Sprouting like mushrooms
Monday, March 30, 2020
Open this link in a separate tab before you continue reading—we'll get back to it later. For now, let's see why domain names are important for cybercriminals.
Nowadays, malware is designed to generate a profit. Criminals don't just spread malicious programs—they also control them by issuing them commands. The programs, in turn, relay stolen information to the attackers' servers, which, among other things, can even store the decryption keys needed to recover encrypted data.
Of course, one can control malware from a PC, but that entails the risk of being exposed quickly. And keeping stolen assets on a home computer is not a very good idea. This is where servers come into play. Attackers can compromise someone else's servers, or register their own domain name and rent a server from an unscrupulous hosting company (one that ignores the demands of law enforcement agencies and copyright owners).
Determining what server address a trojan is using to communicate with attackers is easy, and it's also easy to block access to that address, for example by adding a rule to the corporate firewall. That's why attackers must always have a pool of available servers. In this regard, using compromised servers is inconvenient: there aren't many of them, and their number can't be increased indefinitely with any certainty of success.
Because of this, criminals resort to Domain Generation Algorithms (DGA) to generate and register large numbers of new domain names. Malicious programs are equipped with routines that let them switch to a new domain name should the current one get blocked.
In the past, hackers used hardcoded lists of malicious domain names. But security researchers can easily acquire lists of this kind and start blocking the domains or even shut down the respective sites. If malware generates new domain names instead, researchers have a harder time predicting or determining which domain names will be in use: to do so, they have to understand how the generation algorithm works, and those routines can be rather complex.
Bringing down sites that are being used as rendezvous points by malware equipped with DGA routines is difficult because information security agencies have to negotiate each bogus site’s shutdown with service providers, one after another. Many DGA routines are designed to produce hundreds or even thousands of new domain names. And some of these domain names are only used during a limited period of time. In this situation, blocking and shutting down sites with DGA-generated domain names quickly turns into a game of whack-a-mole and sometimes accomplishes nothing.
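As an added illustration (not code from this article or from Doctor Web), the following defender-side heuristic scores the second-level label of each name in a constructed DNS query log and lists hosts that walk through several random-looking domains, the pattern a DGA-equipped trojan leaves behind. The log format, the scoring thresholds and all domain names are assumptions made up for the example.

```python
import math
import re
from collections import Counter
# Constructed DNS query log ("<timestamp> <client> <qname> <qtype>", hypothetical format);
# the random-looking names are made up for this example and are not real indicators.
DNS_LOG = """\
2020-03-30T20:49:10Z 10.0.0.12 www.example.com A
2020-03-30T20:49:11Z 10.0.0.12 mail.example.org A
2020-03-30T20:49:12Z 10.0.0.27 xk3q9v7z2bwrtl.com A
2020-03-30T20:49:13Z 10.0.0.27 qpzmwnvbtrxk.net A
2020-03-30T20:49:14Z 10.0.0.27 hf8d2kz1m0x4y.org A
2020-03-30T20:49:15Z 10.0.0.31 coronavirus-update.info A
"""
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+\S+$")

def sld(qname):
    """Second-level label; no public-suffix list handling (simplification for the example)."""
    labels = qname.strip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def dga_score(label):
    """Heuristic DGA-likeness score; thresholds are illustrative, not tuned on real data."""
    n = len(label)
    score = 0.0
    if entropy(label) > 3.0:                            # many distinct characters
        score += 1
    if sum(ch in "aeiou" for ch in label) / n < 0.2:    # unpronounceable
        score += 1
    if sum(ch.isdigit() for ch in label) / n > 0.15:    # digits mixed into the name
        score += 1
    if n >= 12:                                         # long label
        score += 0.5
    return score

def flag_suspicious(log_text, threshold=2.0):
    """Return (client, qname) pairs whose second-level label scores at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and dga_score(sld(m.group(2))) >= threshold:
            hits.append(m.groups())
    return hits

def churning_clients(log_text, min_hits=3):
    """Clients that queried several DGA-like names: the pattern of malware walking a domain list."""
    counts = Counter(client for client, _ in flag_suspicious(log_text))
    return sorted(c for c, k in counts.items() if k >= min_hits)
```

Note that the last log line, a readable keyword domain, scores low: a heuristic like this catches algorithmically generated names, not the human-registered coronavirus lookalikes the article turns to next.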
This is just one example of how attackers use domain names. Many people are now talking about coronavirus scams, and that means fraudsters will be using domain names for those, too.
Now let's go back to the link we opened a while ago. Perhaps you have just loaded the webpage. Take a look at the screenshot showing what this issue's author could see while the issue was being written.
Count the domain names containing 'corona' or other similar words. We hope you understand that many of them were not created to protect people from the infection.
@dustyfresh has tracked 3,600 covid-related sites from Mar 14 to Mar 15
@RiskIQ is seeing from 13k to 35k new coronavirus-related domains daily
Impressive!
The Anti-virus Times recommends
As the number of coronavirus cases grows, fraudsters become more active, too. Information about new fraud schemes appears daily. Stay vigilant and use Parental Control: manually blocking access to so many bogus sites is next to impossible.