Malware RSS Feed

Steganography in contemporary cyberattacks

Malware Alerts - Thu, 08/03/2017 - 05:00

Steganography is the practice of sending data in a concealed format so the very fact of sending the data is disguised. The word steganography is a combination of the Greek words στεγανός (steganos), meaning “covered, concealed, or protected”, and γράφειν (graphein) meaning “writing”.

Unlike cryptography, which conceals the contents of a secret message, steganography conceals the very fact that a message is communicated. The concept of steganography was first introduced in 1499, but the idea itself has existed since ancient times. There are stories of a method being used in the Roman Empire whereby a slave chosen to convey a secret message had his scalp shaved clean and a message was tattooed onto the skin. When the messenger’s hair grew back, he was dispatched on his mission. The receiver shaved the messenger’s scalp again and read the message.

In this article, the following definitions are used:

  • Payload: the information to be concealed and sent secretly, or the data covertly communicated;
  • Carrier (stego-container): any object where the payload is secretly embedded;
  • Stego-system: the methods and means used to create a concealed channel for communicating information;
  • Channel: the data communication channel via which the carrier is transferred;
  • Key: the key used to extract the payload from the carrier (not always applied).

Steganography was actively developed throughout the 20th century, as was steganalysis, or the practice of determining the fact that concealed information is being communicated within a carrier. (Basically, steganalysis is the practice of attacking stego-systems.) Today, however, a dangerous new trend is emerging: steganography is increasingly being used by actors creating malware and cyber-espionage tools. Most modern anti-malware solutions provide little, if any, protection from steganography, while any carrier in which a payload can be secretly carried poses a potential threat. It may contain data being exfiltrated by spyware, communication between a malicious program and its C&C, or new malware.

A variety of steganographic methods and algorithms have been scientifically developed and tested. A description of some of them is provided below.

  • In LSB steganography, the payload is encoded into and communicated in one or several least significant bits of the carrier. The smaller the number of bits used to carry the payload, the lower the impact on the original carrier signal.
  • Discrete cosine transform or DCT-based steganography is a sub-type of LSB steganography that is often applied on JPEG-format carriers (i.e., when JPEG images are used to carry the payload). In this method, the communicated data is secretly encoded into the DCT coefficients. With all other factors being equal, this method provides a somewhat lower data carrying capacity; one of the reasons for this is that the coefficient values of 0 and 1 cannot be altered, so no data can be encoded whenever the coefficients take on these values.
  • Palette-based image steganography is basically another sub-type of LSB steganography, in which the communicated data is encoded into least significant bits of the image palette rather than into those of the carrier. The obvious downside to this method is its low data carrying capacity.
  • Use of service fields in data formats. This is a relatively simple method, in which the payload is embedded into the service fields of the carrier’s headers. The downsides are, again, a low data carrying capacity and low payload protection: the embedded payload may be detected using regular image viewing software that can sometimes display the contents of the service fields.
  • Payload embedding is a method whereby the payload is encoded into the carrier and, upon delivery, is decoded using an algorithm known to both parties. Several payloads can be independently encoded into the same carrier provided that their embedding methods are orthogonal.
  • Wideband methods fall into the following types:
    • Pseudorandom sequence method, in which a secret carrier signal is modulated by a pseudorandom signal.
    • Frequency hopping method, in which the frequency of the carrier signal changes according to a specific pseudorandom law.
  • Overlay method – strictly speaking, this is not proper steganography, and is based on the fact that some data formats contain data size in a header, or the fact that the handler of such formats reads the file till it reaches the end-of-data marker. An example is the well-known RAR/JPEG method based on concatenating an image file, so that it is composed of a JPEG format section, followed by a RAR archive section. A JPEG viewer software program will read it till the boundary specified in the file’s header, while a RAR archiver tool will disregard everything prior to the RAR! signature that denotes the beginning of an archive. Therefore, if such a file is opened in an image file viewer, it will display the image, and if it is opened in a RAR archiver, it will display the contents of the RAR archive. The downside to this method is that the overlay added to the carrier segment can be easily identified by an analyst visually reviewing the file.

