014-11-20 13:00:00 and 2014-11-20 13:59:59
/api/feed/malware/detection/exploit/hourly/v2/query/timestamp/1416488400
/api/feed/malware/detection/exploit/hourly/v2/query/utc/2014-11-20T13:00:00
In this case, the hour value in the timestamp format will be rounded down to midnight of the requested day (same as querying 1416488400):
/api/feed/malware/detection/exploit/hourly/v2/query/timestamp/1416487800
Retrieving new exploit malware detections between 2014-11-20 13:00:00 and 2014-11-20 13:59:59 with active CVE identifiers only
/api/feed/malware/detection/exploit/hourly/v2/query/timestamp/1416488400?active_cve=true
Retrieving new exploit malware detections between 2014-07-24 12:00:01 and 2014-07-24 13:00:00 in JSON and XML format with the sample_available option
/api/feed/malware/detection/exploit/hourly/v2/query/timestamp/1406204891?format=json&sample_available=true
/api/feed/malware/detection/exploit/hourly/v2/query/timestamp/1406203200?format=xml&sample_available=true
Retrieving the latest exploit malware detections in JSON and XML format
/api/feed/malware/detection/exploit/hourly/v2/query/latest?format=json
/api/feed/malware/detection/exploit/hourly/v2/query/latest?format=xml
Retrieving the latest exploit malware detections in XML and JSON with the active_cve option
/api/feed/malware/detection/exploit/hourly/v2/query/latest?format=json&active_cve=true
/api/feed/malware/detection/exploit/hourly/v2/query/latest?format=xml&active_cve=true