Arbor Threat Intelligence

Arbor's Security Engineering & Response Team (ASERT) Blog
image description

Mirai IoT Botnet Description and DDoS Attack Mitigation

Authors:  Roland Dobbins & Steinthor Bjarnason Since its inception in August of 2016, the Mirai ‘Internet-of-Things’ (IoT) botnet, comprised largely of internet-enabled digital video recorders (DVRs), surveillance cameras, and other Internet-enabled embedded devices, has been utilized by attackers to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and […]

Read more

TrickBot Banker Insights

A new banking trojan, TrickBot, has seemingly risen from the ashes left behind by the November 2015 takedown of Dyreza/Dyre infrastructure and the arrests of threat actors identified by Russian authorities. Dyreza was used to target customers of over 1000 U.S. and U.K. banks and other […]

Read more

On DNS and DDoS

The global DNS infrastructure provides the critical function of mapping seeming random sets of numbers in IP addresses (like 1.1.1.1) to a name that an Internet consumer may recognize (like www.myfavoritestore.com).   To scale to a global level, the DNS system was designed as a multi-level reference network that would allow any user on the Internet to query a set of servers that will iteratively find where a specific domain is owned and get the name to IP address mapping from that location.  To accomplish this, it is made up of root servers controlling top level domains such as .com, .gov, and .org, Global Top Level Domains (TLDs) controlling regional domains such as .br, .fr and .uk, authoritative servers controlling specific domains such as myfavoritestore.com and a very large group of recursive resolvers that end user systems connect to.  A query from a user for a domain name would be sent to a recursive resolver and that resolver would work with the root, GTLD and varying levels of authoritative servers to track down the DNS authoritative server responsible for the domain from which it would receive a DNS reply.  This is a very high level and simplified representation of the most common way that DNS is used.

Read more

The Great DGA of Sphinx

This post takes a quick look at Sphinx’s domain generation algorithm (DGA). Sphinx, another Zeus-based banking trojan variant, has been around circa August 2015. The DGA domains are used as a backup mechanism for when the primary hardcoded command and control (C2) servers go down. […]

Read more

Panda Banker’s Future DGA

Since we last visited the Panda Bankers at the malware zoo, two new versions have emerged: 2.2.6 and 2.2.7. While sifting through the encrypted strings of the latest version, two interesting ones stood out: dgaconfigs DGA, download “%S”. Tracing the first one through the code […]

Read more

The Mad Max DGA

This post describes a domain generation algorithm (DGA) used by the “Mad Max” malware family. Mad Max is a targeted trojan, and we plan to post a follow-up article that documents our findings regarding the features of the Mad Max malware itself. But for now we will focus on the reversing of its DGA, since we were unable to find any other published research on this topic.

Read more