Animus Threat Data Repository

Summary

This is a centralized repository for threat data collected by the Animus threat intelligence system. This repository contains reports generated by the Animus system on a daily basis. Additionally, this repository contains a set of master files which include all data collected historically by the honeypot sensors distributed around the Internet.

Currently, Animus threat reports only contain data on SSH threat actors and their tactics. Coverage of other attack methods and vulnerabilities is under development.

Stats

The following are some numbers surrounding Animus activity to date. These stats were last updated on September 28, 2015. All activity is fully automated.

  • Attacker IP addresses collected: 27545
  • Total SSH attempts observed: 36660857
  • Unique malware samples captured: 1800
  • Malicious domains identified: 499
  • Unique passwords collected from sensors: 885960
  • Unique usernames collected from sensors: 38507
  • SSH library versions observed from SSH bruteforce tools: 207

Features

Current version: 0.1.1 - Added malware URLs to Animus Threat Report

Attacker IP address threat feed

Animus publishes daily reports containing attacker IP addresses, which can be preemptively blocked in your environment.

Malware Artifact Reporting

Animus threat reports include a list of all URLs attackers attempted to download malware from.

C2 Mass Scan

Animus mass scans the Internet once per week to locate known-malicious command and control servers which can serve as indicators of compromise (IOCs).

DDOS Target Tracking

Once Animus discovers a C2 server running software it knows how to communicate with, it connects to that C2 server and begins logging the distributed denial-of-service target IP addresses it hands out. This allows Animus to track, in real time, whom different adversary groups are targeting with denial-of-service attacks.

Threatbot

Animus collects all data in a centralized repository. This repository can be queried on a per-IP basis via a Twitter bot, @threatbot.

Threatbot will parse one or more IP addresses out of a tweet, query the Animus database, and reply with a summarized report for each IP address. The report includes the first sighting of attacks from that IP address and the most recent attacks from it.
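The two pieces of behaviour described above, the daily attacker-IP feed and the per-IP lookup that @threatbot performs, come down to the same small pipeline: pull IP addresses out of free text, discard anything that cannot be an attacker source, and summarize the sightings stored for each address. The following is an added illustration written for this page; it is not Animus's own code, and the sighting record layout, the field names and the sample addresses (RFC 5737 documentation ranges) are all constructed assumptions, since the real report format is not documented here.

```python
"""Added example (not part of the Animus project): extract attacker IPs from a
tweet or report, validate them, and summarize their honeypot sightings."""
import ipaddress
import re
from datetime import datetime

# Constructed sample of SSH honeypot sightings as (UTC timestamp, attacker IP,
# username tried). The real Animus record format is an assumption here.
SIGHTINGS = [
    ("2015-09-20T01:12:03Z", "203.0.113.7", "root"),
    ("2015-09-25T14:40:51Z", "203.0.113.7", "admin"),
    ("2015-09-28T03:05:19Z", "203.0.113.7", "root"),
    ("2015-09-28T09:17:44Z", "198.51.100.22", "oracle"),
]

# Loose IPv4 shape; ipaddress.ip_address() does the real validation afterwards.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ranges that can never be a remote attacker source and must not end up in a
# blocklist. The RFC 5737 documentation ranges are deliberately *not* excluded
# so the constructed sample above is treated as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def extract_ips(text):
    """Return the distinct, plausible attacker IPv4 addresses mentioned in text."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(ip in net for net in NON_ROUTABLE) or str(ip) in found:
            continue
        found.append(str(ip))
    return found


def summarize(ip, sightings=SIGHTINGS):
    """Build the per-IP report threatbot replies with: first and most recent sighting."""
    times = sorted(datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ")
                   for t, src, _ in sightings if src == ip)
    if not times:
        return {"ip": ip, "known": False}
    usernames = sorted({u for _, src, u in sightings if src == ip})
    return {"ip": ip, "known": True, "attempts": len(times),
            "first_seen": times[0].isoformat(), "last_seen": times[-1].isoformat(),
            "usernames": usernames}


def reply_for_tweet(text, sightings=SIGHTINGS):
    """One summary per IP address found in the tweet, in order of appearance."""
    return [summarize(ip, sightings) for ip in extract_ips(text)]


def daily_blocklist(day, sightings=SIGHTINGS):
    """Attacker IPs seen on a given day (YYYY-MM-DD): what a daily feed would publish."""
    return sorted({src for t, src, _ in sightings if t.startswith(day)})


if __name__ == "__main__":
    for report in reply_for_tweet("@threatbot seen anything from 203.0.113.7 or 198.51.100.22?"):
        print(report)
    print("block today:", daily_blocklist("2015-09-28"))
```

The validation step matters on the consuming side as much as on the publishing side: a feed that is fed straight into firewall rules must never contain loopback, RFC 1918 or multicast addresses, or a single malformed line can cut off internal traffic.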

Threatbot will tweet once per day with a link to the daily Animus threat report. This tweet will include the total number of attacks received, as well as the most aggressive attacker IP address of the day.

Threatbot will also tweet once per day with a summary of the malware URLs captured.

TODO

Animus will be expanding the threat reports to include data on the following threats:

  • Shellshock
  • Heartbleed
  • WordPress attacks

Version History

Current: 0.1.1

  • 0.1.1 - Added malware URLs to Animus Threat Report
  • 0.1.0 - Initial version, publish reports on SSH attacker IP addresses and surrounding metadata.

Contact

If you have any questions or feedback about the Animus threat intelligence system, don't hesitate to reach out to the main developer via email or Twitter.

License

All rights reserved by Andrew Morris under Creative Commons Non-Commercial 4.0 license, 2014-2015.
Contact me if you'd like to use this data for commercial purposes.
