The Shadowserver Foundation

This section lists each of the current operational divisions within Shadowserver. The basic roles and responsibilities of each divison is listed as well.

Within some teams, are several volunteer security consultants that are instrumental to the overall responsibilities of their team.


Online identity theft, phishing and credit card theft are an overwhelming part of the internet underground. The eFraud Division sifts through this underground to gather and process intelligence that can assist the appropriate authorities in shutting down these operations. These reports are regularly fielded directly to law enforcement and banks in order to limit loss.

Responsibilities include:

  • Creating and maintaining maildrops to harvest spam / phishing
  • Monitoring known credit card and keylogger networks
  • Establishing and maintaining working relationships with LE and CC organizations.
  • Redundant backups of all logs in accordance with strong encryption standards.

Botnet Intelligence

Our initial focus and most popular division is related to botnet intelligence. Botnets are used as a weapon in online crime. From DDoS attacks, spam email, identity theft through keyloggers, and the spreading of malware these nets are the mafia of the internet. At any given time there are over 100 networks under constant surveillance, with many more checked up on regularly.

Responsibilities include:

  • Ensuring that all reported botnets are entered into the ticketing system.
  • Updating the status of assigned botnets.
  • The timely processing of newly submitted tickets or reports.
  • Reviewing botnet logs for patterns, activity, and other intelligence.
  • Sending abuse and notification emails to the appropriate providers.
  • Maintaining and building working relationships with LEO, service providers, and other security oriented organizations.
  • Forwarding malware to the Shadowserver malware team.
  • Redundant backups of all logs according to strong encryption standards.


This division focuses on disassembly and reverse engineering viruses, trojans, and other types of hostile code. Several thousand files have been reverse engineered by this division. They currently boast an impressive repository consisting of over 32,000 sample binaries, and over 12,000 unique viruses!

Additional Responsibilities include:

  • Establishing and maintaining contacts with antivirus or spyware vendors including BleedingSnort.
    • Offer samples of undetected malware if required.
  • Obtaining licenses for antivirus products.
  • Processing or working all malware provided by the honeypot or botnet team.
  • Manually analyzing hostile code if automated sandboxing fails ie. advanced redpill, timeout, etc.


The primary focus is to collect malware, phishing scams and other data which is later examined by the other divisions. With honeypots spreading to nearly every part of the world, we are likely to see events as they happen, rather than reporting on them days or weeks later.

Additional Responsibilities include:

  • Establishing new honeypots, not limited to Nepenthes
  • Scrubbing Searchirc,, Google API, etc. for malware.
  • Establishing email drops and trolling with those drops on newgroup and forum sites.
  • Locating bot sources and exploits.
  • Evaluating new exploits.
  • Establish and maintain working relationship with groups such as Nepenthes and iDefense.
  • Maintain autosubmission process to the Malware team.

The Toyshop

The Toyshop builds and enhances custom applications and reports to benefit overall Shadowserver operations.

Other responsibilities include:

  • Automation of processes and reports.
  • Researching and developing workarounds for advanced redpill or other vm detection.
  • Studying the feasibility of other back-end projects for future development.

Web Administration (part of Toyshop)

Responsibilities include:

  • Maintaining the content on the Shadowserver website.
  • Maintenance of the Shadowserver mailing lists.

Executive Team

Aside from assisting in the management and operation of each Shadowserver Division, the Executive team is also responsible for:

  • Providing overall direction and management for the Shadowserver Foundation.
  • Press releases and interview coordination.
  • Protection of assets and staff.
  • Building and developing relationships with outside organizations such as vendors, service providers, and LEO.
  • The release and dissemination of Shadowserver intelligence.
  • All business and financial matters related to the non-profit operation of The Shadowserver Foundation.

<< Standards and Guidelines | Shadowserver | Calendar >>