DNS reveals the top cyberthreats of 2012. And you guessed it ... no one is safe.

Our team at Nominum recently looked at the biggest threats to fixed networks at the DNS layer. Why the DNS layer? Because it is ubiquitous -- every network runs on it, and nearly every piece of malware has to resolve a name to reach its operators -- which makes it one of the best vantage points for protecting critical infrastructure.

We have broad insight at this layer because we provide DNS engines to more than 140 of the world's top service providers and process about 30% of the world's DNS traffic -- about 1 trillion DNS queries per day. All of these queries and clicks produce data, a lot of data. The Nominum security lab analyzed that data across the globe to identify the top 10 bots of 2012. (A few months ago we did the same thing for mobile networks.)

Along with the bots, we saw that 2012 was marked by continuous growth of sophisticated attacks in both fixed and mobile networks. Most of these attacks were carried out by malicious bots that spread using zero-day malware (previously unknown viruses or other malware for which antivirus signatures are not yet available). Furthermore, most modern bots are DNS-enabled: they locate their command-and-control infrastructure by name, so they enjoy the same scalability the Internet gives legitimate services.


The first table below shows the top 10 bots ranked by the degree of infection around the world. The top 10 global bots are a mix of modern bots and legacy bots. One modern bot, Ngrbot (a.k.a. Dorkbot), can hide its presence and hooks system APIs like a rootkit. It is a multi-function bot, capable of performing a variety of malicious activities, such as collecting and stealing sensitive information (like usernames and passwords), disabling installed antivirus services and launching DDoS attacks.

And many legacy bots are still active in the wild, such as Conficker, Palevo/Butterfly, Virut, Zeus and Sality, despite the many products and tools that were launched to shut them down.

We also ranked the top 10 bots per region, and these lists differ from one another and from the global list. The second table shows the top 10 regional bots for Asia/Pacific, Europe/Middle East/Africa, and Latin America, respectively.

Some top regional bots did not make the global list. For example, SpyEye was a top threat with higher infection rates than its competitor Zeus in the EMEA region, while Zeus was more prevalent in the APAC and LATAM regions.

Several high-profile bots were not included in the regional top 10 lists but were widespread in specific countries, such as Flamer, Shylock, TDSS, and DNSChanger. For Flamer, Iran was the main target of infection, but there were significant outbreaks in Egypt and Saudi Arabia and a few victims in Thailand.

Another example is Shylock. It was a top active bot carrying out man-in-the-middle attacks against bank websites in the U.K., while TDSS remained active primarily in Denmark and New Zealand. DNSChanger continued to be widespread, with victims found in many countries, everywhere from Argentina to Australia and Saudi Arabia to Thailand.

From that research, we put together the chart below to depict overall bot infection rates in the regions that suffered the most.

In 2012, we also observed some new tricks and technologies that were widely adopted to improve bots' operational efficiency and resiliency.

  • Shylock started injecting fake contact phone numbers as a new social engineering trick to steal customers' sensitive information, since people tend to place more trust in a live "customer service" person.
  • Domain Generation Algorithms (DGAs) gained popularity among top bots, from Conficker to Ramnit. Instead of hard-coding a C&C hostname, the bot derives a large, constantly changing list of pseudo-random domain names (typically from a seed such as the current date), and the operator registers only a few of them, which makes the C&C channel hard to cut off with a static list of bad domains.
  • Many newly registered domain names were used for spam. And, like their legitimate enterprise counterparts, bot operators began moving their C&C (Command and Control) and other servers to the cloud.
  • We also noted that Android became a hot battlefield for mobile security and was the platform targeted by every top mobile-device-only bot.

In 2013, bots will continue to be a primary source of spam, distributed denial-of-service attacks, data and identity theft, and more, and their activity will continue to show up in DNS queries. This type of online threat has grown almost hand-in-hand with the growth of the Internet.

As computers and mobile phones are infected, the malicious software running in the background communicates with its masters using the same DNS we all use to reach our favorite websites. Today's leading DNS resolvers can enforce policies whereby lists of "bad" domains are stored and queries for them are blocked or redirected, and can integrate other network-based protective measures; but in the meantime, consumers will need to be smart about the links they click and the messages they open -- the next worst bot could be waiting.
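The two DNS-layer mechanisms above (DGA-generated C&C names, and a resolver policy that blocks or redirects bad domains) in working code, as an added example that is not Nominum's code and not the real algorithm of Conficker, Ramnit or any other bot. The toy DGA (toy_dga), the "looks generated" score, the NXDOMAIN-burst threshold, the block list, the client addresses and the query-log lines are all constructed for the example; the sinkhole verdict stands in for a resolver answering with an address the operator controls.

```python
"""Toy DGA, DNS-log detection and a resolver block/sinkhole policy.

Added example: the DGA is hypothetical (not any real bot's), and the
log lines, block list and thresholds below are constructed.
"""
import hashlib
import math
import re
from collections import defaultdict

TLDS = ("com", "net", "org", "info", "biz")
# Constructed log format: timestamp client qname rcode
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def toy_dga(day, count=10, secret=b"toy-seed"):
    """Hypothetical date-seeded DGA: every infected host that knows the
    secret derives the same candidate list for a given YYYY-MM-DD day,
    so the operator need only register one of them that day."""
    names = []
    for i in range(count):
        h = hashlib.sha256(secret + day.encode() + bytes([i])).digest()
        length = 8 + h[0] % 4                       # 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        names.append(f"{label}.{TLDS[h[31] % len(TLDS)]}")
    return names


def shannon_entropy(text):
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable(qname):
    """Last two labels of a name (sufficient for the TLDs used here)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dga_score(qname):
    """0..3: long label, high character entropy, few vowels.
    Only a full score of 3 is treated as 'looks machine-generated';
    legitimate long names such as bankofamerica.com score 2."""
    label = registrable(qname).split(".")[0]
    score = 0
    if len(label) >= 8:
        score += 1
    if shannon_entropy(label) >= 2.5:
        score += 1
    if sum(ch in "aeiou" for ch in label) / max(len(label), 1) < 0.3:
        score += 1
    return score


def looks_dga(qname):
    return dga_score(qname) == 3


def parse_log(text):
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if m:
            yield {"ts": m.group(1), "client": m.group(2),
                   "qname": m.group(3), "rcode": m.group(4)}


def flag_clients(records, min_nxdomain=3):
    """Clients with >= min_nxdomain NXDOMAIN answers for DGA-looking names.
    The burst is the real signal: a bot tries many candidates, and only
    the few the operator registered ever resolve."""
    nx = defaultdict(int)
    for r in records:
        if r["rcode"] == "NXDOMAIN" and looks_dga(r["qname"]):
            nx[r["client"]] += 1
    return {c for c, n in nx.items() if n >= min_nxdomain}


def blocklisted(qname, blocklist):
    """True if the name or any parent domain (down to two labels) is listed."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def policy(qname, client, blocklist, flagged):
    """Resolver-side verdict: 'block' (answer NXDOMAIN), 'sinkhole'
    (answer with a controlled address) or 'allow'."""
    if blocklisted(qname, blocklist):
        return "block"
    if client in flagged and looks_dga(qname):
        return "sinkhole"
    return "allow"


BLOCKLIST = {"bad-domain.test"}  # constructed stand-in for a bad-domain feed

SAMPLE_LOG = """
2012-11-05T10:00:01 10.0.0.5 www.google.com NOERROR
2012-11-05T10:00:02 10.0.0.5 mail.example.org NOERROR
2012-11-05T10:00:03 10.0.0.7 qzvxkpwmtrb.biz NXDOMAIN
2012-11-05T10:00:03 10.0.0.7 hwtkqzmvpdn.info NXDOMAIN
2012-11-05T10:00:04 10.0.0.7 xvqzpkwmtrf.net NXDOMAIN
2012-11-05T10:00:05 10.0.0.7 bkqzvwxmtp.com NOERROR
2012-11-05T10:00:06 10.0.0.9 c2.bad-domain.test NOERROR
"""


def run(log_text=SAMPLE_LOG, blocklist=BLOCKLIST):
    """Flag clients from the log, then give a verdict for every query."""
    records = list(parse_log(log_text))
    flagged = flag_clients(records)
    verdicts = [(r["client"], r["qname"], policy(r["qname"], r["client"], blocklist, flagged))
                for r in records]
    return flagged, verdicts


if __name__ == "__main__":
    flagged, verdicts = run()
    print("flagged clients:", sorted(flagged))
    for client, qname, verdict in verdicts:
        print(f"{client:10} {qname:22} {verdict}")
    print("toy DGA candidates for 2012-11-05:", toy_dga("2012-11-05")[:3])
```

In the constructed log, 10.0.0.7 burns through three unregistered candidates (NXDOMAIN) and then hits the one the operator registered; the policy blocks the list hit outright and sinkholes the registered C&C name only because the client was already flagged. Entropy-style scoring on its own is noisy (a long dictionary-word label scores 2 here, and a DGA that stitches real words together would defeat it entirely), which is why the per-client NXDOMAIN burst is used as the deciding signal.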

Nominum is the worldwide leading provider of integrated subscriber, network and security solutions for network operators. Nominum is the provider of the N2 Platform that leverages more than 1 trillion DNS queries daily and enables the rapid development and seamless integration of applications that leverage DNS data. Nominum is a global organization headquartered in Redwood City, Calif.


Craig Sprosts is vice president of platforms and applications at Nominum.
