The Akamai Blog

Predicting Dynamic Malware Threats

We just released a new whitepaper outlining the upcoming types of cyberthreats and malicious activity affecting digital consumers, and how organizations and operators can address them. Below is an excerpt.

As the number of Internet-connected devices continues to explode, malware threats are growing. Malicious code authors are becoming more sophisticated to evade detection, employing techniques such as adaptive computer code and changing command/control server locations. Fresh approaches to online consumer protection are required to tackle these increasing cyberthreats.

The Internet of Things (IoT) is bringing cyberthreats to more devices and, potentially, home information. As attackers adapt malware to IoT, it will introduce new challenges to consumers and service providers. The primary focus of IoT to date has been on innovation, not security. "No one wants to build security into their devices, because no one is going to pay more for a secure device," said Bo Rotoni, Co-Director of the Institute for Information Security and Privacy at Georgia Tech University [1].

The Rise of Dynamic Cyberthreats
The limitations of traditional security approaches in detecting "zero-day" malware threats (those threats that arrive before developers have time to release a patch) are well documented. For example, one report showed anti-virus software only detected 51 percent of zero-day malware samples as threats [2]. These evolving web-based threats leave consumers vulnerable. Kaspersky Labs reported widespread presence of the Locky ransomware virus in Q1 2016, with infections in 114 countries [3], while the virus continues to spread. Locky is known for changing continuously, making it difficult to deter. (See our related blog post on Locky here.)

Although malware developers go to great lengths to obscure their exploits, most rely on the Domain Name System (DNS) because it is readily available in every service provider network. The presence of malicious DNS queries thus signals the presence of malicious activity. Nominum Data Science (Nominum is now part of Akamai) has a unique vantage point: it processes more than 100 billion DNS queries daily, in real time, using data shared by customers over our global network. This enables Nominum to identify attacks that are not published elsewhere, or to identify them before they are made public through other research.

Malware and DNS
Computers and other devices become infected with malicious software in a variety of ways. Social engineering, or tricking users into activating an exploit, is increasingly prevalent. Infected devices are used for different purposes--many of which have a visible impact on consumers--such as locking up computer files until a ransom is paid, stealing personal information and selling it or using it to gain access to financial assets. Malware can also be used to attack provider systems directly (DDoS) or to send spam. Malware inside provider networks is typically controlled remotely and goes from dormant to active instantly and unpredictably. Rapid response is critical.

The DNS is a distributed naming system for computers, services, or any resource connected to the Internet or a private network. It translates human-friendly domain names (e.g. www.nominum.com) to the numeric IP addresses used to route network traffic. DNS is used in all facets of the Internet, such as web browsing, setting up cellular and VoIP calls, routing email, retrieving application updates and connecting/managing IoT devices.

Because DNS is a highly robust, reliable and ubiquitous Internet protocol, it gives criminals and profiteers a readily available platform to launch and manage a wide range of exploits. DNS data analysis can reveal these malicious activities, including the infamous DNS tunneling and DNS-based DDoS attacks, and so serve as an efficient and effective "early warning system" for identifying malicious network activity in near real time.

Nominum Data Science research from mid-2015 shows interesting trends that are covered in this paper.

New domains generated per hour
New domain names strongly correlate with malicious activity. Hundreds of thousands of new names may appear each day and are candidates for further analysis.

[Figure: New Domain Names graph]
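As an added illustration (not code from the whitepaper or from Nominum), the sketch below counts first-seen domains per hour from a resolver query log and records which clients queried them, so the new names can be queued for further analysis. The log format, the baseline set, the sample lines and the two-label "registered domain" shortcut are assumptions; a production version would use the Public Suffix List.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, assumed format: "UTC timestamp, client IP, query name".
SAMPLE_LOG = """\
2015-06-01T10:02:11Z 192.0.2.10 www.example.com.
2015-06-01T10:05:40Z 192.0.2.11 qx7f3kd9.test.
2015-06-01T10:17:03Z 192.0.2.12 QX7F3KD9.test
2015-06-01T10:40:00Z 192.0.2.10 mail.example.org.
2015-06-01T11:01:59Z 192.0.2.11 login.qx7f3kd9.test.
2015-06-01T11:20:15Z 192.0.2.12 a8s7d6f5.example.
2015-06-01T11:21:47Z 192.0.2.12 zz91kq0p.invalid.
malformed line
"""
# Domains already known from earlier traffic (constructed).
BASELINE = {"example.com", "example.org"}

def registered_domain(qname):
    """Normalize a query name and keep its last two labels (assumed shortcut)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def new_domains_per_hour(log_text, baseline):
    """Return {hour: {new_domain: [clients]}}; the log must be in time order."""
    first_hour = {}                                  # domain -> hour first seen
    buckets = defaultdict(lambda: defaultdict(set))  # hour -> domain -> clients
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                                 # skip malformed records
        ts, client, qname = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        domain = registered_domain(qname)
        if domain in baseline:
            continue                                 # known name, not a candidate
        hour = when.strftime("%Y-%m-%dT%H:00Z")
        # A domain counts as new only in the hour it first appeared.
        if first_hour.setdefault(domain, hour) == hour:
            buckets[hour][domain].add(client)
    return {h: {d: sorted(c) for d, c in doms.items()}
            for h, doms in buckets.items()}

if __name__ == "__main__":
    for hour, doms in new_domains_per_hour(SAMPLE_LOG, BASELINE).items():
        print(hour, len(doms), "new:", doms)
```

Clients that appear next to several new names in the same hour (192.0.2.12 in the sample) are natural starting points for triage.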

[1] https://www.lastline.com/labsblog/antivirus-isnt-dead-it-just-cant-keep-up/
[2] Lastline Labs, 2014. https://www.lastline.com/labsblog/antivirus-isnt-dead-it-just-cant-keep-up/
[3] Kaspersky Labs SecureList, "IT threat evolution in Q1 2016". https://securelist.com/analysis/quarterly-malware-reports/74640/it-threat-evolution-in-q1-2016/