In this article, we will only review methods of concealing information in image-type carriers and in network communication. The application of steganography is, however, much wider than these two areas.

Recently, we have seen steganography used in the following malware programs and cyberespionage tools:

  • Microcin (AKA six little monkeys);
  • NetTraveler;
  • Zberp;
  • Enfal (its new loader called Zero.T);
  • Shamoon;
  • KinS;
  • ZeusVM;
  • Triton (Fibbit).

So why are malware authors increasingly using steganography in their creations? We see three main reasons for this:

  • It helps them conceal not just the data itself but the fact that data is being uploaded and downloaded;
  • It helps bypass DPI systems, which is relevant for corporate systems;
  • Use of steganography may help bypass security checks by anti-APT products, as the latter cannot process all image files (corporate networks contain too many of them, and the analysis algorithms are rather expensive).

For the end user, detecting a payload within a carrier may be a non-trivial task. As an example, let’s review the two images below. One is an empty carrier, and the other is a carrier with a payload. We will use the standard test image Lenna.

Lenna.bmp Lenna_stego.bmp

Both images are 786 486 bytes; however, the right-hand image contains the first 10 chapters of Nabokov’s novel Lolita.

Take a good look at these two images. Can you see any difference? They are identical in both size and appearance. However, one of them is a carrier containing an embedded message.

The problems are obvious:

  • Steganography is now very popular with malware and spyware writers;
  • Anti-malware tools generally, and perimeter security tools specifically, can do very little with payload-filled carriers. Such carriers are very difficult to detect, as they look like regular image files (or other types of files);
  • All steganography detection programs today are essentially proof-of-concept, and their logic cannot be implemented in commercial security tools because they are slow, have fairly low detection rates, and sometimes even contain errors in the math (we have seen some instances where this was the case).

A list was provided above (though it does not claim to be complete) of malicious programs that use steganography to conceal their communication. Let’s review one specific case from that list, the malicious loader Zero.T.

We detected this loader in late 2016, though our colleagues from Proofpoint were first to publish a description.

We named it Zero.T because of this string in its executable code (in the path leading to the project’s PBD file):

We will not dwell here on how the malicious loader penetrates the victim system and remains there, but will note that it loads a payload in the form of Bitmap files:

Then it processes them in a particular way to obtain malicious modules:

On the face of it, these three BMP files appear to be images:

However, they are more than just regular images; they are payload-filled carriers. In each of them, several (the algorithm allows for variability) least significant bits are replaced by the payload.

So, is there a way to determine whether an image is carrying a malicious payload or not? Yes, there are several ways of doing so, the simplest being a visual attack. It is based on forming new images from the source image, containing the least significant bits of different color planes.

Let’s see how this works using the Steve Jobs photo as a sample image.

We apply a visual attack to this image and construct new images from the separate significant bits in the appropriate order:

In the second and the third images, high entropy (high data density) areas are apparent – these contain the embedded payload.

Sounds simple, right? Yes and no. It’s simple in that an analyst – and even an average user – can easily see the embedded data; it’s difficult in that this sort of analysis is not easy to automate. Fortunately, scientists have long since developed a number of methods for detecting carriers with payloads, based on an image’s statistical characteristics. However, all of them are based on the assumption that the encoded payload has high entropy. This is true in most cases: since the container’s capacity is limited, the payload is compressed and/or encrypted before encoding, thus increasing its entropy.

However, our real-life example, the malicious loader Zero.T, does not compress its malicious modules before encoding. Instead, it increases the number of least significant bits it uses, which can be 1, 2 or 4. Yes, using a larger number of least significant bits introduces visual artefacts into the carrier image, which a regular user can detect visually. But we are talking about automatic analysis. So, the question we have to answer is: are statistical methods suitable for detecting embedded payloads with low levels of entropy?

Statistical methods of analysis: histogram method

This method was suggested in 2000 by Andreas Westfeld and Andreas Pfitzmann, and is also known as the chi-squared method. Below we give a brief overview.

