Weekly web security warning – April in review

Every week, we examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA's D-Zone DNS Firewall.
By Rob Williamson
Marketing Manager

With April now behind us, it feels like a good time to review the activity we tracked through D-Zone DNS Firewall in the past month. We’ll keep it short, simple and full of charts.

We added more than 5.6 million malicious domains to our block list over the last month, and blocked more than 1.9 million queries, from user clicks on phishing sites through to botnets—and that’s only in Canada! This all goes to show that no matter how much security you have, users are often the weakest link (sorry).

Over the same period, we saw a steady weekly decline in DDoS queries. One interesting note: the charts clearly show how traffic dips over the weekend as systems go offline. With no network up, there is no one to respond to the fake queries.

Over the past month, five common malware threats appeared most frequently; you can see them in the table below. A very high percentage of customers experienced malware call-home events, and the number of users affected by Trojan downloaders is also cause for concern if you are an IT manager.

| Threat Name | Description |
|---|---|
| Malware Call Home | Domains used for malware post-infection communications |
| Suspected Malware | Suspected malware/botnet activity that is in the process of being classified |
| Malware-Adware/A | Cluster of malware/adware domains used by hijacked web browsers |
| Mirai | An IoT botnet that is used primarily to launch DDoS attacks; also includes variants (e.g. Persirai) |
| Trojan Downloaders | Known malware/botnet activity |

Another way to look at the scope of the threat is to rank threats by queries per second (QPS) rather than by the number of client IP addresses alone. QPS gives a good view of the scope of each threat: some, like Necurs, are more persistent, while others, such as DNS tunneling, are more a nuisance than an active attack that is trying to access data.

| Threat Type | QPS |
|---|---|
| Malware Call Home | 0.27 |
| Necurs | 0.13 |
| DNS Tunneling | 0.12 |
| Suspected Malware | 0.1 |
| Trojan downloaders | 0.07 |
| Spybot | 0.06 |
| Morto | 0.05 |
| Palevo | 0.02 |
| Mirai | 0.02 |
| DNS Traffic Amplification | 0.01 |
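The point above is that ranking by how many clients touch a threat and ranking by query rate tell different stories: a threat with one noisy, persistent host can out-rank one that touches many hosts once. The following is an added example (not CIRA code, and not the D-Zone DNS Firewall log format, which is assumed here as a simple pipe-separated line of time, client, domain and threat) that summarises a constructed block log both ways. The domains and threat names come from this page's tables; the clients, timestamps and counts are made up.

```python
"""Rank DNS-firewall block events by affected clients versus query rate."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample block log in a hypothetical format:
#   time | client IP | queried domain | threat category
# "necurs-c2.example" is a placeholder; the page lists no Necurs domain.
SAMPLE_LOG = """\
2018-04-30T10:00:00Z | 10.0.0.11 | thg.ltn999.com | Malware Call Home
2018-04-30T10:00:05Z | 10.0.0.12 | thg.ltn999.com | Malware Call Home
2018-04-30T10:00:09Z | 10.0.0.13 | thg.ltn999.com | Malware Call Home
2018-04-30T10:00:14Z | 10.0.0.14 | thg.ltn999.com | Malware Call Home
2018-04-30T10:00:20Z | 10.0.0.21 | necurs-c2.example | Necurs
2018-04-30T10:00:22Z | 10.0.0.21 | necurs-c2.example | Necurs
2018-04-30T10:00:24Z | 10.0.0.21 | necurs-c2.example | Necurs
2018-04-30T10:00:26Z | 10.0.0.21 | necurs-c2.example | Necurs
2018-04-30T10:00:28Z | 10.0.0.21 | necurs-c2.example | Necurs
2018-04-30T10:00:30Z | 10.0.0.21 | necurs-c2.example | Necurs
2018-04-30T10:00:32Z | 10.0.0.21 | necurs-c2.example | Necurs
2018-04-30T10:00:34Z | 10.0.0.21 | necurs-c2.example | Necurs
2018-04-30T10:00:40Z | 10.0.0.31 | wqerveybrstyhcerveantbe.com | Suspected Malware
2018-04-30T10:00:50Z | 10.0.0.32 | wqerveybrstyhcerveantbe.com | Suspected Malware
"""


@dataclass
class BlockEvent:
    when: str
    client: str
    domain: str
    threat: str


def parse_log(text: str) -> List[BlockEvent]:
    """Parse the pipe-separated sample format, skipping blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, client, domain, threat = (f.strip() for f in line.split("|"))
        events.append(BlockEvent(when, client, domain, threat))
    return events


def summarize(events: List[BlockEvent], window_seconds: float) -> Dict[str, dict]:
    """Per threat: total blocked queries, distinct clients, and QPS over the window."""
    queries = defaultdict(int)
    clients = defaultdict(set)
    for e in events:
        queries[e.threat] += 1
        clients[e.threat].add(e.client)
    return {
        t: {"queries": queries[t], "clients": len(clients[t]), "qps": queries[t] / window_seconds}
        for t in queries
    }


def rank(summary: Dict[str, dict], key: str) -> List[str]:
    """Threat names sorted by the chosen metric, highest first (ties by name)."""
    return [t for t, _ in sorted(summary.items(), key=lambda kv: (-kv[1][key], kv[0]))]


if __name__ == "__main__":
    # 100-second window for the constructed sample.
    summary = summarize(parse_log(SAMPLE_LOG), window_seconds=100)
    print("by distinct clients:", rank(summary, "clients"))
    print("by QPS:             ", rank(summary, "qps"))
    for threat, stats in summary.items():
        print(f"{threat:20s} clients={stats['clients']} queries={stats['queries']} qps={stats['qps']:.2f}")
```

On the constructed data the client ranking puts Malware Call Home first (four hosts, one query each) while the QPS ranking puts Necurs first (one host, eight queries), which is the "persistent versus widespread" distinction the paragraph draws.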

Finally, we can’t forget about the top 10 blocks of the week. Last week, we saw a lot of random-character domains (likely algorithmically generated) and a few .ru domains mixed in for good measure.

| Domain | Threat |
|---|---|
| dj1.jfrmt.net | Morto |
| 76236osm1.ru | Trojan downloaders |
| superyou.zapto.org | Spybot |
| ns6.wowrack.com | Mirai |
| ns5.wowrack.com | Mirai |
| soplifan.ru | Trojan downloaders |
| diplicano.ru | Trojan downloaders |
| wqerveybrstyhcerveantbe.com | Suspected Malware |
| tvrstrynyvwstrtve.com | Ramnit |
| thg.ltn999.com | Malware Call Home |

About the author
Rob Williamson

Rob has more than 20 years of experience writing, presenting and blogging for the technology industry. He covers topics as varied as software development tools, silicon reverse engineering, cybersecurity and DNS. Rob is a passionate marketer who gives IT professionals the information and insight they need to get their jobs done.
