
Weekly Web Security Warning: Something new to see, a ccTLD

Over the last seven days, we have seen a big change to the top 10 blocked domains of the week. Specifically for the first time a country-code TLD is featured – in this case .us. 
By Rob Williamson
Marketing Manager

Over the last seven days, we have seen a big change to the top 10 domains blocked by D-Zone DNS Firewall. Specifically, for the first time a country-code TLD is featured, in this case .us. Country codes are not seen as frequently among blocked domains because they generally enforce stricter identification and ownership rules.

A quick review of WHOIS shows that these .us domains are all registered to the same registrant. This suggests either that their servers have been compromised or that the activity is intentional. In the latter case, the registrant name is perhaps a pseudonym. Without speculating too much, what matters is that this particular set of domains is being blocked for botnet activity that we still need to understand better, and so we have categorized it as "Other Botnet", which refers to malware/botnet activity that we have not yet definitively associated with a specific, well-studied malware/botnet type.

The other notable change this week is the first appearance of Morto, and it tops the list. That said, this isn't the threat that you may think it is. Morto is an oldie that spreads via remote desktop protocol (RDP) between Windows machines with weak passwords. The domain is a more traditional, (seemingly) randomly generated domain name. What this means is that this domain is not a threat that the typical IT manager needs to worry about. The very high query count we are seeing is the result of one IP address with (likely) multiple infections on its network. In this case, the owner is not a direct D-Zone DNS Firewall customer but benefits from its blocking because they are with an ISP that is using the DNS firewall to help keep malware off its network (and protect its customers).

| Domain Name | Category | Threat Type |
|---|---|---|
| dj1.jfrmt.net | BLOCK | Morto |
| gpreport.us | BLOCK | Other Botnet |
| domain-extension.us | BLOCK | Other Botnet |
| superyou.zapto.org | BLOCK | Spybot |
| sandmining.us | BLOCK | Other Botnet |
| pricedeals.us | BLOCK | Other Botnet |
| desertsand.us | BLOCK | Other Botnet |
| wine-gift.us | BLOCK | Other Botnet |
| issuetracking.us | BLOCK | Other Botnet |
| valuescale.us | BLOCK | Other Botnet |
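As an added example (not CIRA's or D-Zone DNS Firewall's code), the script below reproduces the two checks behind a list like the one above over constructed resolver block-log lines: which TLDs appear in the weekly top-N blocked domains, and what share of a domain's blocked queries comes from a single client, which is how a count like Morto's can be traced to one network. The log format and the sample lines are assumptions made for the example.

```python
from collections import Counter

# Constructed sample of resolver block-log lines (not real D-Zone data).
# Format assumed here: "<timestamp> <client_ip> <qname> <action> <category>".
SAMPLE_LOG = """\
2017-05-01T00:00:01Z 203.0.113.10 dj1.jfrmt.net BLOCK Morto
2017-05-01T00:00:02Z 203.0.113.10 dj1.jfrmt.net BLOCK Morto
2017-05-01T00:00:03Z 203.0.113.10 dj1.jfrmt.net BLOCK Morto
2017-05-01T00:00:04Z 203.0.113.10 dj1.jfrmt.net BLOCK Morto
2017-05-01T00:00:05Z 198.51.100.7 gpreport.us BLOCK Other Botnet
2017-05-01T00:00:06Z 198.51.100.8 gpreport.us BLOCK Other Botnet
2017-05-01T00:00:07Z 198.51.100.9 gpreport.us BLOCK Other Botnet
2017-05-01T00:00:08Z 198.51.100.9 superyou.zapto.org BLOCK Spybot
2017-05-01T00:00:09Z 198.51.100.7 sandmining.us BLOCK Other Botnet
2017-05-01T00:00:10Z 198.51.100.7 example.org ALLOW -
"""

def parse_blocked(log_text):
    """Return (client_ip, qname, category) for each BLOCK line; skip the rest."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split(None, 4)  # category may contain spaces
        if len(parts) == 5 and parts[3] == "BLOCK":
            rows.append((parts[1], parts[2].lower().rstrip("."), parts[4]))
    return rows

def top_blocked(rows, n=10):
    """Top-n blocked domains by query count, most-queried first."""
    return Counter(qname for _, qname, _ in rows).most_common(n)

def cctlds_in_top(rows, n=10):
    """ccTLDs (two-letter TLDs) present in the weekly top-n blocked list."""
    return {q.rsplit(".", 1)[-1] for q, _ in top_blocked(rows, n)
            if len(q.rsplit(".", 1)[-1]) == 2}

def client_concentration(rows, qname):
    """Share of a domain's blocked queries that come from its busiest client.
    A share near 1.0 means one network drives the count, as with Morto above."""
    per_ip = Counter(ip for ip, q, _ in rows if q == qname)
    total = sum(per_ip.values())
    if total == 0:
        return None, 0.0
    ip, hits = per_ip.most_common(1)[0]
    return ip, hits / total

if __name__ == "__main__":
    blocked = parse_blocked(SAMPLE_LOG)
    for qname, count in top_blocked(blocked):
        ip, share = client_concentration(blocked, qname)
        print(f"{qname:22} {count:3}  top client {ip} ({share:.0%})")
    print("ccTLDs in top list:", sorted(cctlds_in_top(blocked)))
```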

About the author
Rob Williamson

Rob has more than 20 years of experience writing, presenting and blogging for the technology industry. He covers topics as varied as software development tools, silicon reverse engineering, cybersecurity and DNS. Rob is a passionate marketer who gives IT professionals the information and detail they need to do their jobs.
