Weekly Web Security Warning: A return to normalcy in a quiet week

Every week, we examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA's D-Zone DNS Firewall.
By Rob Williamson
Marketing Manager

In the world of cybersecurity, one must always be on guard. That said, some weeks are quieter than others. Last week was one of those.

The top domain blocked last week by D-Zone DNS Firewall comes courtesy of our good friend Morto, again. It appears to be the result of one infected IP address attempting to call out repeatedly, and it is not a threat the typical IT manager needs to worry about because (unless something has changed) it infects older operating systems via RDP. We do wonder about the impact on network performance for this unfortunate user, though.

The second domain belongs to the Spybot family of malicious code, which attempts various actions on a Windows computer. These can include modifying the registry, and it can be used to scan the network, steal passwords, visit websites, restrict access and act as a keystroke logger. It is a huge family of malware. We saw this URL associated with several customer IPs, so it is worth paying attention to this domain.

Rounding out the top ten, we have the usual suspects: Mirai, botnets, and malware on customers' networks attempting to call home. Like last week, there were four country code TLDs (.us), with the rest being a more traditional set of seemingly random domains, and a .xyz. What is most interesting is that for two weeks straight, .us domains registered to the same individual are being used, but this week some of the names that made the top ten are different than last.

| Domain Name | Category | Threat Type |
|---|---|---|
| dj1.jfrmt.net | BLOCK | Morto |
| superyou.zapto.org | BLOCK | Spybot |
| ns5.wowrack.com | BLOCK | Mirai |
| ns6.wowrack.com | BLOCK | Mirai |
| sandparticles.us | BLOCK | Other Botnet |
| pixeldgarui.xyz | BLOCK | Malware Call Home |
| gpreport.us | BLOCK | Other Botnet |
| zws12.com | BLOCK | Malware Call Home |
| domain-extension.us | BLOCK | Other Botnet |
| registered-domain.us | BLOCK | Other Botnet |
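
The distinction drawn above, between a domain queried repeatedly by one infected host and a domain seen from several customer IPs, can be checked by counting distinct clients per blocked domain. This is an added example, not CIRA's code: the log line format, timestamps and client addresses are constructed assumptions, and only the two domain names come from the table.

```python
from collections import defaultdict

# Constructed sample of DNS-firewall events: "timestamp client_ip qname action".
# The line format, timestamps and RFC 5737 client addresses are assumptions.
SAMPLE_LOG = """\
2000-01-01T00:00:01Z 192.0.2.10 dj1.jfrmt.net BLOCK
2000-01-01T00:00:02Z 192.0.2.10 dj1.jfrmt.net BLOCK
2000-01-01T00:00:03Z 192.0.2.10 DJ1.jfrmt.net. BLOCK
2000-01-01T00:00:04Z 192.0.2.10 dj1.jfrmt.net BLOCK
2000-01-01T00:05:00Z 198.51.100.7 superyou.zapto.org BLOCK
2000-01-01T00:06:00Z 198.51.100.8 superyou.zapto.org BLOCK
2000-01-01T00:07:00Z 203.0.113.5 superyou.zapto.org BLOCK
2000-01-01T00:08:00Z 192.0.2.10 example.com ALLOW
truncated line
"""

def parse_blocks(text):
    """Yield (client_ip, domain) for each well-formed BLOCK line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "BLOCK":
            continue  # skip blank, malformed and non-block lines
        yield parts[1], parts[2].lower().rstrip(".")  # normalise case and root dot

def summarize(text):
    """Return {domain: (query_count, distinct_client_count)}."""
    counts, clients = defaultdict(int), defaultdict(set)
    for ip, domain in parse_blocks(text):
        counts[domain] += 1
        clients[domain].add(ip)
    return {d: (counts[d], len(clients[d])) for d in counts}

def triage(text, min_clients=2):
    """Split domains into widespread (>= min_clients sources) and single-host."""
    widespread, single_host = [], []
    for domain, (queries, n_clients) in summarize(text).items():
        row = (domain, queries, n_clients)
        (widespread if n_clients >= min_clients else single_host).append(row)
    # Widespread: most distinct clients first. Single host: noisiest first.
    widespread.sort(key=lambda r: (-r[2], -r[1], r[0]))
    single_host.sort(key=lambda r: (-r[1], r[0]))
    return widespread, single_host

if __name__ == "__main__":
    wide, single = triage(SAMPLE_LOG)
    for domain, queries, n in wide:
        print(f"investigate: {domain} ({queries} queries from {n} clients)")
    for domain, queries, n in single:
        print(f"one noisy host: {domain} ({queries} queries from {n} client)")
```

Ranking by raw query volume alone would put the single noisy host first, which is why the distinct-client count is reported alongside it.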

About the author
Rob Williamson

Rob brings over 20 years of experience in the technology industry writing, presenting and blogging on subjects as varied as software development tools, silicon reverse engineering, cyber-security and the DNS. He is an avid product marketer who takes the time to speak to IT professionals with the information and details they need for their jobs.
