OUR MISSION
abuse.ch is a research project at Institute for Cybersecurity and Engineering ICE hosted at the Bern University of Applied Sciences (BFH) in Switzerland. It was initially based on a private initiative of a random Swiss guy that wanted to fight cyber crime for the good of the internet. Today, the project fully relies on donations to cover infrastructure costs and paying salaries.
The project's main goal is to identify and track cyber threats, with a strong focus on malware and botnets. Being a non-profit project, we not only publish actionable open source threat intelligence but also develop and operate platforms for IT security researchers and experts enabling them sharing relevant threat intel data with the community.
Today, data from abuse.ch is already integrated in many commercial and open source security products. Vendors of security software and services rely on our data to protect their customers. But it doesn't stop there: organizations, internet service providers (ISPs), law enforcement and government entities consume data from abuse.ch to fight cyber threats targeting their constituency.
Public services and platforms abuse.ch operates:
Sharing malware samples with the community, AV vendors and threat intelligence providers
Tracking botnet C&C infrastructure associated with Emotet, Dridex and TrickBot
Collecting and providing a blocklist for malicious SSL certificates and JA3/JA3s fingerprints
Sharing malware distribution sites with the community, AV vendors and threat intelligence providers
Sharing indicators of compromise (IOCs) the community and threat intelligence providers
BLOG
abuse.ch gets a new home at BFH
Published on 1st June 2021, 07:25:31 UTC
In October 2020, I've described the challenges I'm facing with operating abuse.ch as a non-profit project. I've also draw a plan for the future of abuse.ch that was collecting sufficient funds to turn abuse.ch into a research project. Today, I'm very excited to announce that the fund raising was successful and that as of April 15th 2021, abuse.ch became a research project at Institute for Cybersecurity and Engineering ICE hosted at the Bern University of Applied Sciences (BFH) in Switzerland.
Read on >Introducing ThreatFox
Published on 8th March 2021, 12:41:55 UTC
In 2018, I've launched URLhaus - a platform where security researchers and threat analysts can share malware distribution sites with the community. A year ago, in March 2020, the launch of MalwareBazaar enabled the community to share malware samples with others and hunt for such by e.g. using YARA rules. The goal of abuse.ch always was to make threat intelligence easy accessible for everyone - for free, and without the need of a registration on a platform.
Read on >Moving Forward
Published on 26th October 2020, 13:45:09 UTC
13 years ago, I started to look at malware samples in my spare time that occasionally hit my personal mailbox. I've decided to document my findings in a blog, and abuse.ch was born. In the same year, ZeuS (aka Zbot) appeared. Sold on the dark web, it quickly became one of the most popular crimeware kits for cyber criminals to commit ebanking fraud and identity theft. Due to the rise of ZeuS in 2008/2009, I decided to create my first project: ZeuS Tracker.
Read on >Introducing MalwareBazaar
Published on 17th March 2020, 12:29:31 UTC
Almost two years ago, I've launched URLhaus with the goal of collecting malware distribution sites. With more than 300,000 malware distribution sites tracked, the project still is a great success. However, over the past weeks, I've been focusing my efforts on a new project. And here' it is: MalwareBazaar! MalwareBazaar collects known malicious malware sample, enriches them with additional intelligence and provides them back to the community - for free!
Read on >Using URLhaus as a Response Policy Zone (RPZ)
Published on 14th June 2019, 09:46:12 UTC
A few days ago, URLhaus, cracked 200,000 malware URLs tracked. The majority of the malware sites tracked by URLhaus are related to Emotet (aka Heodo), followed by Mirai, Gayfgyt and Gozi ISFB (aka Ursnif). But there are many other threats being tracked with the help of the infosec community. There are several ways how to utilize the data generated by the community to protect your network and users. This blog post is a short tutorial on how to use URLhaus as a DNS Response Policy Zone (RPZ). What is RPZ? RPZ is a way to rewrite or block responses to DNS queries. It is sometimes also refered as DNS Firewall, as it allows system administrators to block access to certain domain names.
Read on >How to Takedown 100,000 Malware Sites
Published on 21th January 2019, 11:23:48 UTC
End of March 2018, abuse.ch launched it's most recent project called URLhaus. The goal of URLhaus is to collect and share URLs that are being used for distributing malware. The project is a huge success: with the help of the community, URLhaus was able to takedown almost 100,000 malware distribution sites within just 10 months! During that time, 265 security researchers located all over the world have identified and submitted in average 300 malware sites to URLhaus each day, helping others to protect their network and users from malware campaigns.
Read on >STATISTICS
Most seen Malware
| # | Malware |
|---|---|
| 1 | Quakbot |
| 2 | Zatoxp |
| 3 | Worm.Soulclose |
| 4 | Blackmoon |
| 5 | Worm.Vobfus |
| 6 | Downloader.Upatre |
| 7 | Emotet |
| 8 | RedLineStealer |
| 9 | AgentTesla |
| 10 | Formbook |
Analysed File Types
| Malware Samples | File Type |
|---|---|
| 12512 | exe |
| 1492 | dll |
| 1110 | xlsb |
| 245 | xlsm |
| 158 | xlsx |
| 141 | xls |
| 140 | doc |
| 127 | rtf |
| 12 | docx |
| 7 | docm |