The entire image raster is analyzed. For each color, the number of dots possessing that color is counted within the raster. (For simplicity, we are dealing with an image with one color plane.) This method assumes that the number of pixels possessing two adjacent colors (i.e. colors different only by one least significant bit) differs substantially for a regular image that does not contain an embedded payload (see Figure A below). For a carrier image with a payload, the number of pixels possessing these colors is similar (see Figure B).

Figure A. An empty carrier Figure B. A filled carrier.

The above is an easy way to visually represent this algorithm.

Strictly speaking, the algorithm consists of the following steps that must be executed sequentially:

  • The expected occurrence frequency for the pixels of color i in a payload-embedded image is calculated as follows:
  • The measured frequency of the occurrence of a pixel of specific color is determined as:
  • The chi-squared criterion for k-1 degrees of freedom is calculated as:
  • P is the probability that the distributions ni and ni* are equal under these conditions. It is calculated by integrating the density function:

Naturally, we have tested whether this method is suitable for detecting filled stego-containers. Here are the results.

Original image Visual attack image Chi-squared attack, 10 zones

The threshold values of the chi-squared distribution for p=0.95 and p=0.99 are 101.9705929 and 92.88655838 respectively. Thus, for the zones where the calculated chi-squared values are lower than the threshold, we can accept the original hypothesis “adjacent colors have similar frequency distributions, therefore we are dealing with a carrier image with a payload”.

Indeed, if we look at the visual attack images, we can clearly see that these zones contain an embedded payload. Thus, this method works for high-entropy payloads.

Statistical methods of analysis: RS method

Another statistical method of detecting payload carriers was suggested by Jessica Fridrich, Miroslav Goljan and Andreas Pfitzmann in 2001. It is called the RS method, where RS stands for ‘regular/singular’.

The analyzed image is divided into a set of pixel groups. A special flipping procedure is then applied for each group. Based on the values of the discriminant function before and after the flipping procedure is applied, all groups are divided into regular, singular and unusable groups.

This algorithm is based on the assumption that the number of regular and singular pixel groups must be approximately equal in the original image and in the image after flipping is applied. If the numbers of these groups change appreciably after flipping is applied, this indicates that the analyzed image is a carrier with a payload.

The algorithm consists of the following steps:

  • The original image is divided into groups of n pixels (x1, …, xn).
  • The so-called discriminant function is defined which assigns to each group of pixels G = (x1, …, xn) a real number f(x1, …, xn) ∈
  • The discriminant function for the groups of pixels (x1, …, xn) can be defined as follows:
  • Then we define the flipping function which has the following properties:

Depending on the discriminant function’s values prior to and after flipping is applied, all groups of pixels are divided into regular, singular and unusable groups:

We have put this method to the test as well, and obtained the following results. We used the same empty and payload-embedded carriers as in the previous test.

Original image Visual attack image Chi-squared attack, 10 zones

Note that this attack method does not pass the binary verdict in terms of “whether this specific carrier contains an embedded payload or not”; rather, it determines the approximate length of the embedded payload (as a percentage).

As can be seen from the results above, this method returned a verdict for the empty message that it was filled less than 1% with payload, and for the payload-embedded carrier it returned a verdict that it was about 44% filled. Obviously, these results are slightly off. Let’s look at the filled container: from the visual attack it follows that more than 50% of the container is filled, while the RS attack tells us that 44% of the container is filled. Therefore, we can apply this method if we establish a certain “trigger threshold”: our experiments showed that 10% is a sufficient threshold of reliability. If the RS attack claims that more than 10% of the container is full, you can trust this verdict and mark the container as full.

Now it’s time to test these two methods in real-world conditions, on the Zero.T carriers in which the payload has regular entropy.

We ran the appropriate tests and here are the results:

Original image Chi-squared attack RS attack

As we see, a chi-squared attack is not applicable on low entropy images – it yields unsatisfactory or inaccurate results. However, the RS attack worked well: in both cases, it detected a hidden payload in the image. However, what do we do if automatic analysis methods show there is no payload, but we still suspect there might be one?

