
RedSocks Lab: Bad Hoods, detection of unknown threats

Bad Neighborhoods

Just as in the real world, the internet also has “bad neighborhoods” whose streets are unsafe and where crime rates are higher than in other districts. Research into these internet neighborhoods can lead to better security solutions. For instance, it has been discovered that the majority of spam on the internet comes from just a couple of these bad neighborhoods. Cyber-attacks have also dramatically increased in severity and frequency, leading to major data security breaches affecting hundreds of millions of customers worldwide.

RedSocks is continuously conducting research based on Big Data derived from neighborhoods on the Internet. This has enabled RedSocks to identify which neighborhoods are considered good or bad. This research and its results have produced a large database filled with listings of Bad Hoods.

Large-Scale Malware Analysis

On a daily basis the RedSocks lab automatically analyzes up to 350,000 new unique pieces of malware data. This allows RedSocks to closely track malicious trends and new methodologies, such as those used to compromise specific devices. Through this effort the RedSocks lab is capable of identifying new breeds of malware, which are then translated into new detection algorithms. Based on these algorithms, new malicious indicators are integrated into the MTD via updates. Approximately 1,000,000 bad IPs are sent to the MTD appliance per hour; these are gathered in real-time by the RedSocks Malware Intelligence Team.

RedSocks has over 30 malware research labs continuously detecting new malicious destinations and Bad Hoods. As an example, should the RedSocks Malware Intelligence Team detect a new IP-space, it will track and trace that IP-space and the companies associated with it. IP-spaces that are interesting for cyber criminals today will probably be interesting for cyber criminals tomorrow. These IP-spaces are automatically designated and listed as a Bad Hood.

Bad Hoods on the Internet can originate from various different networks. Some of these networks include:

  • Dedicated subnets registered by cybercriminals. Occasionally, cyber criminals re-use their own subnets. By monitoring these subnets, RedSocks is able to identify new systems without knowing the specific malware samples that connect to them.
  • Subnets of Virtual Private Servers (VPS) / dedicated hosting providers in which little to no legitimate services occur. Traffic originating from or directed towards these servers is instantly suspicious. Sometimes bulletproof hosting providers facilitate cyber criminals by allowing them to use the servers for malicious attacks.
  • Access networks with home users, for example the access pool of a cable or DSL provider. Legitimate activity towards these networks is usually minimal, so the traffic is filtered for malicious patterns such as backdoor traffic.

Bad Hoods In Practice

Identifying Bad Hoods online is extremely important and pivotal in detecting malicious traffic, files, and cyber criminals. In practice, Bad Hood identification has led to the detection of malicious attacks on numerous occasions. Below are a few examples in which malicious attacks were detected through the use of Bad Hoods.

  • Detection of the Carbanak APT without indicators, through the re-use of subnets that had been used in previous APT attacks;
  • Detection of unknown Hacking Team VPS systems through the re-use of their own subnets;
  • Detection of new Point-of-Sale (POS) malware such as Alina and JackPOS through the re-use of their own subnets in Ukraine and Lithuania;
  • Detection of backdoor traffic towards C&C servers hosted at home users, through monitoring access networks on the default and commonly used ports of known backdoors.
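The two detection rules behind these examples, and the network categories listed above, can be illustrated with a small detector. This is an added example, not RedSocks code: it promotes a /24 to a Bad Hood once enough known-bad IPs fall into it (so a never-seen host in that subnet is still flagged), and flags connections to a residential access pool on a backdoor port. All addresses, pools and port numbers are constructed (RFC 5737 documentation ranges), not real indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: IPs observed in earlier campaigns (documentation
# ranges, hypothetical). Two of them share the 203.0.113.0/24 subnet.
KNOWN_BAD_IPS = ["203.0.113.17", "203.0.113.88", "198.51.100.5"]
# Constructed: the access pool of a residential cable/DSL provider (hypothetical).
ACCESS_POOLS = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed: example listening ports of known backdoors (hypothetical values).
BACKDOOR_PORTS = {4444, 31337}


def derive_bad_hoods(bad_ips, prefix=24, min_hits=2):
    """Promote a subnet to a Bad Hood once at least min_hits known-bad IPs fall in it.

    This is the 're-used subnet' rule: the subnet, not the individual IP, is the
    indicator, so new systems in it are caught without a matching malware sample.
    """
    counts = defaultdict(int)
    for ip in bad_ips:
        counts[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    return {net for net, n in counts.items() if n >= min_hits}


def classify_flow(dst, dport, bad_hoods):
    """Return a verdict string for one outbound flow (destination IP and port)."""
    d = ipaddress.ip_address(dst)
    if any(d in net for net in bad_hoods):
        return "bad-hood-subnet"      # destination inside a re-used criminal subnet
    if any(d in pool for pool in ACCESS_POOLS) and dport in BACKDOOR_PORTS:
        return "home-user-backdoor"   # C&C on a residential pool over a backdoor port
    return "clean"


def scan_flows(lines, bad_hoods):
    """Parse constructed 'src dst dport' flow lines; return (dst, port, verdict) alerts."""
    alerts = []
    for line in lines:
        _src, dst, dport = line.split()
        verdict = classify_flow(dst, int(dport), bad_hoods)
        if verdict != "clean":
            alerts.append((dst, int(dport), verdict))
    return alerts


# Constructed flow log: the first destination was never seen before but sits in
# the promoted /24; the second is in a subnet with only one prior hit.
SAMPLE_FLOWS = ["10.0.0.5 203.0.113.200 443", "10.0.0.5 198.51.100.9 80",
                "10.0.0.7 192.0.2.45 4444", "10.0.0.7 192.0.2.45 443"]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS, derive_bad_hoods(KNOWN_BAD_IPS)):
        print(alert)
```

Raising `min_hits` trades coverage for fewer false positives on shared hosting ranges, which is the tuning question the VPS category above raises.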

Bad Hoods will continue to play a significant role in malicious attacks on the Internet. Through our automatic detection of previously unknown Bad Hoods, RedSocks customers are instantly alerted when their network is communicating with one of them. The network administrator can then cut off all communication towards those Bad Hoods, which can prevent malicious files from being loaded onto your servers.
