Researchers from security vendor Damballa have identified malicious Internet traffic that they believe is generated by a new and elusive variant of the sophisticated TDL4 malware.
The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies, and ISPs, the Damballa researchers said in a research paper released Monday.
On July 8, Damballa sensors that operate on the networks of telecommunication operators and ISPs that partnered with the company detected a new pattern of DNS (Domain Name System) requests for non-existent domains. Such traffic suggests the presence on the network of computers infected with malware that uses a domain generation algorithm (DGA),
Some malware creators use DGAs in order to evade network-level domain blacklists and to make their command and control infrastructure more resilient against takedown attempts. Read more...
There's a war underway throughout our networks, with carriers and ISPs in the thick of it. But for fear of network disruptions or increased cost of service, many ISPs and carriers have shied away from securing the traffic that flows through their wires.
Network security and analytics firm Kindsight hopes to get ISPs more engaged on that front. Today, the company -- a subsidiary of Alcatel-Lucent rolls out its Kindsight Security Analytics platform, designed to help service providers analyze network traffic for malware and aggregate network security statistics. According to Kevin McNamee, security architect and director of Kindsight Security Labs, the platform provides insight into subscriber infections so Internet service providers and mobile operators can identify and mitigate malicious activity.
It's no surprise that malware on ISP and mobile networks is growing. What does raise an eyebrow is how many end users are infected at any given time and how high that percentage spikes during new outbreaks.
McNamee says, as measured by Kindsight Security Labs, approximately nine to 14 percent of home networks are infected on a typical day. The number of infected home users can spike to 30 percent during outbreaks. Mobile malware is also escalating, having increased 400 percent over a three-month period in late 2011.
"It's become increasingly difficult for home users, enterprises and ISPs to keep up with the threat," says McNamee. "Malware is getting better at shutting down anti-malware defenses during infection, and end users don't always have it running. What's needed is analysis of the network traffic to understand the extent and specific types of malware among subscribers so appropriate action can be taken."
Kindsight aims to catch malware such as spambots, banking Trojans and spyware based on the activity they create on the network. Kindsight works by deploying sensors that tap on the carrier network, including peering points, that analyze traffic using its own custom-developed sensors, as well as those it acquires from other security vendors. For botnets and mobile (as well as other forms of) malware, Kindsight also attempts to identify the command-and-control protocol used by these applications to "phone home" their reports on stolen data.
Analysts believe there is more carriers could do to keep their pipes cleaner. "It makes great sense for service providers to be performing monitoring," says Pete Lindstrom, research director at Spire Security. "For instance, looking for botnet command-and-control is clearly one area that is problematic, and which they have an ideal view for rapid identification.