NXDOMAIN is the DNS response code returned when the queried domain name does not exist, so the lookup cannot resolve it to an IP address. This can happen for many reasons. Usually it is just a user mistyping an address, for example google.xom. However, if you search your logs for NXDOMAIN and look at the domains for which lookups failed, you may be surprised at what you find.
One interesting thing that may come up is requests for various random-looking “.onion” domains. Dot onion is not a valid, routable top-level domain, but it is used by Tor clients to route requests onto the Tor network. Seeing these requests in your DNS data indicates that a device either has a Tor client installed, or that there is some malicious software on the device trying to find a Tor entry point.
Either case calls for action, and locating the IP address associated with the “.onion” requests can help you track down the device in question. Search on the IP address, and in the first few records returned, you are likely to find a successful login event from Active Directory logs. This will give you the user of the implicated machine. Once you’ve located the device, it would be wise to do a full malware scan on it.
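As an added example (not code from this post or from Securolytics), the following Python script runs that check over a few constructed resolver log lines in a simple key=value format, plus constructed logon records standing in for the Active Directory logon events mentioned above: it keeps only NXDOMAIN answers for .onion names, groups them by client IP, and attributes each IP to the latest logon seen for it.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (a simple key=value format, not any
# particular product's real log format) for demonstration only.
DNS_LOG = """\
2016-07-12T10:01:02Z client=10.1.2.3 query=google.xom rcode=NXDOMAIN
2016-07-12T10:01:05Z client=10.1.2.3 query=www.example.com rcode=NOERROR
2016-07-12T10:02:11Z client=10.1.2.7 query=x7q2mlnv4rcpz3ka.onion rcode=NXDOMAIN
2016-07-12T10:02:12Z client=10.1.2.7 query=k9b4dz2hqw7tmp5e.onion. rcode=NXDOMAIN
2016-07-12T10:03:40Z client=10.1.2.9 query=mail.example.com rcode=NOERROR
2016-07-12T10:04:01Z client=10.1.2.7 query=tracker.example.net rcode=NOERROR
"""

# Constructed logon events (client IP -> account), standing in for the
# successful-logon records in Active Directory logs.
LOGON_EVENTS = [
    {"ip": "10.1.2.7", "user": "CORP\\jdoe", "time": "2016-07-12T09:55:00Z"},
    {"ip": "10.1.2.3", "user": "CORP\\asmith", "time": "2016-07-12T09:58:30Z"},
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) query=(?P<name>\S+) rcode=(?P<rcode>\S+)$"
)

def onion_nxdomain_by_client(log_text):
    """Return {client_ip: [queried .onion names]} for NXDOMAIN answers only."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of guessing
        name = m.group("name").lower().rstrip(".")  # normalise trailing dot
        if m.group("rcode") == "NXDOMAIN" and name.endswith(".onion"):
            hits[m.group("ip")].append(name)
    return dict(hits)

def attribute_to_user(hits, logon_events):
    """Map each implicated client IP to the most recent logon seen for it."""
    latest = {}
    for ev in sorted(logon_events, key=lambda e: e["time"]):
        latest[ev["ip"]] = ev["user"]
    return {ip: latest.get(ip, "<no logon record>") for ip in hits}

if __name__ == "__main__":
    hits = onion_nxdomain_by_client(DNS_LOG)
    for ip, user in attribute_to_user(hits, LOGON_EVENTS).items():
        print(f"{ip} ({user}): {len(hits[ip])} .onion NXDOMAIN lookups -> {hits[ip]}")
```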
Securolytics will automatically scan DNS records for suspicious domain requests. Keep malware off your network, and keep your data safe with Securolytics.
There is a new kind of ransomware floating around on the internet and it’s nasty.
The ransomware detected earlier this year, dubbed ‘Bart’, has taken a whole new approach to complicating your life. With previous builds of ransomware, one of the first actions the malware took was to look for what’s called a key server. This is where it would get the encryption keys used to encrypt the files on the affected machine, which meant you had two chances to stop the ransomware from encrypting them. The first is to stop the malware from infecting the machine in the first place, and the second is to stop the malware from communicating with the key server so it can’t do its job. Finding and blocking attempted communication with the key server gave engineers a chance to find and clean the infected machine before it could do any damage. This new ransomware strategy cuts your detection and mitigation chances in half, because it operates without a key server at all!
Bart generates its encryption keys locally and encrypts your files into a password-protected ZIP archive. It then uploads the key directly to the payment server, where it charges the user 3 bitcoins (almost $2000) for the decryption key. Bart’s primary delivery mechanism to date has been wide-scale spam campaigns. The spam carries an intermediary loader called RockLoader, which then installs Bart on the target.
With the increasing sophistication of malware, it’s more important than ever to incorporate zero-day advanced threat protection into your security strategy. Securolytics ATP is purpose-built to detect and stop these types of threats across email and web vectors while keeping you informed. Simply search through your logs for the keyword ‘ransomware’ to see any attempts to contact or communicate with a domain associated with known ransomware.
Many organizations use content filtering software to block inappropriate web sites. However, the threats on today’s Internet have changed. The Internet remains the primary vector both for delivering viruses and malware and for downloading pirated content. According to the American Bar Association, employers may be liable “for allowing or failing to prevent employees from using their technology to engage in illegal activity.”
Are your employees putting your brand at risk?
Securolytics can tell you exactly who and what is putting your brand at risk. Search for any of the following terms (*torrent*, *tracker*, *popcorn-time*) and you will immediately see if anyone on your network is using a peer-to-peer client to share files.