
I can't resist a good metaphor, and so a sad dog to represent a PUP was just too perfect.  However, when it comes to IT, these are PUPs you don't want to rescue. Just to strike horror into those old enough to remember, I am including the next little pic of Gator.

Original PUP

PUPs or “potentially unwanted programs” have been a scourge on internet users almost since the beginning (some call these PUAs or potentially unwanted applications). Gator was a nifty little plug-in that you just couldn’t uninstall without herculean efforts and it was, in my experience, the OG of PUPs starting in 1998.  Here we are almost 25 years later and it hasn’t gotten much better. We're going to focus on a new PUP that started making the rounds in the fall of 2020 called Agafurrator.

Many sketchy tools that unsuspecting users install come with lovely browser redirects and ad tools. That is why I was so intrigued when I was looking at the aggregate block data in the CIRA DNS Firewall and noticed this one again.

How did I spot it and what you can do

I log into our ELK stack to review threat trends and start with the top-line number. This makes for nice PowerPoint presentations – but isn’t specifically useful for the IT security manager. In this case, we see just over 360,000 threats blocked (excluding botnets and content filtering that customers may be using) over a 24-hour period. With just over 3 million Canadian users, that is a block rate of 0.12 threats per user. Organizations that use our CIRA DNS Firewall are likely keeping similar numbers, and blocks per user is a simple number for seeing whether things are getting generally better or generally worse on the Canadian internet (for us) or the corporate network (for our customers).

Snapshot of CIRA DNS Firewall block count

Spotting a needle in a haystack gets easier when there are lots of needles

Agafurrator dot com appeared on a lot of unique IP addresses – meaning a lot of customers; this is a typical red flag. For IT managers looking at their own user data, it generally is not useful to look at every single log that every electronic device or program generates – it is a sea of data that just can’t be used for any useful purpose. The same goes for CIRA in looking at over 360,000 blocks in a day. However, as it relates to the DNS, a simple technique is to look for (1) single users generating lots of malicious traffic and (2) multiple users/networks generating the same traffic. Both are red flags that require follow-up.


Lots of blocks on the same domain

We saw agafurretor appear on lots of networks.  In addition to it being pervasive, this domain had the double whammy of being the top malicious block on the entire network – it is pervasive right now. Notably, the top spot is very often related to single IP addresses generating a ton of activity due to an infection – but not in this case.
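The two red flags and the blocks-per-user figure described above can be computed from block logs in a few lines. This is an added example, not CIRA's own tooling; the `(client_ip, domain)` event format, the thresholds and every address and domain in the sample are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed block events (client_ip, blocked_domain); all values are made up.
SAMPLE_BLOCKS = (
    [(f"192.0.2.{i}", "pup-redirect.example") for i in range(1, 9)] * 2
    + [("198.51.100.50", "infected-host.example")] * 40
    + [("203.0.113.7", "ad-tracker.example"), ("203.0.113.8", "ad-tracker.example")]
)

def triage(blocks, total_users, noisy_min=25, spread_min=5):
    """Summarise block events into the two red flags plus blocks per user.

    noisy_min and spread_min are assumed thresholds; tune them to your network.
    """
    if total_users <= 0:
        raise ValueError("total_users must be positive")
    hits_by_client = Counter()
    hits_by_domain = Counter()
    clients_by_domain = defaultdict(set)
    for client, domain in blocks:
        domain = domain.lower().rstrip(".")  # normalise case and trailing dot
        hits_by_client[client] += 1
        hits_by_domain[domain] += 1
        clients_by_domain[domain].add(client)
    return {
        # Red flag 1: a single client generating lots of blocked queries.
        "noisy_clients": {c: n for c, n in hits_by_client.items() if n >= noisy_min},
        # Red flag 2: the same blocked domain seen from many distinct clients.
        "widespread_domains": {
            d: len(cs) for d, cs in clients_by_domain.items() if len(cs) >= spread_min
        },
        # Raw hit count alone: often dominated by one infected machine.
        "top_by_hits": hits_by_domain.most_common(1)[0][0] if hits_by_domain else None,
        # Trend metric: total blocks divided by the user population.
        "blocks_per_user": len(blocks) / total_users,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOCKS, total_users=100).items():
        print(f"{key}: {value}")
```

In the constructed sample the domain with the most hits comes from a single client, while the widespread domain has fewer hits but appears on eight clients, which is why counting distinct clients per domain is worth doing alongside raw hit counts.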

Well, a PUP isn’t ransomware, so can it wait?

We will be the first to admit that what usually makes headlines is zero-day attacks based on critical events (e.g. fake vaccine clinics or fake CRA at tax time). If we saw that kind of pervasive activity, it would trigger us to communicate with our partners and perhaps issue a more formal announcement. The point of this blog is simply to point out that just because it is “run of the mill” doesn’t mean it isn’t a real problem for IT teams.

While serving up advertisements isn’t the worst problem in the world, the fact that it is on the network shows user behaviour that isn’t desirable. It consumes employee time and your network resources without your permission. This spike in agafurrator is something that IT teams should consider taking a look at on their networks. It also underscores that even for resource-constrained teams, using DNS data to monitor the network is a valuable activity that doesn't necessarily consume lots of hours.