
Eight days ago, the WCry ransomware worm attacked more than 200,000 computers in 150 countries. The outbreak prompted infected hospitals to turn away patients and shut down computers in banks and telecoms. Now that researchers have had time to analyze the self-replicating attack, they're learning details that shed new and sometimes surprising light on the world's biggest ransomware attack.

Chief among the revelations: more than 97 percent of infections hit computers running Windows 7, according to attacks seen by antivirus provider Kaspersky Lab. By contrast, infected Windows XP machines were practically non-existent, and those XP PCs that were compromised were likely manually infected by their owners for testing purposes. That's according to Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, who spoke to Ars.

While the estimates are based only on computers that run Kaspersky software, as opposed to all computers on the Internet, there's little question Windows 7 was overwhelmingly affected by WCry, which is also known as "WannaCry" and "WannaCrypt." Security ratings firm BitSight found that 67 percent of infections hit Windows 7, Reuters reported.



Typosquatting has been used for years to lure victims. You receive an email or visit a URL with a domain name that looks like the official one. Typosquatting is the art of swapping, replacing, adding or omitting some letters to make a domain look like the official one. The problem is that the human brain automatically corrects what you see, so you think you are visiting the right site. The oldest example of typosquatting I remember seeing was mircosoft.com. Be honest: the first time, you read "microsoft.com", right? This domain was registered in 1997 but has since been taken back by Microsoft. The longer your domain name, the more combinations of letters are available to generate fake domains. Sometimes rogue domains are hard to detect because of the font used to display them: an "l" looks like a "1", or a "0" looks like an "O".
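To make the "swapping, replacing, adding or omitting" concrete, here is a small generator that produces the same families of look-alike domains that dnstwist reports further down (bitsquatting, homoglyph, hyphenation, insertion, omission, repetition, replacement, subdomain, transposition, "www" prefix). It is an added example written for this diary, not the diary's own code and not dnstwist's source; the HOMOGLYPHS and ADJACENT tables are deliberately small assumptions, a real tool ships much larger ones.

```python
"""Typosquatting variant generator for a domain such as dhl.com.

Added example, not dnstwist's source. The character tables below are
assumptions kept short for illustration.
"""

# Characters that look alike in common fonts (assumption: small table).
HOMOGLYPHS = {
    "l": ("1", "i"),
    "i": ("l", "1"),
    "o": ("0",),
    "0": ("o",),
    "d": ("cl",),   # 'd' can pass for 'cl' in a proportional font
    "h": ("lh",),
    "m": ("rn",),
    "w": ("vv",),
}

# Keyboard neighbours on a QWERTY layout (assumption: only a subset listed).
ADJACENT = {
    "d": "ersfcx",
    "h": "ujnbgy",
    "l": "kop",
    "i": "uojk",
    "o": "iplk",
}

# Families in the order dnstwist prints them; a variant produced by two
# families is reported once, under the first one.
FAMILIES = ("bitsquatting", "homoglyph", "hyphenation", "insertion",
            "omission", "repetition", "replacement", "subdomain",
            "transposition", "various")


def _bitsquat(label):
    """Flip one bit of one character; keep hostname-safe results only."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            c = chr(ord(ch) ^ (1 << bit)).lower()
            if c.isascii() and (c.isalnum() or c == "-") and c != ch:
                out.add(label[:i] + c + label[i + 1:])
    return out


def _homoglyph(label):
    """Swap each character for each of its look-alikes, one at a time."""
    out = set()
    for i, ch in enumerate(label):
        for g in HOMOGLYPHS.get(ch, ()):
            out.add(label[:i] + g + label[i + 1:])
    return out


def _insertion(label):
    """Insert neighbour keys of each inner character before and after it."""
    out = set()
    for i in range(1, len(label) - 1):
        for c in ADJACENT.get(label[i], ""):
            out.add(label[:i] + c + label[i:])
            out.add(label[:i + 1] + c + label[i + 1:])
    return out


def _replacement(label):
    """Replace each character by one of its keyboard neighbours."""
    return {label[:i] + c + label[i + 1:]
            for i, ch in enumerate(label) for c in ADJACENT.get(ch, "")}


def generate(domain):
    """Return {family: sorted list of candidate domains} for one domain."""
    label, _, tld = domain.lower().partition(".")
    n = len(label)
    raw = {
        "bitsquatting": _bitsquat(label),
        "homoglyph": _homoglyph(label),
        "hyphenation": {label[:i] + "-" + label[i:] for i in range(1, n)},
        "insertion": _insertion(label),
        "omission": {label[:i] + label[i + 1:] for i in range(n)},
        "repetition": {label[:i] + label[i] + label[i:] for i in range(n)},
        "replacement": _replacement(label),
        "subdomain": {label[:i] + "." + label[i:] for i in range(1, n)},
        "transposition": {label[:i] + label[i + 1] + label[i] + label[i + 2:]
                          for i in range(n - 1)},
        "various": {"www" + label, "www-" + label},
    }
    seen = {label}          # never report the original itself
    result = {}
    for fam in FAMILIES:
        fresh = sorted(v for v in raw[fam] if v and v not in seen)
        seen.update(fresh)
        result[fam] = [f"{v}.{tld}" for v in fresh]
    return result


if __name__ == "__main__":
    for fam, doms in generate("dhl.com").items():
        print(f"{fam:14s} {' '.join(doms)}")
```

Run against dhl.com it yields, among others, dhll.com under "repetition", dlh.com and hdl.com under "transposition" and ehl.com/dll.com/dhd.com under "bitsquatting", which is what the dnstwist run at the end of this diary shows; the next step in practice is resolving each candidate (A, NS, MX) to see which ones somebody already owns.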

Yesterday, I found a nice phishing email related to DHL (the worldwide courier company). The message was classic: DHL claims that somebody passed by your home and nobody was present. But this time it was not a simple phishing page trying to collect credentials; there was a link to a ZIP file. The archive contained a malicious HTA file that downloaded a PE file[1] and executed it. Let's put the malware aside and focus on the domain name that was used: dhll.com (with a double L).

A quick check reveals that this domain is, fortunately, owned by DHL (not DHL Express but Deutsche Post DHL):

Domain Name: dhll.com
Registry Domain ID: 123181256_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2016-09-23T04:00:10-0700
Creation Date: 2004-06-22T00:00:00-0700
Registrar Registration Expiration Date: 2017-06-22T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Deutsche Post AG
Registrant Organization: Deutsche Post AG
Registrant Street: Charles-de-Gaulle-Strasse 20
Registrant City: Bonn
Registrant State/Province: -
Registrant Postal Code: 53113
Registrant Country: DE
Registrant Phone: +49.22818296701
Registrant Phone Ext:
Registrant Fax: +49.22818296798
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Deutsche Post AG
Admin Street: Charles-de-Gaulle-Strasse 20
Admin City: Bon
Admin State/Province: -
Admin Postal Code: 53113
Admin Country: DE
Admin Phone: +49.22818296701
Admin Phone Ext:
Admin Fax: +49.22818296798
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Technical Administrator
Tech Organization: DHL
Tech Street: 8701 East Hartford Drive
Tech City: Scottsdale
Tech State/Province: AZ
Tech Postal Code: 85255
Tech Country: US
Tech Phone: +1.4089616666
Tech Phone Ext:
Tech Fax: -
Tech Fax Ext:
Tech Email: [email protected]
Name Server: ns4.dhl.com
Name Server: ns6.dhl.com
DNSSEC: unsigned

The zone dhll.com is also hosted on the DHL name servers. It is a good thing that DHL registered potentially malicious domains, but if you do this, don't just park the domain: go further and really use it! The fact that the domain has been registered by the official company does not prevent bad guys from abusing it, for example as the sender domain of spoofed emails.

First point: dhll.com and www.dhll.com do not resolve to an IP address. If you register such domains, create a website, make them point to it and log who visits the fake page. You can display an awareness message or simply redirect to the official site. This also prevents your customers from landing on a potentially malicious site and improves their experience with you.

The second point is related to the MX records. No MX records are defined for the dhll.com domain. As with the web traffic, build a spam trap to collect all messages sent to [email protected]. By doing this, you will capture potentially interesting traffic and be able to detect whether the domain is being used in a campaign (for example, you will catch all the non-delivery receipts in the spam trap).

Finally, add an SPF[2] record for the domain. This will reduce the amount of spam and phishing that can be sent with it; since such a domain never sends legitimate mail, the record can simply be a hard fail ("v=spf1 -all"), so that receivers which check SPF reject anything claiming to come from it.
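The three points above (a web page to land on, an MX pointing at a spam trap, an SPF record) can be turned into a check that is run against every defensively registered domain. The code below is an added example for this diary, not DHL's or the diary's own; it compares a record set reflecting what was observed for dhll.com (only NS records) with a hardened one. The IP address 192.0.2.10 and the host spamtrap.example.net are placeholders, not real infrastructure.

```python
"""Audit of a defensively registered look-alike domain.

Added example for the ISC diary on dhll.com; not the diary's code.
Both record sets are constructed: OBSERVED mirrors the diary's findings
(zone delegated, nothing else), HARDENED is what the diary recommends,
with placeholder addresses and host names.
"""

OBSERVED = {
    ("dhll.com", "NS"): ["ns4.dhl.com", "ns6.dhl.com"],
}

HARDENED = {
    ("dhll.com", "NS"): ["ns4.dhl.com", "ns6.dhl.com"],
    ("dhll.com", "A"): ["192.0.2.10"],          # awareness page / redirect (placeholder)
    ("www.dhll.com", "A"): ["192.0.2.10"],
    ("dhll.com", "MX"): ["10 spamtrap.example.net"],  # catch-all mailbox (placeholder)
    ("dhll.com", "TXT"): ['"v=spf1 -all"'],     # the domain never sends mail
}


def spf_records(txts):
    """Return the SPF policies among a name's TXT records, quotes stripped."""
    out = []
    for t in txts:
        t = t.strip('"')
        if t.lower().startswith("v=spf1"):
            out.append(t)
    return out


def audit(domain, records):
    """Return a list of findings; an empty list means the domain follows the
    three recommendations (landing page, spam trap, SPF hard fail)."""
    findings = []

    # 1. The apex and www must resolve so visitors reach the awareness page.
    for name in (domain, "www." + domain):
        if not records.get((name, "A")) and not records.get((name, "AAAA")):
            findings.append(f"{name}: no A/AAAA record, visitors get an error "
                            "instead of an awareness page")

    # 2. Mail to the look-alike (including bounces from a spoofing campaign)
    #    must land in a spam trap rather than disappear.
    mx = records.get((domain, "MX"), [])
    if not mx:
        findings.append(f"{domain}: no MX record, mail sent to the look-alike "
                        "is lost instead of captured")
    elif any(m.split()[-1].rstrip(".") == "localhost" for m in mx):
        findings.append(f"{domain}: MX points at localhost (typical of parked "
                        "domains), so nothing is captured")

    # 3. A domain that never sends mail should publish a hard-fail SPF policy.
    spf = spf_records(records.get((domain, "TXT"), []))
    if not spf:
        findings.append(f"{domain}: no SPF record, receivers cannot reject "
                        "mail spoofing it")
    elif len(spf) > 1:
        findings.append(f"{domain}: more than one SPF record, which is invalid")
    else:
        last = spf[0].split()[-1]
        if last != "-all":
            findings.append(f"{domain}: SPF ends with {last!r}; a domain that "
                            "never sends mail should end with '-all'")
    return findings


if __name__ == "__main__":
    for label, recs in (("observed", OBSERVED), ("hardened", HARDENED)):
        print(label, audit("dhll.com", recs) or "OK")
```

In production the two dictionaries would be replaced by the answers of a resolver query for each name and type, and the check would run over the whole list of defensively registered domains, so that a domain which quietly went back to "parked" shows up.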

To conclude, registering domain names derived from your company's name is the first step, but don't just park them: use them for hunting and awareness!

A quick reminder about the tool dnstwist[3], which is helpful here (the IP address and country columns of the output were partly lost; where a country is shown, only the last word of its name survived):

# docker run -it --rm jrottenberg/dnstwist --ssdeep --mxcheck --geoip dhl.com
dnstwist {1.01}
Fetching content from: http://dhl.com ... 200 OK (396.3 Kbytes)
Processing 56 domain variants ................ 48 hits (85%)

Original*      dhl.com        States   NS:ns4.dhl.com MX:mx1.dhl.iphmx.com SSDEEP:100%
Bitsquatting   ehl.com                 NS:pdns03.domaincontrol.com MX:smtp.secureserver.net
Bitsquatting   fhl.com        -
Bitsquatting   lhl.com        -
Bitsquatting   thl.com        States   NS:dns1.name-services.com MX:us-smtp-inbound-1.mimecast.com
Bitsquatting   dil.com        States   NS:ns1.sedoparking.com MX:localhost
Bitsquatting   djl.com        Kong     NS:ns1.monikerdns.net
Bitsquatting   dll.com        States   NS:ns43.domaincontrol.com MX:smtp.secureserver.net
Bitsquatting   dxl.com        States   NS:ns59.worldnic.com SPYING-MX:dxl-com.mail.protection.outlook.com
Bitsquatting   dhm.com        States   NS:ns19.worldnic.com MX:dhm.com
Bitsquatting   dhn.com                 NS:pdns07.domaincontrol.com MX:smtp.secureserver.net
Bitsquatting   dhh.com                 NS:dns1.iidns.com
Bitsquatting   dhd.com                 NS:ns-west.cerf.net MX:dhd-com.mail.protection.outlook.com
Homoglyph      bhl.com        States   NS:ns79.worldnic.com SPYING-MX:bhl-com.mail.protection.outlook.com
Homoglyph      dhi.com        States   NS:ns10.dnsmadeeasy.com
Homoglyph      clhl.com       States   NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Homoglyph      dlhl.com       States   NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Homoglyph      dihl.com       States   NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Homoglyph      dh1.com        Islands  NS:ns43.worldnic.com SPYING-MX:p.webcom.ctmail.com
Hyphenation    d-hl.com       States   2400:cb00:2048:1::6818:7c86 NS:fiona.ns.cloudflare.com MX:mx1.emailowl.com
Hyphenation    dh-l.com       States   NS:ns1.sedoparking.com MX:localhost
Insertion      duhl.com       States   NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion      dhul.com                NS:ns1.dominioabsoluto.com
Insertion      djhl.com                NS:f1g1ns1.dnspod.net
Insertion      dhjl.com       -
Insertion      dnhl.com       States   NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion      dhnl.com       States   NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion      dbhl.com       States   NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion      dhbl.com       States   NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion      dghl.com       States   NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion      dhgl.com       States   NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Insertion      dyhl.com                NS:dns17.hichina.com MX:mxbiz1.qq.com
Insertion      dhyl.com       -
Omission       dl.com                  NS:ns1.gridhost.com SPYING-MX:mail.b-io.co
Omission       dh.com         States   NS:a5-67.akam.net SPYING-MX:mx1.dhltd.iphmx.com
Omission       hl.com         States   NS:ns57.domaincontrol.com MX:mail0.hl.com
Repetition     ddhl.com       Kong     NS:ns11.domaincontrol.com SPYING-MX:ddhl-com.mail.protection.outlook.com
Repetition     dhll.com       -
Repetition     dhhl.com       States   NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
Replacement    rhl.com        States   NS:ns1.hungerhost.com MX:mx.spamexperts.com
Replacement    chl.com                 NS:nameserver.ttec.com MX:smtp2.mx.ttec.com
Replacement    xhl.com        States   NS:ns1.uniregistrymarket.link
Replacement    shl.com        States   NS:eu-sdns-01.shl.com SPYING-MX:mxa-0016ba01.gslb.pphosted.com
Replacement    dul.com                 NS:pdns01.domaincontrol.com MX:smtp.secureserver.net
Replacement    dnl.com        -
Replacement    dbl.com        States   NS:ns53.worldnic.com SPYING-MX:p.webcom.ctmail.com
Replacement    dgl.com                 NS:ns62.downtownhost.com MX:dgl.com
Replacement    dyl.com        States   NS:ns-1768.awsdns-29.co.uk MX:mail.dyl.com
Replacement    dhk.com        States   NS:ns1.dhk.com MX:dhk.com.us.emailservice.io
Replacement    dho.com        States   NS:ns1bqx.name.com
Replacement    dhp.com        States   NS:dhp.com MX:mailhub.dhp.com
Subdomain      d.hl.com       -
Subdomain      dh.l.com       -
Transposition  hdl.com        States   NS:ns1.systemdns.com MX:aspmx.l.google.com
Transposition  dlh.com                 NS:ns1.ascio.net SPYING-MX:mail.dlh.com
Various        wwwdhl.com     States   NS:ns.deutschepost.de

Note that dhll.com itself shows up with no A or MX records ("-"), which is exactly the parked state discussed above, while several neighbours are flagged SPYING-MX, meaning their mail server accepted a test message for an address at the original domain.


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
