For service providers undergoing digital transformation, the importance of subscriber and network protection cannot be understated. When subscribers and networks are at risk of attack or infection, a provider’s digital strategy is weakened and business growth limited.
This story has been told thousands of times before – a botnet is born, a botnet goes down, a botnet tries to get its bots back together. But the story of Necurs is unique.
Locky is a new cyberthreat that has received a lot of attention in security circles over the last few months because it has been unusually successful. Locky is advanced ransomware that encrypts a person’s files and holds them for ransom. It uses a number of different technologies to avoid being detected or blocked and takes great care to hide its path back to the attackers. The code is obfuscated to avoid detection by antivirus and malware software. The blackmailers communicate through TOR and only accept Bitcoin as payment, making it nearly impossible to discover who they are.
Android fans were probably chuckling over the XcodeGhost malware news – hackers don’t often penetrate Apple’s defenses. This provoked the Nominum Data Science team to take a look at what’s happening with malware targeting Android. Common wisdom is Android is exposed because there’s less rigor in the development and supply chain, and third party app stores with no protections are popular. Determined hackers can allegedly subvert defenses and get various kinds of exploits placed on mobile devices running the highly popular operating system. But what does the data show?
The DNS offers visibility into many kinds of Internet trends including various security threats. We’ve reported extensively on DNS DDoS and Nominum Data Science also tracks botnet activity. In this case queries for Command and Control (C&C) domains for the recently disclosed XcodeGhost malware were observed in September. Infected development tools were reported to have been used for the popular iOS app WeChat.
Europol recently took control of the ramnit botnet in order to disrupt more than 3.2 million infections around the world. Ramnit is a sophisticated bot that appeared in 2010 and spread quickly. It enables remote access to infected machines and can steal files and credentials. It can also monitor web browsing and even use stolen website cookies to impersonate victims. Internet users are nearly always unaware they have been infected by malware and usually not well equipped to deal with infections even when they are made aware. It is also not realistic to expect all bots will be taken down, in fact the reverse is true, few bots are.
Nominum analyzed customer data from around the world to find the mobile malware that presents the greatest risk to mobile subscribers. The top five mobile-device-only malware threats are:
Last month Microsoft led an effort to take control of a domain – 3322.org – in order to disrupt more than 500 different strains of malware affecting millions of innocent people around the world. Using a surgical approach implemented with software from Nominum, Microsoft was able to sinkhole traffic to malware subdomains hosted on 3322.org without impacting queries to legitimate subdomains. Numerous articles covered the effort; some of the better ones are below:
Everyone agrees protecting Internet users from malware and social engineering exploits like phishing is a valuable thing to do. At minimum these attacks are a nuisance because they degrade the Internet experience, worst case they can be costly and dangerous. But protecting networks and end users is becoming more difficult because attackers are making their exploits more dynamic and thus harder to detect. This is stressing some solutions, like client software, that have been a primary means of protecting end systems.