Europol recently took control of the Ramnit botnet in order to disrupt more than 3.2 million infections around the world. Ramnit is a sophisticated bot that appeared in 2010 and spread quickly. It enables remote access to infected machines and can steal files and credentials. It can also monitor web browsing and even use stolen website cookies to impersonate victims. Internet users are nearly always unaware they have been infected by malware, and they are usually not well equipped to deal with infections even when they are made aware. It is also not realistic to expect that all bots will be taken down; in fact the reverse is true: few bots are.
There is an alternative to waiting for takedowns. Vantio ThreatAvert and the Global Intelligence Xchange (GIX) protect subscribers against Ramnit and other bots immediately after they are discovered. Nominum researchers identify new bots and other threats, such as domains used for DDoS, every day. New findings are validated and incorporated into GIX threat lists, where they provide completely automated protection and deep visibility into malware threats. After years of research, GIX now tracks thousands of bots and their variants. Below is data showing Ramnit command and control queries since the beginning of the year. Nominum's data set represents about 3% of overall provider DNS traffic, so the overall number of queries is much higher.
ThreatAvert gathers data in networks where it is installed and feeds it into a graphical application, where it is displayed on a dashboard highlighting malicious activity. Top threats and the clients querying malicious domains are displayed, offering "at a glance" threat assessments with simple navigation to drill down into details. DNS-based DDoS activity, including the domain names used, bandwidth consumed, and clients querying DDoS domains, is also displayed, with details about the random subdomain attacks currently plaguing the Internet.
Vantio ThreatAvert not only gives providers a simple way to identify infected devices; it can also optionally block bot queries to command and control servers, which disrupts the functioning of the malware on the victim's machine. The solution is 100% automated and is updated with new threats on a continuous basis using real-time DNS data, which Nominum research processes and vets, typically within 30 minutes.
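The two preceding paragraphs describe the resolver-side workflow: match client queries against a list of command and control domains to surface infected devices, flag random subdomain DDoS activity, and optionally refuse to resolve C2 names. The script below is an added illustration of that logic, not Nominum's code; the threat list, log format and `.invalid` domain names are constructed placeholders, and the eTLD+1 approximation (last two labels) is an assumption standing in for a real public suffix list.

```python
from collections import defaultdict

# Constructed C2 threat list (placeholders, not real indicators).
C2_DOMAINS = {"c2-example.invalid", "bot-update.invalid"}

# Constructed resolver query log: "<unix_ts> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
1425000001 10.0.0.5 www.example.com A
1425000002 10.0.0.5 c2-example.invalid A
1425000003 10.0.0.9 news.example.org A
1425000004 10.0.0.7 update.bot-update.invalid A
1425000005 10.0.0.9 a8f3k2.victim-zone.invalid A
1425000006 10.0.0.9 qq91zx.victim-zone.invalid A
1425000007 10.0.0.9 mm02pl.victim-zone.invalid A
1425000008 10.0.0.5 www.example.com A
"""

def registrable(qname):
    # Crude eTLD+1: keep the last two labels (assumption; no public suffix list).
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), qtype))
    return records

def is_c2_query(qname):
    # Match the listed domain itself or any host beneath it.
    return qname in C2_DOMAINS or registrable(qname) in C2_DOMAINS

def infected_clients(records):
    # Clients that queried a C2 domain, with the names they asked for.
    hits = defaultdict(set)
    for _, client, qname, _ in records:
        if is_c2_query(qname):
            hits[client].add(qname)
    return dict(hits)

def random_subdomain_suspects(records, min_unique=3):
    # Random subdomain DDoS: one client asking for many distinct labels under one zone.
    uniq = defaultdict(set)
    for _, client, qname, _ in records:
        zone = registrable(qname)
        if zone != qname:
            uniq[(client, zone)].add(qname)
    return {k: len(v) for k, v in uniq.items() if len(v) >= min_unique}

def policy_action(qname):
    # Optional blocking step: answer C2 lookups with NXDOMAIN instead of resolving them.
    return "NXDOMAIN" if is_c2_query(qname) else "RESOLVE"
```

On the sample log this reports 10.0.0.5 and 10.0.0.7 as C2 talkers and 10.0.0.9 as a random subdomain suspect; in a real deployment the threshold and zone extraction would need tuning against legitimate high-cardinality domains such as CDNs.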
With N2 Reach, providers can optionally notify infected subscribers and provide access to remediation tools. The in-browser approach employed by N2 Reach offers a natural way to communicate with subscribers about exposures they face on the Internet and about other operational issues. Subscriber Safety steers subscribers away from malware sites in the first place, helping to prevent future infections.
The Nominum N2 Platform leverages DNS resolution for customized service delivery. Tight integration with Vantio servers meets the needs of business-oriented marketing teams and technically focused operations teams, with diverse services tailored to the unique requirements of each. Turnkey solutions ensure a seamless customer experience and straightforward deployment at scale in provider networks.