In that case, we can apply specific procedures that have been developed for specific malware families to extract the payload. For the aforementioned Zero.T loader, we have written our own embedded payload extraction tool. Its operation can be schematically presented as follows.

+ =

Obviously, if we get a valid result (in this specific case, an executable file), then the source image has an embedded payload in it.

Is DNS tunneling also steganography?

Can we consider use of a DNS tunnel a subtype of steganography? Yes, definitely. For starters, let’s recap on how a DNS tunnel works.

From a user computer in a closed network, a request is sent to resolve a domain, for example the domain wL8nd3DdINcGYAAj7Hh0H56a8nd3DdINcGYAlFDHBurWzMt[.]imbadguy[.]com to an IP address. (In this URL, the second-level domain name is not meaningful.) The local DNS server forwards this request to an external DNS server. The latter, in turn, does not know the third-level domain name, so it passes this request forward. Thus, this DNS request follows a chain of redirections from one DNS server to another, and reaches the DNS server of the domain imbadguy[.]com.

Instead of resolving a DNS request at the DNS server, threat actors can extract the information they require from the received domain name by decoding its first part. For example, information about the user’s system can be transmitted in this way. In response, a threat actor’s DNS server also sends some information in a decoded format, putting it into the third- or higher-level domain name.

This means the attacker has 255 characters in reserve for each DNS resolution, up to 63 characters for subdomains. 63 characters’ worth of data is sent in each DNS request, and 63 characters are sent back in response, and so on. This makes it a decent data communications channel! Most importantly, it is concealed communication, as an unaided eye cannot see that any extra data is being communicated.

To specialists who are familiar with network protocols and, in particular, with DNS tunneling, a traffic dump containing this sort of communication will look quite suspicious – it will contain too many long domains that get successfully resolved. In this specific case, we are looking at the real-life example of traffic generated by the Trojan Backdoor.Win32.Denis, which uses a DNS tunnel as a concealed channel to communicate with its C&C.

A DNS tunnel can be detected with the help of any popular intrusion detection (IDS) tool such as Snort, Suiricata or BRO IDS. This can be done using various methods. For example, one obvious idea is to use the fact that domain names sent for DNS resolution are much longer than usual during tunneling. There are quite a few variations on this theme on the Internet:

alert udp any any -> any 53 (msg:”Large DNS Query, possible cover channel”; content:”|01 00 00 01 00 00 00 00 00 00|”; depth:10; offset:2; dsize:>40; sid:1235467;)

There is also this rather primitive approach:

Alert udp $HOME_NET and -> any 53 (msg: “Large DNS Query”; dsize: >100; sid:1234567;)

There is plenty of room for experimenting here, trying to find a balance between the number of false positives and detecting instances of actual DNS tunneling.

Apart from suspiciously long domain names, what other factors may be useful? Well, anomalous syntax of domain names is another factor. All of us have some idea of what typical domain names look like – they usually contain letters and numbers. But if a domain name contains Base64 characters, it will look pretty suspicious, won’t it? If this sort of domain name is also quite long, then it is clearly worth a closer look.

Many more such anomalies can be described. Regular expressions are of great help in detecting them.

We would like to note that even such a basic approach to detecting DNS tunnels works very well. We applied several of these rules for intrusion detection to the stream of malware samples sent to Kaspersky Lab for analysis, and detected several new, previously unknown backdoors that used DNS tunnels as a covert channel for C&C communication.

Conclusions

We are seeing a strong upward trend in malware developers using steganography for different purposes, including for concealing C&C communication and for downloading malicious modules. This is an effective approach considering payload detection tools are probabilistic and expensive, meaning most security solutions cannot afford to process all the objects that may contain steganography payloads.

However, effective solutions do exist – they are based on combinations of different methods of analysis, prompt pre-detections, analysis of meta-data of the potential payload carrier, etc. Today, such solutions are implemented in Kaspersky Lab’s Anti-Targeted Attack solution (KATA). With KATA deployed, an information security officer can promptly find out about a possible targeted attack on the protected perimeter and/or the fact that data is being exfiltrated.

