There are more malware command and control (C&C) servers in the US than China, only scant malware in porn and few instances of multiple malware infections on single computers, according to research.
The findings were generated by a malware sandbox run for 18 months by Sourcefire’s 25-seat vulnerability research team (VRT). It analysed 5 million samples, equating to 2Tb of traffic of which 90 per cent was HTTP. Each malware sample was run for 200 seconds to enable more instances of new malware to be examined.
In a presentation at the Ruxcon security conference in Melbourne, Kirk used sandbox data to take aim at reportedly sophisticated malware campaigns made popular by large malware research companies.
He said the NightDragon research, and other similar operations like ShadyRAT, were “lame”.
Anti-malware companies had claimed those operations had involved coordinated data theft against government agencies and large businesses.
But he added that the so-called advanced persistent threats (APTs) that such campaigns represent should still be taken seriously.
The first busted myth was that most malicious traffic was sent to malicious servers. Kirk’s sandbox found the traffic was sent to 115,836 unique Alexa whitelisted domains and 178,331 unique domains that were not listed.
Of those, some 12.3 million DNS queries were sent to whitelisted domains and 3.5 million queries were sent to those not listed.
“That’s a ratio of 4:1 – maybe you can say it’s click fraud, DDoS, malware hiding itself, I don’t have the answer,” Kirk said.
He said Sourcefire had blocked an advertising domain to which seemingly malicious traffic was sent, but days later it received complaints from the domain owner and the block was determined to be a false positive.
Similar cases were noted in which malware was pointing to servers including stats.norton.com.
“I couldn’t say why malicious binaries were contacting Norton, maybe it’s the kind of tin-foil hat of AV companies releasing malware in the field,” Kirk joked.
He said the need to keep a whitelist of legitimate servers was a pressing concern for the industry.
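To make the whitelist-versus-unlisted split concrete, here is an added Python example (not Sourcefire’s or Kirk’s code) that classifies sandbox DNS queries against an allowlist, computes the query ratio, and lists unlisted hosts seen across several samples as triage candidates. The allowlist and log lines are constructed, and the example.net/example.org hostnames are placeholders.

```python
from collections import defaultdict

# Constructed allowlist of registered domains (a stand-in for the Alexa list).
ALLOWLIST = {"google.com", "norton.com", "doubleclick.net", "microsoft.com"}

# Constructed sandbox DNS log as (sample_id, queried_hostname) pairs.
DNS_LOG = [
    ("s1", "stats.norton.com"), ("s1", "www.google.com"), ("s1", "bad.example.net"),
    ("s2", "stats.norton.com"), ("s2", "ad.doubleclick.net"), ("s2", "bad.example.net"),
    ("s3", "update.microsoft.com"), ("s3", "bad.example.net"), ("s3", "drop.example.org"),
    ("s4", "www.google.com"), ("s4", "www.google.com"), ("s4", "cnc.example.org"),
]


def registered_domain(hostname):
    """Collapse a hostname to its last two labels. Naive on purpose: a real
    pipeline should use the Public Suffix List so example.co.uk is one domain."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_queries(log, allowlist):
    """Split queries into allowlisted vs unlisted; count hosts and queries."""
    stats = {"allowlisted": {"hosts": set(), "queries": 0},
             "unlisted": {"hosts": set(), "queries": 0}}
    for _sample, host in log:
        bucket = "allowlisted" if registered_domain(host) in allowlist else "unlisted"
        stats[bucket]["hosts"].add(host)
        stats[bucket]["queries"] += 1
    result = {k: {"unique_hosts": len(v["hosts"]), "queries": v["queries"]}
              for k, v in stats.items()}
    unlisted = result["unlisted"]["queries"]
    # Allowlisted traffic dominates in the sandbox data the article describes;
    # that makes "talks to a known-good domain" useless as a benign signal.
    result["allow_to_unlisted_ratio"] = (
        result["allowlisted"]["queries"] / unlisted if unlisted else None)
    return result


def persistent_unlisted_hosts(log, allowlist, min_samples=2):
    """Unlisted hosts contacted by at least min_samples distinct samples.
    A starting point for analyst review, not a block decision: the article's
    ad-domain false positive shows why unlisted is not the same as malicious."""
    seen = defaultdict(set)
    for sample, host in log:
        if registered_domain(host) not in allowlist:
            seen[host].add(sample)
    return sorted((h, len(s)) for h, s in seen.items() if len(s) >= min_samples)
```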
Another prevailing myth busted was that most C&C servers were based in China, Russia and Brazil.
“Far and away the leading country for hosting malicious servers is the United States. Even if you combine the triangle of evil of China, Russia and Brazil, that still falls well short.”
This is consistent with news of a recent raid on servers located in the US that were found to have been used in a massive advertising fraud campaign run by a now defunct Ukrainian business.
Of the 125,267 non-whitelisted IP addresses recorded, 41.4 per cent were located in the US. China came in at a “distant second” with 11.7 per cent of malicious domains.
Fourteen of the top 20 countries hosting C&C servers were “undisputedly First World countries with good law enforcement systems”. Australia held twentieth spot.
Further research found 46.7 per cent of monitored domains were carried over two distinct AS paths linked to two US providers, SecureHosting and SoftLayer Technologies. “SoftLayer hosts thousands all over the world, so it is understandably hard to keep track of malicious domains.”
APNIC had 5875 hosts over 202 paths, which Kirk said was in line with information on threats in the region.
Many other persistent domains were recorded including irc.zief.pl which had existed for more than 577 days. Kirk called on the industry to help take down the malicious Poland-based domain ilo.brenz.pl.
Kirk’s research also found that domains linked to porn registered an “astonishingly small percentage of total malicious domains”. Only 0.0002 per cent contained ‘f**k’, and similar results were found for other keywords.
“What we have found is that malware is about economics; words like ‘cash’, ‘money’ and ‘free’ – filename counts go up when you start to offer something. And that if you pop a box it’s just easier to drop someone else’s malware on it and be done.”