{"id":42095,"date":"2018-04-10T04:00:00","date_gmt":"2018-04-10T08:00:00","guid":{"rendered":"https:\/\/stg.cira.ca\/blog\/weekly-web-security-warning-malware-queries-continue-upward-trend-2\/"},"modified":"2023-03-10T10:57:08","modified_gmt":"2023-03-10T15:57:08","slug":"weekly-web-security-warning-malware-queries-continue-upward-trend-2","status":"publish","type":"cira_news","link":"https:\/\/stg.cira.ca\/fr\/ressources\/nouvelles\/cybersecurite\/weekly-web-security-warning-malware-queries-continue-upward-trend-2\/","title":{"rendered":"Weekly web security warning \u2013 malware queries continue upward trend"},"content":{"rendered":"

Every week, we examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA’s D-Zone DNS Firewall.<\/p>\n

<\/p>\n

Many of the top blocked domains this week are indicative of only a handful of infected IP addresses calling out many, many times, while others are more pervasive. Looking at widespread trends can help us analyze cybersecurity trends across Canada \u2013 at least among the 800,000 strong user base of D-Zone DNS Firewall<\/a>.<\/p>\n

If we look at the top five threats impacting the largest number of unique IP addresses (or customers) over the last 30 days, one common trend is malware on a network trying to call home. We see this frequently with first-time users of our DNS firewall<\/a> service who find malware that was already on their network. Another growing trend among hackers is to surreptitiously use corporate networks for bitcoin mining \u2026which I suppose many hackers could consider a \u201cvictimless\u201d crime, but I doubt IT managers would feel the same.<\/p>\n

Top ten blocked domains last week<\/h2>\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Domain Name<\/strong><\/p>\n<\/th>\n

\n

Threat Type<\/strong><\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

superyou.zapto.org<\/p>\n<\/td>\n

\n

Spybot<\/p>\n<\/td>\n<\/tr>\n

\n

76236osm1.ru<\/p>\n<\/td>\n

\n

Trojan downloaders<\/p>\n<\/td>\n<\/tr>\n

\n

dzhacker15.no-ip.org<\/p>\n<\/td>\n

\n

Hworm<\/p>\n<\/td>\n<\/tr>\n

\n

dj1.jfrmt.net<\/p>\n<\/td>\n

\n

Morto<\/p>\n<\/td>\n<\/tr>\n

\n

api-restlet.com<\/p>\n<\/td>\n

\n

Xavier<\/p>\n<\/td>\n<\/tr>\n

\n

soplifan.ru<\/p>\n<\/td>\n

\n

Trojan downloaders<\/p>\n<\/td>\n<\/tr>\n

\n

diplicano.ru<\/p>\n<\/td>\n

\n

Trojan downloaders<\/p>\n<\/td>\n<\/tr>\n

\n

pumpmywallet.com<\/p>\n<\/td>\n

\n

Malware Call Home<\/p>\n<\/td>\n<\/tr>\n

\n

ns6.wowrack.com<\/p>\n<\/td>\n

\n

Mirai<\/p>\n<\/td>\n<\/tr>\n

\n

ns5.wowrack.com<\/p>\n<\/td>\n

\n

Mirai<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

Definitions of threat types<\/h2>\n

With all of these different types of threats being shown, we thought it would be helpful to provide a quick description of each. <\/p>\n

\n
Spybot<\/strong><\/dt>\n
A diverse family of worms that allow malicious actions on Windows computers.<\/dd>\n
Trojan downloaders<\/strong><\/dt>\n
Botnets that (can) wait for available connections to download malware of various types.<\/dd>\n
Hworm<\/strong><\/dt>\n
Microsoft Windows malware that gives an attacker control over the victim’s computer.<\/dd>\n
Morto<\/strong><\/dt>\n
A worm that spreads via RDP between Windows machines that have weak passwords \u2013 impacts older versions of Windows.<\/dd>\n
Xavier<\/strong><\/dt>\n
A Trojan Android ad library that steals and leaks a user’s information silently.<\/dd>\n
Malware Call Home<\/strong><\/dt>\n
Domains that are known to be accessed for post-infection communications.<\/dd>\n
Mara<\/strong><\/dt>\n
An IoT botnet that is used primarily to launch DDoS attacks. This block also includes variants (e.g. Persirai).<\/dd>\n<\/dl>\n

Top four threats in the last 30 days<\/h2>\n
\n
Malware Call Home<\/strong><\/dt>\n
Domains used for malware post-infection communications<\/dd>\n
Bitcoin Miner<\/strong><\/dt>\n
Any malware whose primary function is using victim computers’ CPUs and electricity to mine bitcoin.<\/dd>\n
Malware-Adware\/A<\/strong><\/dt>\n
Cluster of malware\/adware domains used by hijacked web browsers.<\/dd>\n
Suspected Malware<\/strong><\/dt>\n
Suspected malware\/botnet activity that is in the process of being classified.<\/dd>\n<\/dl>\n

Are things getting better or worse? Lets take a look at the total number of queries over a longer period of time.<\/p>\n

Total queries blocked<\/h2>\n
\n\"\"
\n

The total number of queries we are blocking \u2013 up until the last few weeks, there’s been in a steady-state.<\/p>\n<\/figcaption><\/figure>\n

Now to be clear, we aren’t normalizing data and as new customers use our service, the baseline increases but you can see that the last few weeks, malicious query traffic has really stepped up.<\/p>\n

Notably, when reviewing the chart, the huge spike was associated with an anonymizer (VPN) that got added to the block list for a very short time before the information was analyzed and rectified. Its prevalence is notable because it illustrates the pervasiveness of VPN technology among users in the educational sector. People using VPNs are often visiting sites associated with risky content and so many corporate users prefer to block anonymizers altogether.<\/p>\n","protected":false},"excerpt":{"rendered":"

Every week, we examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA’s D-Zone DNS Firewall.<\/p>\n","protected":false},"featured_media":1949,"template":"","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"ngg_post_thumbnail":0,"slim_seo":{"title":"Weekly web security warning \u2013 malware queries continue upward trend - CIRA","description":"Every week, we examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA's D-Zone DNS Firewall. Many of the top"},"footnotes":""},"topic":[1066],"class_list":["post-42095","cira_news","type-cira_news","status-publish","has-post-thumbnail","hentry","cira_news_type-cira-news-type-blogue","cira_topic-cira-topic-cybersecurite","cira_author-robwilliamson-fr"],"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/stg.cira.ca\/fr\/wp-json\/cira\/v1\/news\/42095","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stg.cira.ca\/fr\/wp-json\/cira\/v1\/news"}],"about":[{"href":"https:\/\/stg.cira.ca\/fr\/wp-json\/wp\/v2\/types\/cira_news"}],"version-history":[{"count":0,"href":"https:\/\/stg.cira.ca\/fr\/wp-json\/cira\/v1\/news\/42095\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/stg.cira.ca\/fr\/wp-json\/wp\/v2\/media\/1949"}],"wp:attachment":[{"href":"https:\/\/stg.cira.ca\/fr\/wp-json\/wp\/v2\/media?parent=42095"}],"wp:term":[{"taxonomy":"cira_topic","embeddable":true,"href":"https:\/\/stg.cira.ca\/fr\/wp-json\/cira\/v1\/topic?post=42095"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}