Weekly web security warning – April in review

Every week, we examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA's D-Zone DNS Firewall.
By Rob Williamson
Marketing Manager

With April now behind us, it feels like a good time to review the activity we tracked through D-Zone DNS Firewall in the past month. We’ll keep it short, simple and full of charts.

We added more than 5.6 million malicious domains to our block list over the last month, and blocked more than 1.9 million queries, from user clicks on phishing sites through to botnet traffic—and that’s only in Canada! This all goes to show that no matter how much security you have, users are often the weakest link (sorry).

Over the same period, we saw a steady weekly decline in DDoS queries. One interesting note: the charts clearly show how traffic dips over the weekend as systems are offline. No network, no one to respond to fake queries.

Over the past month, five common malware threats appeared most frequently; you can see them in the chart below. A very high percentage of customers experienced malware call-home events, and the number of users impacted by Trojan downloaders is also cause for concern if you are an IT manager.

| Threat Name | Description |
|---|---|
| Malware Call Home | Domains used for malware post-infection communications |
| Suspected Malware | Suspected malware/botnet activity that is in the process of being classified |
| Malware-Adware/A | Cluster of malware/adware domains used by hijacked web browsers |
| Mirai | An IoT botnet used primarily to launch DDoS attacks; also includes variants (e.g. Persirai) |
| Trojan Downloaders | Known malware/botnet activity |

Another way to look at the scope of the threat is to rank them by queries per second (QPS) rather than only by the number of client IP addresses affected. QPS gives a good view of the scope of each threat: it shows that some, like Necurs, are more persistent, while others, such as DNS tunneling, are more of a nuisance than an active hack trying to access data.

| Threat Type | QPS |
|---|---|
| Malware Call Home | 0.27 |
| Necurs | 0.13 |
| DNS Tunneling | 0.12 |
| Suspected Malware | 0.1 |
| Trojan downloaders | 0.07 |
| Spybot | 0.06 |
| Morto | 0.05 |
| Palevo | 0.02 |
| Mirai | 0.02 |
| DNS Traffic Amplification | 0.01 |
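To make the "clients versus QPS" distinction concrete, here is an added example (not part of CIRA’s post and not D-Zone DNS Firewall code) that aggregates a constructed sample of firewall block-log lines two ways: by distinct client IP addresses and by queries per second. The log line format, the threat labels and the 100-second observation window are assumptions. A threat that one infected host queries over and over ranks high on QPS but low on clients; a threat that many hosts touch once ranks the other way round, which is the persistent-versus-widespread difference the paragraph above draws.

```python
"""Rank blocked-query threats by distinct clients and by queries per second (QPS).

Added example: the log format below is an assumption, not D-Zone DNS Firewall output.
"""
from collections import defaultdict

# Constructed sample block log, one event per line:
#   <epoch seconds> <client IP> <blocked domain> <threat label>
# Addresses come from documentation ranges and domains use the reserved .example TLD.
SAMPLE_LOG = """\
1493596800 192.0.2.10 a.example necurs
1493596805 192.0.2.10 a.example necurs
1493596810 192.0.2.10 a.example necurs
1493596815 192.0.2.10 a.example necurs
1493596820 192.0.2.10 b.example necurs
1493596825 192.0.2.10 b.example necurs
1493596830 192.0.2.10 b.example necurs
1493596835 192.0.2.10 b.example necurs
1493596802 198.51.100.1 c.example malware-call-home
1493596840 198.51.100.2 c.example malware-call-home
1493596860 198.51.100.3 d.example malware-call-home
1493596880 198.51.100.4 d.example malware-call-home
1493596850 203.0.113.7 e.example dns-tunneling
1493596851 203.0.113.7 e.example dns-tunneling
"""

# Length of the observation window the sample covers (assumed: 100 seconds).
WINDOW_SECONDS = 100


def parse_block_log(text):
    """Parse log text into (timestamp, client, domain, threat) tuples, skipping blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, domain, threat = line.split()
        events.append((int(ts), client, domain, threat))
    return events


def summarise(events, window_seconds):
    """Per threat: distinct clients, total blocked queries, and QPS over the window."""
    clients = defaultdict(set)
    queries = defaultdict(int)
    for _ts, client, _domain, threat in events:
        clients[threat].add(client)
        queries[threat] += 1
    return {
        threat: {
            "clients": len(clients[threat]),
            "queries": queries[threat],
            "qps": round(queries[threat] / window_seconds, 4),
        }
        for threat in queries
    }


def rank_by(summary, metric):
    """Threat names ordered by a metric, highest first; ties broken alphabetically."""
    return [t for t, _ in sorted(summary.items(), key=lambda kv: (-kv[1][metric], kv[0]))]


def main():
    summary = summarise(parse_block_log(SAMPLE_LOG), WINDOW_SECONDS)
    print(f"{'threat':<20}{'clients':>8}{'queries':>8}{'qps':>8}")
    for threat in rank_by(summary, "qps"):
        s = summary[threat]
        print(f"{threat:<20}{s['clients']:>8}{s['queries']:>8}{s['qps']:>8}")
    print("by clients:", rank_by(summary, "clients"))
    print("by qps:    ", rank_by(summary, "qps"))


if __name__ == "__main__":
    main()
```

In the sample, `malware-call-home` leads when ranked by clients (four hosts, one query each) while `necurs` leads when ranked by QPS (one host, eight queries), so neither metric alone tells an IT manager both how many machines are infected and how noisy each infection is.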

Finally, we can’t forget the top 10 blocks of the week. Last week we saw a lot of random-character domains (likely algorithmically generated), with a few .ru domains mixed in for good measure.

| Domain | Threat |
|---|---|
| dj1.jfrmt.net | Morto |
| 76236osm1.ru | Trojan downloaders |
| superyou.zapto.org | Spybot |
| ns6.wowrack.com | Mirai |
| ns5.wowrack.com | Mirai |
| soplifan.ru | Trojan downloaders |
| diplicano.ru | Trojan downloaders |
| wqerveybrstyhcerveantbe.com | Suspected Malware |
| tvrstrynyvwstrtve.com | Ramnit |
| thg.ltn999.com | Malware Call Home |
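The "random character" observation above is something a defender can check mechanically. The following Python is an added example (not CIRA’s or D-Zone’s method) that scores the ten domains from the table with simple lexical heuristics: vowel ratio, longest run of consonants, label length and character entropy. The thresholds are assumptions chosen for illustration, and the TLD handling is deliberately naive (it strips only the rightmost label, so a dynamic-DNS name such as superyou.zapto.org is split into `superyou` and `zapto`); a production version would use the public suffix list and tune thresholds against a baseline of known-good domains.

```python
"""Flag random-looking (likely algorithmically generated) domains with simple lexical heuristics.

Added example; the thresholds and the naive TLD handling are assumptions, not D-Zone's method.
"""
import math
from collections import Counter

VOWELS = set("aeiou")  # 'y' is treated as a consonant, a deliberate simplification

# The top-10 blocked domains listed in the post, used here as sample input.
TOP_BLOCKS = [
    "dj1.jfrmt.net", "76236osm1.ru", "superyou.zapto.org", "ns6.wowrack.com",
    "ns5.wowrack.com", "soplifan.ru", "diplicano.ru", "wqerveybrstyhcerveantbe.com",
    "tvrstrynyvwstrtve.com", "thg.ltn999.com",
]


def label_features(label):
    """Lexical features of one DNS label: length, vowel ratio, longest consonant run, entropy."""
    label = label.lower()
    letters = [c for c in label if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    counts = Counter(label)
    entropy = (
        -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())
        if label else 0.0
    )
    return {
        "length": len(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "longest_consonant_run": longest,
        "entropy": round(entropy, 2),
    }


def looks_algorithmic(label, max_run=5, min_len=12, min_vowel_ratio=0.30):
    """Pronounceability rule of thumb (assumed thresholds): human-chosen names rarely
    contain long consonant runs or long labels with very few vowels."""
    f = label_features(label)
    return f["longest_consonant_run"] >= max_run or (
        f["length"] >= min_len and f["vowel_ratio"] < min_vowel_ratio
    )


def score_domain(fqdn):
    """Score every label except the rightmost, which is naively treated as the TLD
    (a real implementation would consult the public suffix list instead)."""
    labels = fqdn.lower().rstrip(".").split(".")
    candidates = labels[:-1] if len(labels) > 1 else labels
    flagged = [lab for lab in candidates if looks_algorithmic(lab)]
    return {"domain": fqdn, "flagged_labels": flagged, "suspicious": bool(flagged)}


def triage(domains):
    """Return the subset of domains that trip the heuristic, for analyst review."""
    return [d for d in domains if score_domain(d)["suspicious"]]


if __name__ == "__main__":
    for d in TOP_BLOCKS:
        r = score_domain(d)
        print(f"{'FLAG' if r['suspicious'] else '    '} {d:<30} {r['flagged_labels']}")
```

Run against the table, the two long random-character domains trip the rule, the pronounceable ones (soplifan.ru, diplicano.ru, superyou.zapto.org, the wowrack.com name servers) do not, and dj1.jfrmt.net also trips it on the five-consonant label `jfrmt`. That last case is a reminder that lexical heuristics produce candidates for review, not verdicts; the firewall’s categorisation still comes from threat intelligence, not from how a name looks.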

About the author
Rob Williamson

Rob brings over 20 years of experience in the technology industry writing, presenting and blogging on subjects as varied as software development tools, silicon reverse engineering, cyber-security and the DNS. He is an avid product marketer who takes the time to give IT professionals the information and details they need for their jobs.