Anti-Virus

SANS Tip of the Day - Thu, 08/03/2017 - 01:00
Make sure you have anti-virus software installed on your computer and that it is automatically updating. However, keep in mind that no anti-virus can catch all malware; your computer can still be infected. That is why it's so important you use common sense and be wary of any messages that seem odd or suspicious.

DDoS attacks in Q2 2017

Malware Alerts - Tue, 08/01/2017 - 05:00

News Overview

The second quarter of 2017 saw DDoS attacks being more and more frequently used as a tool for political struggle. The Qatar crisis was accompanied by an attack on the website of Al Jazeera, the largest news network in the area, Le Monde and Le Figaro websites were targeted in the heat of the presidential election in France, and in Great Britain they recalled a year-old incident with the Brexit voter registration website where some citizens were excluded from the referendum because of the continuous attacks on the website.

Quite a significant event took place in the USA: the Federal Communications Commission (FCC) revealed plans for abolishing the principle of net neutrality, legislatively mandated two years before. The public comment system of the Commission website was rendered inoperative for about a day and eventually was completely disabled as a result of a massive attack. The reason for the crash remained unclear: it was either an invasion of the opponents of net neutrality, who were flooding the system with identical comments, or, on the contrary, an attack launched by the supporters of net neutrality, who tried to prevent their adversaries from flooding the FCC website with fake comments.

And yet, money remains the driving force of DDoS attacks. The growing interest in cryptocurrencies led to an increase in their exchange-value in the second quarter of 2017, which in turn drew the attention of cybercriminals. The largest bitcoin exchange, Bitfinex underwent an attack at the same time as the trading of a new IOT-currency IOTA was launched. Somewhat earlier the BTC-E exchange stated that its services were slowed down because of a powerful DDoS attack. Apparently, this way cybercriminals attempt to manipulate the currency rates, which can be quite easily achieved considering the high volatility of cryptocurrencies.

Owners of DDoS botnets do not limit themselves to renting out their computing powers. At the end of June, there was registered a large-scale attempt of extortion under threat of a DDoS attack. The group that calls itself Armada Collective demanded about $315,000 from seven South Korean banks in exchange for not disrupting their online services. According to a Radware report, this was not the first case of extortion through a DDoS attack initiated by this group.

With growing financial losses from DDoS attacks law enforcement agencies begin to take the attack initiators more seriously. In April 2017 in Great Britain, a young man was sentenced to two years in prison for a series of attacks, which he had carried out five years before while still being a student. The man had created the Titanium Stresser botnet and traded its services on a darknet, thus yielding a profit of approximately £386,000.

There were not many technical innovations in DDoS attacks in the second quarter; however, news concerning a new DDoS-attack vector deserves attention. Researchers from Corero Network Security reported that they had registered more than 400 attacks with the help of misconfigured LDAP servers. The largest attack volume was at 33 Gb/s. As amplified reflection was used in that case, the organization of such attacks requires relatively few resources.

The most infamous attack of the second quarter became a DDoS attack on Skype servers. Many users of the messenger all over the world experienced connectivity problems. The responsibility for the campaign was claimed by CyberTeam, but its motives remain unknown.

Quarter Trends Ransom DDoS

The trend of extorting money under threat of DDoS attacks is becoming more prominent during this quarter. This approach was dubbed “ransom DDoS”, or “RDoS”. Cybercriminals send a message to a victim company demanding a ransom of 5 to 200 bitcoins. In case of nonpayment, they promise to organize a DDoS attack on an essential web resource of the victim. Such messages are often accompanied by short-term attacks which serve as demonstration of the attacker’s power. The victim is chosen carefully. Usually, the victim is a company which would suffer substantial losses if their resources are unavailable.

There is another method as opposed to the above-mentioned one: hoping to gain revenue quickly and without much effort cybercriminals contact a great number of companies by sending out ransom messages with threats of launching a DDoS attack, not taking into account the specifics of these companies’ operation. In most cases, they do not launch a demonstrative attack. Paying the ransom would create a certain reputation for a company and provoke further attacks of other cybercriminal groups.

