Malware as Performance Art? OpenDNS Shows the Dangerous “Dance” of Cryptolocker

Linda Musthaler
By | November 25, 2013

Posted in: Network Security Trends

By now practically every information security professional and thousands of unfortunate victims are aware of CryptoLocker, the dangerous malware that encrypts all of a victim’s files and holds them for ransom. Security experts say it’s relatively easy to remove the malware itself but the damage is done when entire file systems cannot be decrypted without the key that is held by the perpetrators. CryptoLocker has been called “evolutionary” as malware goes and it has been highly successful in its mission to get money for the attackers, so we are likely to see more attacks of this nature in the future.

OpenDNS is one company that has been able to recognize and block CryptoLocker from infecting its customers. OpenDNS operates a DNS lookup service that simply blocks traffic attempting to go to nefarious sites. The company uses predictive analytics to understand what sites to block.

In doing its initial analysis on a malware campaign that had yet to be identified as CryptoLocker, OpenDNS used a home grown visualization tool to observe the relationships among the DNS records and how the attacks progress. The must-see result is something OpenDNS calls “The Ripple Effect” but I call it a “dance” of sorts. See what happens when OpenDNS plots the malware’s relationships and sets the activity to music.

OpenDNS CTO Dan Hubbard explained how his company was able to detect CryptoLocker so quickly. “There are two components that helped us put a finger on this particular malware,” said Hubbard. “We have a generic algorithm that allows us to look at the makeup of a domain to understand if it is created by a computer in real-time or by a human. This is referred to as a domain generation algorithm, or DGA. CryptoLocker uses a DGA to create new domains all the time—literally a thousand domains every day.”

“From there we looked at our traffic for all these unknown computer generated domains and we observed that the clients were all going to other domains that were similar,” said Hubbard. “Let’s say we had 50 people going to one domain that is a questionable domain but all 50 were also going to another set of the same 20, 30, 50 or 100 domains that are related to that same original domain. This is what we’re showing in our visualization video. You can see the lookups of all the clients going to all the different domains to get the encryption keys to encrypt the data on victims’ PCs.”

In other words, this isn’t normal behavior and it can only be considered suspicious. The makeup of the malware domain is not something that a human or an enterprise would ever register. And the traffic of the users going to the original domain and all the subsequent domains that OpenDNS predicted is not a regular pattern. Hubbard explains, “Users don’t go to 1,000 domains within one and a half seconds subsequently over and over and over again in different locations all around the world in real-time. And then to have another human somewhere else on the planet doing that exact same behavior—that just doesn’t happen in good situations. That’s a key indicator of malware.”

Yes, it’s malware and it’s really ugly in what it does, but the visualization created by OpenDNS is almost performance art.

You May Also Be Interested In: