Overview of a Well-Evidenced Malware Report

A well-evidenced malware report ensures that the reported abuse is escalated accurately to the registrar or registry so that they can act on it, with the aim of minimizing the harm inflicted on users. A strong report consists of the allegedly abusive domain, details of what the malware does, evidence of the reported abuse, and a brief explanation of the suspected abuse observed. Before escalating, ensure you have contacted the registrant (if they are unlikely to be the malicious actor), the hosting provider, the registrar and the registry, and have queried the WHOIS record to determine the status of the domain. Include the evidence and the correspondence from the prior level with each escalation.


The following is intended to guide users in reporting malware. CleanDNS is not responsible for any damages that stem from use, misuse, or misunderstanding of this guidance nor anything that stems from reporting the malware.


Gathering Evidence

To evidence a malware report properly, CleanDNS considers the following methods effective for gathering malware evidence. The evidence should clearly show what the malware does and how the domain is used by the malware.

  • Screenshots of the malware in action
  • Logs of the malware
  • Videos of the malware in action
  • Links or details from a sandbox tool (e.g. Any.run) depicting the malware
  • Link to a VirusTotal page, blacklist site, Any.run report, etc. that supports your claim that the domain is being used as an alleged malware site


Lastly, a brief written explanation of the observed abuse is required when submitting the abuse report. 


Submitting a Report 

A report that is too technical may not be actioned because the reviewer cannot see the connection between the evidence and the alleged abuse clearly enough; a report without enough detail is likely to be dismissed as inadequate. Once all the required information has been gathered, submit the report through the appropriate abuse form or to the abuse email address.
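As an added illustration of the procedure described above (evidence gathering, the escalation chain, and the completeness needed before submitting), the following Python script checks a draft report before it is sent to the next level. It is example code written for this page, not a CleanDNS tool; the field names, the encoding of the escalation order as a fixed tuple, the 200-word "keep it brief" threshold and the domain regex are all assumptions of the example. The SHA-256 digest of each attachment is included so that a recipient at each escalation level can confirm the evidence forwarded from the prior level is unchanged.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Escalation order taken from the guidance: registrant first (only when they are
# unlikely to be the bad actor), then hosting provider, registrar, registry.
ESCALATION_ORDER = ("registrant", "hosting_provider", "registrar", "registry")

# Evidence kinds mirroring the bullet list in the guidance (assumed labels).
EVIDENCE_KINDS = {"screenshot", "log", "video", "sandbox_report", "reputation_link"}

# Loose syntactic check for a domain name (assumption: not a full RFC 1035 parser).
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


@dataclass
class Evidence:
    kind: str
    description: str
    content: bytes = b""  # raw bytes of a screenshot / log / video, if attached
    url: str = ""         # link to a VirusTotal, blacklist or sandbox page, if referenced

    def digest(self) -> str:
        """SHA-256 of the attachment so each escalation level can verify it is unchanged."""
        return hashlib.sha256(self.content).hexdigest() if self.content else ""


@dataclass
class MalwareReport:
    domain: str
    malware_behaviour: str                      # what the malware does
    explanation: str                            # brief written explanation of the abuse
    evidence: list = field(default_factory=list)
    whois_status: str = ""                      # status taken from the WHOIS record
    contacted: list = field(default_factory=list)  # levels already contacted, in order


def validate_report(report: MalwareReport, next_level: str) -> list:
    """Return a list of problems; an empty list means the report is ready for next_level."""
    problems = []
    if not DOMAIN_RE.match(report.domain.lower().rstrip(".")):
        problems.append(f"domain '{report.domain}' is not a valid domain name")
    if not report.malware_behaviour.strip():
        problems.append("missing description of what the malware does")
    words = len(report.explanation.split())
    if words == 0:
        problems.append("missing brief written explanation of the observed abuse")
    elif words > 200:  # assumed threshold for "brief"
        problems.append("explanation is long; keep it brief so the reviewer sees the connection")
    if not report.evidence:
        problems.append("no evidence attached")
    for ev in report.evidence:
        if ev.kind not in EVIDENCE_KINDS:
            problems.append(f"unknown evidence kind '{ev.kind}'")
        if not ev.content and not ev.url:
            problems.append(f"evidence '{ev.description}' has neither an attachment nor a link")
    if not report.whois_status:
        problems.append("WHOIS status of the domain not recorded")
    if next_level not in ESCALATION_ORDER:
        problems.append(f"unknown escalation level '{next_level}'")
    else:
        prior = ESCALATION_ORDER[: ESCALATION_ORDER.index(next_level)]
        # Registrant contact is optional: it is skipped when the registrant is likely the actor.
        missing = [lvl for lvl in prior if lvl != "registrant" and lvl not in report.contacted]
        if missing:
            problems.append(
                f"escalating to {next_level} without correspondence from: {', '.join(missing)}"
            )
    return problems


def evidence_manifest(report: MalwareReport) -> list:
    """(kind, description, sha256-or-url) tuples to forward with every escalation."""
    return [(ev.kind, ev.description, ev.digest() or ev.url) for ev in report.evidence]


if __name__ == "__main__":
    # Constructed sample report; the domain and URL are placeholders, not real indicators.
    draft = MalwareReport(
        domain="malware-sample.example",
        malware_behaviour="Dropper that downloads a second stage from the domain.",
        explanation="Domain serves the second-stage payload observed in the attached log.",
        evidence=[Evidence("log", "sandbox network log", content=b"GET /stage2 HTTP/1.1\r\n"),
                  Evidence("reputation_link", "VirusTotal page", url="https://example.invalid/vt")],
        whois_status="ok",
        contacted=["registrant", "hosting_provider"],
    )
    print(validate_report(draft, "registrar"))
    print(evidence_manifest(draft))
```

Run `validate_report` once for each escalation step; a non-empty list tells you what the next recipient will find missing before they dismiss the report, and `evidence_manifest` gives the digest list to paste into the escalation e-mail alongside the prior correspondence.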