It should be noted that these groups now are more and more represented not by well-coordinated hacker professional teams but by beginners who do not even possess the skills to launch a DDoS attack and only have the means for a “demonstrative attack”. Those who fall victim to this scheme are companies that for one reason or another have no resources to organize security for their services yet capable of parting with available funds in order to pay the ransom.

SambaCry

There is yet another important event of the quarter, which is the discovery of a vulnerability in the Samba network software. The vulnerability allows cybercriminals to execute code remotely on devices running Linux and Unix. Samba is a software suite that allows addressing network disks and printers and runs on a majority of Unix-like operating systems, such as Linux, POSIX-compatible Solaris and Mac OS X Server and various BSD OSes.

According to the Samba company, “all versions of Samba from 3.5.0 onwards have a remote code-execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it”.

The total number of devices with the vulnerable software reaches over 500,000, roughly estimated. This means that cybercriminals can use the devices to create botnets with the goal of carrying out large-scale DDoS attacks.

Statistics for botnet-assisted DDoS attacks Methodology

Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of various complexity types and ranges. The experts of the company have been tracking the actions of botnets by using the DDoS Intelligence system.

Being part of the Kaspersky DDoS Prevention solution, the DDoS Intelligence system is intended to intercept and analyze commands sent to bots from command-and-control servers and requires neither infecting any user devices nor the actual execution of cybercriminals’ commands.

This report contains DDoS Intelligence statistics for the second quarter of 2017.

In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Also, bot requests originating from different botnets but directed at one resource count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers that were used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited only to those botnets that have been detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools for performing DDoS attacks; thus, the data presented in this report do not cover every single DDoS attack occurred during the indicated period.

Q2 summary
  • The resources in 86 countries were attacked in Q2 2017, 14 countries increase over the Q1 2017.
  • Just as in Q1, almost one-half of the attacks (47.42%) were aimed at the targets in China.
  • China, South Korea, and the USA remained leaders by both the number of attacks and the number of targets. According to the number of reported C&C servers, the same countries are in the TOP 3; but South Korea took the first place this time.
  • The long-term DDoS attacks made it back in Q2. The record duration was 277 hours, which was a 131% increase compared to Q1. At the same time, the share of the attacks that lasted less than 50 hours remained practically unchanged (99.7% in Q2 vs. 99.8% in Q1).
  • There was a considerable drop in the share of attacks over TCP (down to 18.2% from 26.6%) and ICPM (down to 7.3% from 8.2%). This caused a rise in the percentage of SYN floods and attacks over UDP and HTTP.
  • Linux botnets recovered from the decline of their share in Q1. Those botnets were responsible for 51.23% of attacks in Q2 compared to 43.40% in Q1.
Geography of attacks

DDoS attacks were registered in 86 countries in Q2, where the largest number of the attacks were aimed at China (58.07% of all of the attacks), which is 3 p.p. higher compared to the previous quarter. South Korea went down from 22.41% to 14.17% and retained second place nonetheless, while the USA rose from 11.37% up to 14.03%, almost catching up with South Korea.

The top 10 accounted for 94.60% of attacks and included Italy (0.94%) and Netherlands (0.84%), pushing down Vietnam and Denmark in Q2. Russia (1.60%) lost 0.37 p.p., moving down from fourth to sixth place, while Great Britain went up from 0.77% to 1.38%, a rise from seventh to fifth place.

Distribution of DDoS attacks by country, Q1 2017 vs. Q2 2017

95.3% of the attacks were aimed at targets in the countries of top 10 in Q2 2017.

Distribution of unique DDoS-attack targets by country, Q1 2017 vs. Q2 2017

China maintained its leading position in distribution by number of targets: 47.42% of them were located in the territory of the country, a fall of 0.36 p.p. compared to Q1. At the same time, the USA pushed down South Korea by going up from third to second place. Respectively, the USA rose to 18.63% (vs. 13.80% in Q1), while South Korea went from 26.57% down to 16.37%.

