Locky is a new cyberthreat that has received a lot of attention in security circles over the last few months because it has been unusually successful. Locky is advanced ransomware that encrypts a person’s files and holds them for ransom. It uses a number of different technologies to avoid being detected or blocked and takes great care to hide its path back to the attackers. The code is obfuscated to avoid detection by antivirus and malware software. The blackmailers communicate through TOR and only accept Bitcoin as payment, making it nearly impossible to discover who they are.
Nominum Data Science detected a huge wave of malicious DNS queries rolling across the Internet Dec 14 and 15 2015, adding to stress for service providers already have around the holidays. Since it’s one of the peak buying seasons on the Internet most networks are locked down and operations teams are on alert. Many unfortunately were probably not expecting a huge surge in DNS DDoS as it has been fairly consistent the past few months. ThreatAvert customers were protected but many other networks likely experienced adverse impact – substantial slowdowns or even outages for servers that saw high volumes of queries.
Android fans were probably chuckling over the XcodeGhost malware news – hackers don’t often penetrate Apple’s defenses. This provoked the Nominum Data Science team to take a look at what’s happening with malware targeting Android. Common wisdom is Android is exposed because there’s less rigor in the development and supply chain, and third party app stores with no protections are popular. Determined hackers can allegedly subvert defenses and get various kinds of exploits placed on mobile devices running the highly popular operating system. But what does the data show?
2014 saw numerous huge spikes in DDoS traffic – some as large as 5 billion queries per day across Nominum worldwide data set which covers around 3% of overall ISP DNS traffic. Extrapolating, this meant more than 150 Billion unwanted queries across the Internet on the peak days.
DNS DDoS continues on the trend line established in 2014 – with tens of billions of malicious queries Internet-wide every day. Many of the domains attacked are lightly trafficked, but popular (Alexa 5000) domains are commonly targeted. For example alternative news sites, a university, and ecommerce sites have been attacked in the past couple of months. Attacks on popular domains require extra care when mitigating to avoid blocking legitimate queries.
Nominum Research shows about 15% of DNS DDoS traffic is amplification yet it still has impact (the rest are random subdomains). Data also shows bad guys continue to leverage open DNS resolvers which after more than 2 years might be considered an “old-days” technique, yet there are still around 17 million of them on the Internet. More recently our research teams have seen bots sending amplification queries.
Europol recently took control of the ramnit botnet in order to disrupt more than 3.2 million infections around the world. Ramnit is a sophisticated bot that appeared in 2010 and spread quickly. It enables remote access to infected machines and can steal files and credentials. It can also monitor web browsing and even use stolen website cookies to impersonate victims. Internet users are nearly always unaware they have been infected by malware and usually not well equipped to deal with infections even when they are made aware. It is also not realistic to expect all bots will be taken down, in fact the reverse is true, few bots are.
We’ve written extensively about open DNS proxies running in home gateways (“open home gateways”). Affected devices proxy DNS queries received on their WAN interface to whatever DNS resolver they are configured to use. This is typically the DNS configured by the ISP. The DNS has always been a handy tool for various kinds of attacks and the presence of these gateways gives attackers a back door into provider networks.
Nominum analyzed customer data from around the world to find the top cyber threats ranked by degree of infection. The result was a mix of new and modern bots, and legacy bots.
In previous posts, Pat discussed the risks associated with BYOD, and a DNS-based approach for reducing those risks. Essentially this approach consisted of making use of an enterprise’s caching DNS server to monitor and block DNS queries to known botnet command and control (C&C) domains. Finding these C&C domains is something Nominum does quite well.