Our team at Nominum recently looked at the biggest threats to fixed networks at the DNS layer. Why the DNS layer? Because it is ubiquitous -- every network runs on it -- and it is the best option for protecting critical infrastructure.
We have broad insight at this layer because we provide DNS engines to more than 140 of the world's top service providers and process about 30% of the world's DNS traffic -- about 1 trillion DNS queries per day. All of those queries produce data, a lot of data. The Nominum security lab analyzed that data across the globe to identify the top 10 bots of 2012. (A few months ago we did the same thing for mobile networks.)
Along with the bots, we saw that 2012 was marked by continuous growth of sophisticated attacks on both fixed and mobile networks, and most of these attacks were carried out by malicious bots that spread through zero-day malware (previously unknown viruses or other malware for which no antivirus signatures were yet available). Furthermore, most modern bots are DNS-enabled and benefit from the Internet's scalability: they reach their controllers by name, through the same resolvers every other client uses.
The first table below shows the top 10 bots ranked by degree of infection around the world. The global top 10 is a mix of modern and legacy bots. One modern bot, Ngrbot (a.k.a. Dorkbot), can hide its presence and hook system APIs in the manner of a rootkit. It is a multi-function bot, capable of performing a variety of malicious activities such as collecting and stealing sensitive information (usernames and passwords, for example), disabling installed antivirus services, and launching DDoS attacks.
We also compiled top 10 regional bot lists, which differ from one another and from the global list. The second table shows the top 10 bots for Asia/Pacific, Europe/Middle East/Africa, and Latin America, respectively.
Some top regional bots did not make the global list. For example, SpyEye was a top threat in the EMEA region, with higher infection rates than its competitor Zeus, while Zeus was more widespread in the APAC and LATAM regions.
Several high-profile bots did not make the regional top 10 lists either but were widespread in specific countries, among them Flamer, Shylock, TDSS, and DNSChanger. For Flamer, Iran was the main target of infection, but there were significant outbreaks in Egypt and Saudi Arabia and a few victims in Thailand.
Another example is Shylock, a top active bot carrying out man-in-the-middle attacks against bank websites in the U.K., while TDSS remained active primarily in Denmark and New Zealand. DNSChanger continued to be stubbornly widespread, with victims found in many countries, from Argentina to Australia and from Saudi Arabia to Thailand.
From that research, we put together the chart below depicting overall bot infection rates in the regions that suffered significant infection.
In 2012, we also observed new tricks and technologies that were widely adopted to improve bots' operational efficiency and resilience.
- Shylock started to inject fake contact phone numbers into the bank pages it intercepts, a new social engineering trick to steal customers' sensitive information, since people usually place more trust in live "customer service" personnel than in a web form.
- The DGA (Domain Generation Algorithm) technique gained popularity among top bots, from Conficker to Ramnit. Instead of contacting a fixed C&C hostname, the bot computes large numbers of pseudo-random domain names on a schedule and tries them in turn; the operator only has to register one of them, so there is no single domain for defenders to blocklist or take down in advance.
- Many newly registered domain names were involved in spamming. And, as with their legitimate enterprise counterparts, more bot operators began moving their C&C (Command and Control) and other servers to the cloud.
- Android became the main battlefield for mobile security: every top mobile-device-only bot targeted it.
In 2013, bot-related DNS traffic will continue to be a primary enabler of malicious activity such as spam, distributed denial-of-service attacks, and data and identity theft. This type of online threat has grown almost hand-in-hand with the growth of the Internet.
As computers and mobile phones are infected, the malicious software running in the background communicates with its masters using the same DNS we all use to reach our favorite websites. Today's leading DNS resolvers can enforce policies whereby lists of "bad" domains are stored and access to them is refused, and can integrate other network-based protective measures. In the meantime, consumers still need to be smart about the links they click and the messages they open -- the next worst bot could be waiting.
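To make the two DNS-layer mechanisms above concrete, the DGA trick from the list of 2012 techniques and the resolver-side list of "bad" domains, here is an added Python example. It is not Nominum's code and not any real bot's algorithm: the DGA is a hypothetical stand-in for what Conficker or Ramnit do, the seed "botnet-seed", the client addresses, the domain names and the resolver log lines are constructed for the example, and the thresholds (20 NXDOMAIN answers, mean label entropy of 2.5 bits per character) are illustrative rather than tuned values.

```python
# Added example, not Nominum's code and not any real bot's algorithm. The DGA
# is a hypothetical stand-in for Conficker/Ramnit; log lines, addresses, seed
# and thresholds are constructed for illustration.
import hashlib
import math
from collections import Counter, defaultdict
from typing import Optional

TLDS = ("com", "net", "org", "info")


def toy_dga(seed: str, day: str, count: int) -> list:
    """Hypothetical DGA: bot and operator share `seed`, so both derive the same
    candidate names for `day` and nothing is hard-coded to blocklist in advance."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        names.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return names


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; fold both
    before comparing, so 'C2.Bad.Example.' matches a listed 'bad.example'."""
    return name.rstrip(".").lower()


def blocked_by(name: str, blocklist: set) -> Optional[str]:
    """Return the blocklist entry covering `name`: the name itself or any parent
    domain. Walks label by label, so 'notbad.example' is NOT matched by
    'bad.example' (a naive substring check would wrongly block it)."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def policy_hits(log_lines: list, blocklist: set) -> Counter:
    """Count queries the policy would intercept, keyed by (client, list entry).
    Log lines are 'client qname rcode'."""
    hits = Counter()
    for line in log_lines:
        client, qname, _rcode = line.split()
        entry = blocked_by(qname, blocklist)
        if entry is not None:
            hits[(client, entry)] += 1
    return hits


def label_entropy(name: str) -> float:
    """Shannon entropy (bits per character) of the leftmost label. Generated
    labels spread their characters far more evenly than dictionary words."""
    label = normalize(name).split(".")[0]
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_suspects(log_lines: list, nx_threshold: int = 20,
                 entropy_threshold: float = 2.5) -> dict:
    """Flag clients whose NXDOMAIN answers are both numerous and random-looking:
    a DGA bot tries dozens of candidates a day and almost none exist, an NXDOMAIN
    burst ordinary users never produce. Returns {client: (count, mean_entropy)}."""
    nx_names = defaultdict(list)
    for line in log_lines:
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            nx_names[client].append(qname)
    suspects = {}
    for client, names in nx_names.items():
        if len(names) < nx_threshold:
            continue
        mean_entropy = sum(label_entropy(n) for n in names) / len(names)
        if mean_entropy >= entropy_threshold:
            suspects[client] = (len(names), round(mean_entropy, 2))
    return suspects


def build_sample_log() -> list:
    """Constructed resolver log: one ordinary user (10.0.0.2) and one host
    (10.0.0.9) running the toy DGA for 2012-12-01."""
    lines = [
        "10.0.0.2 www.example.com NOERROR",
        "10.0.0.2 mail.example.net NOERROR",
        "10.0.0.2 gogle.com NXDOMAIN",        # a typo, not a bot
        "10.0.0.2 C2.Bad.Example. NOERROR",   # resolves, but the name is listed
    ]
    for i, name in enumerate(toy_dga("botnet-seed", "2012-12-01", 30)):
        rcode = "NOERROR" if i == 7 else "NXDOMAIN"  # operator registered one
        lines.append(f"10.0.0.9 {name} {rcode}")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("policy hits:", dict(policy_hits(log, {"bad.example"})))
    print("DGA suspects:", dga_suspects(log))
```

Two points worth noting from the code. The blocklist walk matches a listed domain and everything under it, which is what a resolver policy needs, but it must not degrade into a substring match, or every name that merely ends in the same letters gets sinkholed. And the DGA detector does not try to recognise any particular algorithm; it keys on what every DGA leaves at the DNS layer, a client producing far more NXDOMAIN answers for random-looking names than a human ever does, which is why the resolver is a good place to catch bots whose actual binaries have never been seen by an antivirus product.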
Nominum is the worldwide leading provider of integrated subscriber, network and security solutions for network operators. Nominum is the provider of the N2 Platform that leverages more than 1 trillion DNS queries daily and enables the rapid development and seamless integration of applications that leverage DNS data. Nominum is a global organization headquartered in Redwood City, Calif.