Every week, we examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA’s D-Zone DNS Firewall.
This week’s big winner was a spambot using a random-character .ru domain, and unlike past weeks, the pattern was different. On weekends, the number of blocked domains typically falls as users tend to be more offline, at least from networked computers. This week, however, there was a huge spike in the number of unique domains blocked, which peaked at just over 4,900 on Saturday, May 5th. We aren’t charting this here, but traffic returned to more normal, quieter weekend patterns on the 6th.
In terms of the rest of the top blocked domains, we see a couple of non-resolving domains like buysellstops.com and underpants.online that are using WHOIS privacy. We also see the usual cadre of randomized domains.
| Domain | Threat |
| --- | --- |
| xdqzpbcgrvkj.ru | Spambot |
| 76236osm1.ru | Trojan downloaders |
| buysellstops.com | Malware Call Home |
| superyou.zapto.org | Spybot |
| e51091eec8b619d50e44c8c29b7a0ee8.com | Malware Call Home |
| ns6.wowrack.com | Mirai |
| ns5.wowrack.com | Mirai |
| 0x3h32haer.underpants.online | Malware Call Home |
| dj1.jfrmt.net | Morto |
| soplifan.ru | Trojan downloaders |
And finally, we noted a spike in DNS amplification traffic this week that peaked on May 3rd. These are queries designed to get a response that is larger than the query and are generally used for DDoS attacks on a third party.

On our end, we rate limit responses to these types of queries to sink them before they can cause slowdowns to our systems or the target’s.
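To make the rate-limiting idea concrete, here is an added example (not CIRA's implementation and not code from the original post): a simplified token bucket that budgets response bytes per claimed source /24 and only charges answers noticeably larger than the query. The class name, thresholds and sample traffic are all assumptions constructed for illustration.

```python
import ipaddress

class ResponseRateLimiter:
    """Byte-based token bucket per claimed source /24 (simplified sketch)."""

    def __init__(self, rate=2000.0, burst=4000.0, min_ratio=2.0):
        self.rate = rate            # bytes of response refilled per second
        self.burst = burst          # bucket capacity in bytes
        self.min_ratio = min_ratio  # response/query size that counts as amplifying
        self.buckets = {}           # prefix -> (tokens, last_seen)

    @staticmethod
    def prefix(src_ip):
        # Spoofed queries carry the target's address, so the bucket is keyed on
        # the claimed source network, not on whoever really sent the packet.
        return str(ipaddress.ip_network(f"{src_ip}/24", strict=False))

    def allow(self, src_ip, query_len, response_len, now):
        if response_len < self.min_ratio * query_len:
            return True  # answer is not meaningfully larger than the query
        key = self.prefix(src_ip)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= response_len
        self.buckets[key] = (tokens - response_len if ok else tokens, now)
        return ok

# Constructed traffic: (time_s, claimed_source, query_bytes, response_bytes)
SAMPLE_EVENTS = (
    [(i / 10, "203.0.113.7", 60, 3000) for i in range(10)]      # flood, 50x
    + [(t, "198.51.100.20", 40, 120) for t in (0.0, 0.5, 0.9)]  # ordinary client
)

def replay(events, limiter=None):
    """Run events through the limiter; return sent/dropped counts per /24."""
    limiter = limiter or ResponseRateLimiter()
    stats = {}
    for now, src, qlen, rlen in sorted(events):
        entry = stats.setdefault(limiter.prefix(src), {"sent": 0, "dropped": 0})
        entry["sent" if limiter.allow(src, qlen, rlen, now) else "dropped"] += 1
    return stats

if __name__ == "__main__":
    for net, counts in replay(SAMPLE_EVENTS).items():
        print(net, counts)
```

With these constructed numbers, the flooded prefix gets one large answer and the rest are dropped until the bucket refills, while the ordinary client is unaffected.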
Rob brings over 20 years of experience in the technology industry writing, presenting and blogging on subjects as varied as software development tools, silicon reverse engineering, cyber-security and the DNS. An avid product marketer who takes the time to speak to IT professionals with the information and details they need for their jobs.