
DNS reveals the top cyberthreats of 2012. And you guessed it ... no one is safe.

By Craig Sprosts, vice president of platforms and applications at Nominum, special to Network World
February 22, 2013 05:21 PM ET

Network World - Our team at Nominum recently looked at the biggest threats to fixed networks at the DNS layer. Why the DNS layer? Because it is ubiquitous -- every network runs on it -- and it is the best option for protecting critical infrastructure.

We have broad insight at this layer because we provide DNS engines to more than 140 of the world's top service providers and process about 30% of the world's global traffic -- about 1 trillion DNS queries per day. All of these queries and clicks lead to data being produced, A LOT of data. The Nominum security lab analyzed that data across the globe to identify the top 10 bots of 2012. (A few months ago we did the same thing for mobile networks.)

Along with the bots, we saw that 2012 was marked by the continuous growth of sophisticated attacks in both fixed and mobile networks. Most of these attacks were carried out by malicious bots with zero-day infection capability (a previously unknown virus or other malware for which antivirus signatures are not yet available). Furthermore, most modern bots are DNS-enabled and benefit from the Internet's scalability: they locate their command-and-control infrastructure through ordinary DNS lookups, which is exactly why their activity is visible at the DNS layer.


The first table below shows the top 10 bots ranked by the degree of infection around the world. The top 10 global bots are a mix of modern bots and legacy bots. One modern bot, Ngrbot (a.k.a. Dorkbot), can hide its presence and hooks system APIs like a rootkit. It is a multi-function bot, capable of performing a variety of malicious activities, such as collecting and stealing sensitive information (like usernames and passwords), disabling installed antivirus services and launching DDoS attacks.

And many legacy bots are still active in the wild, such as Conficker, Palevo/Butterfly, Virut, Zeus and Sality, despite the many products and tools launched to shut them down.

We also ranked the top 10 bots per region, and these lists differ from one another. The second table shows the top 10 regional bots for Asia/Pacific, Europe/Middle East/Africa, and Latin America, respectively.

Some top regional bots did not make the global top bot list. For example, SpyEye was a top threat with higher infection rates than its competitor Zeus in the EMEA region, but Zeus was more popular in APAC and LATAM regions.
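The global and regional rankings described above are both "count distinct infected clients per bot family" over DNS query data. The following Python is an added example, not Nominum's code or data: the C2 domain list, the prefix-to-region map and the resolver log lines are all constructed, and a client is counted once per family no matter how many times it resolves a C2 name.

```python
from collections import defaultdict
# Constructed C2-domain-to-family list and /24-prefix-to-region map (assumptions, not real indicators).
C2_DOMAINS = {"c2-a.example": "Ngrbot", "c2-b.example": "Zeus",
              "c2-c.example": "SpyEye", "c2-d.example": "Conficker"}
PREFIX_REGION = {"10.1.0": "EMEA", "10.2.0": "APAC", "10.3.0": "LATAM"}
# Constructed resolver log lines: "<unix_time> <client_ip> <qname>".
SAMPLE_LOG = """\
1361500000 10.1.0.5 c2-b.example
1361500001 10.1.0.5 c2-c.example
1361500002 10.1.0.7 www.c2-c.example.
1361500003 10.2.0.9 c2-b.example
1361500004 10.2.0.11 c2-b.example
1361500006 10.3.0.4 c2-a.example
1361500007 10.3.0.4 c2-a.example
malformed line
"""

def family_of(qname):
    """Match the qname or any parent domain against the C2 list."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        fam = C2_DOMAINS.get(".".join(labels[i:]))
        if fam:
            return fam
    return None

def region_of(client):
    return PREFIX_REGION.get(client.rsplit(".", 1)[0], "OTHER")

def infected_clients(log):
    """Return {region: {family: set(client_ip)}}; each client counts once per family."""
    by_region = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        fam = family_of(qname)
        if fam:
            by_region[region_of(client)][fam].add(client)
    return by_region

def top_bots(by_region, n=10, region=None):
    """Rank families by distinct infected clients, globally or for one region."""
    counts = defaultdict(int)
    for reg, fams in by_region.items():
        if region is None or reg == region:
            for fam, clients in fams.items():
                counts[fam] += len(clients)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```

With the constructed sample, SpyEye outranks Zeus in EMEA while Zeus leads globally and in APAC, mirroring the regional-versus-global split the article describes.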

Several high-profile bots did not make the regional top 10 lists but were widespread in specific countries, such as Flamer, Shylock, TDSS, and DNSChanger. For Flamer, Iran was the main target of infection, but there were significant outbreaks in Egypt and Saudi Arabia, with a few victims in Thailand.

Another example is Shylock. It was a top active bot threat carrying out man-in-the-middle attacks against bank websites in the U.K., while TDSS remained active primarily in Denmark and New Zealand. DNSChanger continued to be viciously widespread with victims being found in many countries, everywhere from Argentina to Australia and Saudi Arabia to Thailand.
