Reports on Malware Infections in Country IE

Objective

Source of Information

In regard to the following reports, CSIRT-IE's primary focus is computer devices in the State which were identified after they had successfully established a communication channel with a sinkhole that is monitored by malware researchers and analysts. The act of establishing a communication channel with a sinkhole normally indicates that a computer device is infected with malware and is in fact a bot in a botnet. The computer device may be used for malicious activities, including Distributed Denial-of-Service (DDoS) Reflection/Amplification attacks against a third party. CSIRT-IE seeks to inform the owners of these computer devices, through their respective Internet Service Providers (ISPs), based upon the IP address of the affected computer device, and to provide advice and recommendations on the measures required to mitigate the malware infection and to reduce the threat posed by the botnet of which it is a member.

Malware infections

Most malware is pre-programmed to attempt, autonomously, to set up communications with a command and control server (C&C server or C2 server) after it has successfully infected a host. Contained within the malicious code of the malware are lists of fully qualified domain names (FQDNs) and IP addresses, registered by the cyber criminals, that function as their C&C servers. The malware will cycle through this 'phone book', sending out timed beacons until it establishes a communication channel with a C&C server. Once the communications channel is established, the C&C server will send instruction sets to the malware, for example to download additional malicious code such as rootkits and remote access tools, or to transmit information harvested from the compromised host.

A sinkhole is a computer used by malware researchers and analysts to collect information on compromised hosts. This computer masquerades as one of the C&C servers. DNS requests from the compromised host for this C&C server are re-directed, in cooperation with the domain registrars, to the sinkhole computer, where they can be analysed. As the domain names do not serve any legitimate purpose, any connection to them is an indicator that the host sending the request has been compromised. Researchers can identify the IP address of the compromised host and the malware with which it has been infected.
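As an added example that is not part of this report, the following script shows how an organisation notified of a sinkhole hit could confirm the infected host from its own DNS resolver logs, by matching queries against the sinkholed names and checking for the timed-beacon pattern described above. The sinkholed names, log format and log lines are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkholed C2 names (hypothetical, not real indicators).
SINKHOLED_FQDNS = {"update-check.example.invalid", "cdn-stat.example.invalid"}

# Constructed DNS resolver log lines: "<ISO time> <client IP> <queried name>".
SAMPLE_DNS_LOG = """\
2016-12-01T09:00:00 10.0.0.12 www.example.com
2016-12-01T09:00:05 10.0.0.12 update-check.example.invalid
2016-12-01T09:01:00 10.0.0.44 mail.example.com
2016-12-01T09:05:05 10.0.0.12 update-check.example.invalid
2016-12-01T09:10:05 10.0.0.12 update-check.example.invalid
2016-12-01T09:12:30 10.0.0.44 cdn-stat.example.invalid
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client_ip, fqdn) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, name = m.groups()
        yield datetime.fromisoformat(ts), client, name.lower().rstrip(".")

def find_beaconing_hosts(text, sinkholed=SINKHOLED_FQDNS):
    """Map each client IP that queried a sinkholed name to a summary dict;
    'periodic' is True when the gaps between its lookups are nearly equal."""
    hits = defaultdict(list)
    for ts, client, name in parse_log(text):
        if name in sinkholed:
            hits[client].append((ts, name))
    report = {}
    for client, events in hits.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= 5  # 5 s jitter
        report[client] = {"count": len(events),
                          "names": sorted({n for _, n in events}),
                          "periodic": periodic}
    return report

if __name__ == "__main__":
    for ip, info in find_beaconing_hosts(SAMPLE_DNS_LOG).items():
        print(ip, info)
```

A host flagged as periodic matches the beaconing behaviour a sinkhole report describes; a single hit still warrants a look, since one beacon is enough for the sinkhole operator to record the IP address.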

The Computer Emergency Response Team for federal agencies in Germany (CERT-Bund) receives log data from several operators of sinkholes. Information on the IP addresses of compromised hosts in the State is provided to CSIRT-IE by CERT-Bund.

The Avalanche Botnet

The action against the Avalanche Botnet on 30 Nov 2016 followed more than four years of investigation led by the Luneburg police force and the public prosecutor's office in Verden, Germany, working closely with investigators and prosecutors from more than thirty (30) countries, Europol, Eurojust, the FBI, the United States Attorney's Office for the Western District of Pennsylvania and the Department of Justice. The German Federal Office for Information Security (BSI) and the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) analysed over 130 terabytes of captured data and identified the server structure of the botnet, after which a campaign to dismantle the international cyber criminal infrastructure platform known as 'Avalanche' was initiated.

In the campaign to dismantle the Avalanche botnet infrastructure, so-called 'sinkhole servers' controlled by law enforcement and IT security companies were installed. Network traffic between infected computers and the Avalanche botnet is redirected to the sinkhole servers, and the IP addresses of the infected computers are identified.

Information on the IP addresses of compromised hosts in the State is provided to CSIRT-IE by its German counterpart, CERT-Bund.