The share of targets located in the territory of Russia dropped from 1.55% in Q1 to 1.33% in Q2, pushing Russia down from fifth to seventh place. Vietnam and Denmark left the top 10 and were replaced by Italy (1.35%) and Australia (0.97%).

Dynamics of the number of DDoS attacks

The number of attacks per day ranged from 131 (April 17) to 904 (April 13) in Q2 2017. The peak numbers were registered on April 24 (581), May 7 (609), June 10 (614), and June 16 (621). A relative downturn was registered on April 14 (192), May 31 (240), and June 23 (281).

Dynamics of the number of DDoS attacks in Q2 2017*
*Since DDoS attacks may continuously last for several days, one attack may be counted several times in the timeline, i.e., once per day.

Monday stayed as the quietest day for DDoS attacks (11.74% of all of the attacks) in Q2 2017, while Sunday became the busiest day (15.57%) on account of the activity slacking on Saturday, a fall from 16.05% in Q1 to 14.39% in Q2. Thursday became the second busiest day, coming right behind Sunday (15.39%).

Distribution of DDoS attacks by day of the week

Types and duration of DDoS attacks

SYN floods partially recovered their positions lost during the previous quarter, rising from 48.07% to 53.26% in Q2 2017. There was an increase of percentage for both UDP attacks (from 8.71% up to 11.91%) and HTTP attacks (from 8.43% up to 9.38%). At the same time, the share of TCP DDoS attacks plummeted from 26.62% down to 18.18%, while the popularity of ICMP attacks slightly decreased from 8.17% down to 7.27% (out of all of the registered attacks).

Distribution of DDoS attacks by type

Long-term attacks made it back to the statistics in Q2 2017: 0.07% of the attacks lasted more than 100 hours, while the record attack continued for 277 hours, 157 hours longer than the record of the previous quarter. At the same time, the share of attacks that lasted 4 hours or less increased from 82.21% in Q1 to 85.93% in Q2. Thus, the percentage of attacks lasting from 5 to 49 hours decreased.

Distribution of DDoS attacks by duration (hours)

C&C servers and botnet types

The top 3 countries with the greatest number of detected C&C servers was slightly changed in Q2: China retained the third place with its 7.74%, ousting Netherlands, which moved down to fourth place despite an increase from 3.51% to 4.76%. South Korea kept its leading position and saw a fall from 66.49% down to 49.11%, while the USA still retained the second place (16.07%). The top 3 countries accounted for 72.92% of C&C servers in total.

The top 10 included Canada and Denmark (each at 0.89%), ousting Romania and Great Britain in Q2. Compared to Q1 2017, there was a significant decrease in the shares of Hong Kong (down to 1.19% from 1.89%) and Russia (down to 2.68% from 3.24%).

Distribution of botnet C&C servers by country in Q2 2017

Distribution by operating system became almost balanced in Q2: the share of Linux-based botnets comprised 51.23%; accordingly, Windows-based botnets comprised 48.77%.

Correlation between Windows- and Linux-based botnet attacks

Conclusions

There were no particular changes in the statistics of the second quarter of 2017 when compared to the previous quarter. As before about one half of DDoS attacks still originated in China, also in China was one half of the detected attack targets.

The second quarter quite clearly showed that the DDoS-attack threat is perceived rather seriously. Some companies were prepared to pay cybercriminals literally after their first demand without waiting for the attack itself. This set off a whole new wave of fraud involving money extortion under threat of a DDoS attack, also known as “ransom DDoS”. The gravity of the situation can be seen in the cybercriminals’ frequent disregard for demonstrating their capabilities; instead, the fraudsters would just send out ransom messages directed at a large pool of addresses. Certainly, the “entry threshold” for ransom DDoS is extremely low, fraudsters need neither significant resources nor technical skills or knowledge.

Ransomware

SANS Tip of the Day - Tue, 08/01/2017 - 01:00
Ransomware is a special type of malware. Once it infected your computer, it encrypts all of your files and demands you pay a ransome if you want your files back. Be suspicious of any emails trying to trick you into opening infected attachments or click on malicious links, common sense is your best defense. In addition. backups are often the only way you can recover from ransomware.