April 28, 2016 By David Strom 2 min read

It isn’t any surprise that most malware is hosted on American domains and by U.S. Internet providers. But according to the recent “Q4 Infoblox DNS Threat Index,” the underlying infrastructure of most malware sits in either the U.S. or Germany, even though the attackers themselves live elsewhere.

The findings should be taken with a grain of salt since Infoblox’s business is protected Domain Name System (DNS) services. Still, these results are worth a closer look.

A Lesson in Geography

Cybercriminals make use of DNS services for their malicious activities. They can hijack legitimate domains or register batches of new ones that closely resemble real ones (such as googel.com) to deliver ransomware, launch phishing and denial-of-service (DoS) attacks and carry out other activities such as domain shadowing (creating rogue subdomains under a hijacked legitimate domain).

Infoblox collected data from Internet providers, government agencies and network operators to categorize malicious DNS activities. According to this information, the U.S. hosted 72 percent of malware-related domains, while Germany hosted 20 percent.

“Hosting infrastructure in the U.S. is very easy to penetrate and put to malicious use,” the report said. “Just because a domain is hosted in the U.S. or Germany does not make it safe.”

DNS Threats Get More Dangerous

One of the issues identified in the report is that Internet providers are slow to respond to takedown requests from law enforcement.

In the past, the company saw a boom/bust cycle in its DNS threat index. Its theory was that criminals used the quieter times to collect information and prepare new attacks. However, the index kept increasing to reach near-record levels in the last quarter of 2015.

“This may indicate a new phase of sustained and simultaneous plant/harvest efforts, pushing the index into uncharted territory,” the report stated.

Another possible reason for the increase in the threat index is the growing number of exploit kits in use, such as Angler, along with the resurgence of an older kit called RIG that has become more popular lately. These kits make it easier for less skilled attackers to target new victims and adopt new techniques for spreading malware.

“This indicates that as exploit kits are updated, we may see the reappearance of past threats in a new guise in coming years,” Infoblox warned. “Exploit kits and other malware can be developed in one country, sold in another and used in a third to launch attacks through systems hosted in a fourth.”

A Simple Takeaway

The moral of the report? Understand what these exploits can do. Security leaders must make sure their domains and DNS servers are properly protected and monitored for abuse. It’s also a good idea to invest in threat protection solutions that can identify advanced threats before they become a massive problem.
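A defender-side check for the two abuses the article names, look-alike registrations such as googel.com and domain shadowing under a legitimate domain, run over a few constructed resolver log lines. This is an added example, not code from the article or from Infoblox; the watchlist, host inventory, log format and all names are assumptions.

```python
# Added example (not from the Infoblox report or the article): flag query names
# that look like typosquats of watched brand domains, and unexpected subdomains
# of domains we own. Watchlist, inventory and log lines are all constructed.

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so 'googel.com' vs 'google.com' scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registered_domain(fqdn: str) -> str:
    """Last two labels; fine for .com names, but use the public suffix list in a real deployment."""
    return ".".join(fqdn.split(".")[-2:])

def classify(qname: str, watchlist, owned, max_dist: int = 1):
    """Return (kind, reference_domain) for a suspicious name, else None."""
    fqdn = qname.rstrip(".").lower()
    reg = registered_domain(fqdn)
    if reg in owned:
        # Our own zone: a host missing from the inventory is a domain-shadowing lead.
        return None if fqdn in owned[reg] else ("shadowing", reg)
    for legit in watchlist:
        if reg != legit and osa_distance(reg, legit) <= max_dist:
            return ("lookalike", legit)
    return None

def scan(log_lines, watchlist, owned):
    """Assumed log format: '<timestamp> <client-ip> <qname> <qtype>'."""
    names = [line.split()[2] for line in log_lines]
    return [(q, *hit) for q in names if (hit := classify(q, watchlist, owned))]

WATCHLIST = {"google.com", "example.com"}  # brands to watch for look-alikes
OWNED = {"example.com": {"example.com", "www.example.com", "update.example.com"}}
LOG = [  # constructed resolver log lines
    "2016-04-28T10:01:02 10.0.0.5 www.google.com A",
    "2016-04-28T10:01:09 10.0.0.7 login.googel.com A",
    "2016-04-28T10:02:15 10.0.0.9 update.example.com A",
    "2016-04-28T10:02:40 10.0.0.9 cdn7x.example.com A",
]
```

Running `scan(LOG, WATCHLIST, OWNED)` flags login.googel.com as a look-alike of google.com and cdn7x.example.com as a possible shadowed host; the benign queries produce nothing.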
