Evolution is the Name of the Game


The following is a Q&A with Daniel Smith, an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities. Daniel’s research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigations proactively for its customers.

Botnets have been getting all the attention since the beginning of 2017, but what other attack vectors are proving popular this year? 

Botnets certainly received a great deal of fanfare after the launch of Mirai in 2016. One reason was the two new attack vectors launched by Mirai: GRE floods and DNS water torture attacks. Both of these attack vectors, combined with the sheer volume produced by an IoT botnet, have proven a challenge to mitigate.

Generic routing encapsulation (GRE) is a tunneling protocol developed by Cisco. GRE mainly encapsulates data packets and routes them through the tunnel to a destination network that de-encapsulates the payload packets. Sending many GRE packets with large amounts of encapsulated data may lead to resource consumption, as the victim tries to de-encapsulate them until exhaustion.

A DNS water torture attack sends a pre-crafted DNS query to the service provider’s DNS server. The malicious DNS query contains a random string prepended to the victim’s domain. The DNS server will attempt to get an answer from the authoritative nameserver repeatedly with no success. Sending different false strings with the victim’s domain name will eventually increase the DNS server’s CPU utilization, making it unreachable.

Ransom denial-of-service (RDoS) attacks have become popular thanks to financially motivated criminals, in addition to hacktivist groups. Most RDoS groups will request between $1,000 and $10,000 on average, and the penalty for missing payment is typically much larger. RDoS is a growing concern as it gains popularity. In 2016, Radware witnessed an exponential increase in the number of ransom threats companies have received from these types of criminals.

Another big reason for its rise is due to the large monetary gain for little to no investment. For example, thanks to DDoS-as-a-service programs that are available on the Darknet, a hacker could launch an attack for as little as $20 for a twenty-minute, 1Gbps attack. In addition, opening a bitcoin account and sending an extortion email costs nothing. Distributing enough ransom letters typically generates at least a few individuals/organizations that are willing to pay. Some groups don’t even follow through with the attack. Inside the ransom note they claim they will attack leveraging a popular attack vector, such as Mirai, and the victim (aware of the potential damage) will pay. For all these reasons, many opportunists have emerged in 2016/17 looking to spread fear and extort victims for monetary gain.
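As an added illustration of the two Mirai vectors described in this answer (example code written for this page, not Radware’s tooling or anything from Mirai), the following Python parses GRE headers and applies two defensive heuristics to constructed telemetry: flagging sources whose GRE traffic would exhaust a de-encapsulating endpoint, and flagging domains that receive many distinct, random-looking subdomain queries answered with NXDOMAIN. The thresholds, IP addresses, domain names and the simplification that the registered domain is the last two labels are all assumptions.

```python
"""Defensive heuristics for GRE floods and DNS water torture.
Example code added for this page; sample telemetry is constructed, not captured."""
import math
import random
import struct
from collections import Counter, defaultdict

GRE_IP_PROTO = 47  # GRE is IP protocol number 47


def parse_gre_header(packet: bytes) -> dict:
    """Parse a GRE header (RFC 2784 base, RFC 2890 key/sequence extensions).
    Layout: 2 bytes flags+version, 2 bytes protocol type, then 4 bytes each for
    the optional checksum+reserved, key and sequence-number fields."""
    if len(packet) < 4:
        raise ValueError("GRE header truncated")
    flags_ver, proto_type = struct.unpack("!HH", packet[:4])
    header_len = 4
    for mask in (0x8000, 0x2000, 0x1000):  # C (checksum), K (key), S (sequence) bits
        if flags_ver & mask:
            header_len += 4
    if len(packet) < header_len:
        raise ValueError("GRE optional fields truncated")
    return {
        "version": flags_ver & 0x7,
        "protocol_type": proto_type,  # 0x0800 = encapsulated IPv4
        "header_len": header_len,
        "payload_len": len(packet) - header_len,
    }


def detect_gre_flood(packets, max_pkts=20, max_bytes=20_000):
    """packets: (src_ip, ip_proto, l4_bytes) tuples from one observation window.
    Returns sources whose GRE packet count or encapsulated byte volume exceeds the
    per-window budget (assumed thresholds); the victim must de-encapsulate all of it."""
    pkts, payload_bytes = Counter(), Counter()
    for src, ip_proto, data in packets:
        if ip_proto != GRE_IP_PROTO:
            continue
        try:
            hdr = parse_gre_header(data)
        except ValueError:
            continue  # malformed GRE never reaches the decapsulator, so it is not counted
        pkts[src] += 1
        payload_bytes[src] += hdr["payload_len"]
    return sorted(src for src in pkts
                  if pkts[src] > max_pkts or payload_bytes[src] > max_bytes)


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_water_torture(queries, min_suspicious=10, min_entropy=2.5, min_len=8):
    """queries: (src_ip, qname, rcode) tuples seen by a recursive resolver.
    Groups by registered domain (assumed: the last two labels) and flags domains
    with many distinct random-looking leftmost labels that resolve to NXDOMAIN,
    the signature of a water-torture flood against that domain."""
    per_domain = defaultdict(lambda: {"suspicious": set(), "nxdomain": 0, "total": 0})
    for _src, qname, rcode in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # query for the zone apex itself, no subdomain label to analyse
        stats = per_domain[".".join(labels[-2:])]
        stats["total"] += 1
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
        leftmost = labels[0]
        if len(leftmost) >= min_len and label_entropy(leftmost) >= min_entropy:
            stats["suspicious"].add(leftmost)
    return sorted(d for d, s in per_domain.items()
                  if len(s["suspicious"]) >= min_suspicious
                  and s["nxdomain"] >= 0.8 * s["total"])


def build_sample_telemetry():
    """Constructed sample data: one GRE flooder, one legitimate tunnel endpoint,
    one water-torture target domain and one quiet domain."""
    gre_hdr = struct.pack("!HH", 0x0000, 0x0800)  # no optional fields, IPv4 inside
    packets = [("203.0.113.7", GRE_IP_PROTO, gre_hdr + b"\x00" * 1400) for _ in range(50)]
    packets += [("198.51.100.5", GRE_IP_PROTO, gre_hdr + b"\x00" * 120) for _ in range(3)]
    packets += [("198.51.100.5", 6, b"TCP payload, ignored by the GRE detector")]

    rng = random.Random(2017)  # seeded so the constructed labels are reproducible
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    queries = [("203.0.113.7",
                "".join(rng.choice(alphabet) for _ in range(12)) + ".victim.example.",
                "NXDOMAIN") for _ in range(20)]
    queries += [("198.51.100.5", "www.victim.example.", "NOERROR"),
                ("198.51.100.5", "mail.victim.example.", "NOERROR")]
    queries += [("198.51.100.9", "www.quiet.example.", "NOERROR") for _ in range(25)]
    return packets, queries


if __name__ == "__main__":
    sample_packets, sample_queries = build_sample_telemetry()
    print("GRE flood sources:", detect_gre_flood(sample_packets))
    print("Water-torture targets:", detect_water_torture(sample_queries))
```

Both heuristics are deliberately rate- and shape-based rather than signature-based: a GRE flood looks like valid GRE, and a water-torture query looks like a valid DNS query, so the only thing a defender can key on is volume per source and the distribution of subdomain labels per zone.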


Is ransomware’s evolution responsible for its recent resurgence?

Yes, it is. Ransomware was first introduced 25 years ago. Traditionally, ransomware is a type of malware that restricts access to user data by encrypting the files on an infected computer and demanding payment for the decryption key. Just like in RDoS, the attacker simply distributes a large-scale phishing campaign in hopes someone will click on the malicious attachment or link.

Recently, the idea has evolved and now relies on cryptocurrency as its main form of payment. Ransomware authors are still using malware to encrypt critical data, making it unusable until the user complies by paying a ransom. What has also changed is the delivery method.

In the WannaCry attack, the attackers did not send out a phishing campaign, but rather used scanners to identify devices that were vulnerable to MS17-010, a Microsoft security update that patched remote code execution vulnerabilities in Microsoft’s SMB services. Once a computer was infected, a worm replicated itself across the device’s network, targeting other computers. This attack represents an evolution in ransomware attacks: they can now leverage recently disclosed exploits and default credentials to infect a device similarly to the way IoT botnets spread.

Not only are authors looking for new delivery methods, they are also looking for new methods to cash in. The latest threat that Radware’s research is witnessing is hackers offering user-friendly attack services, i.e. Ransomware as a Service (RaaS). A novice user can access the Darknet and find several RaaS offerings. Potential criminals can pay a small fee to have access to customizable ransomware platforms. RaaS providers charge a fee for access to the source code, or take a percentage of any profits that are generated. Some even offer ransomware free of charge.

Expert skills are no longer required to hold victims’ information hostage. Satan is the name of one service that automates the process by allowing users to specify the ransom amount, various multipliers and the actual creation of the ransom note, completely free of charge. At the end of the process, a user is left with a malicious .exe file that they can send to their victims.


Between the Darknet going mainstream, the U.S. government repealing certain privacy rules that prevent broadband providers from selling personal data, and the vulnerability of IoT devices, are you seeing data privacy becoming a bigger concern?

Data privacy is a big concern and it’s becoming bigger. The average user is unaware of their digital footprint, how large it is, and how far back it dates. Online privacy is a two-front battle. You have the service providers and the online services that have the ability to harvest data about individuals for marketing or law enforcement purposes. Then there are the criminals who hack these providers and services to either sell the data or target an individual directly.

In 2016, 117 million accounts from LinkedIn were leaked, 360 million from MySpace, 68 million from Tumblr and 127 million from Badoo. These leaks alone compromised over half a billion emails and usernames. This represents a gold mine for hackers who keep databases so they can conduct malicious activity.

Fraud has always been a big business for hackers. Ultimately, users must take steps to ensure their own privacy from both providers and criminals. Users must understand how they connect to the Internet and which data they are comfortable disclosing, such as life events they share on social media. An individual might take steps to keep their image or location from being disclosed, but when a friend posts a tagged picture on Instagram with that individual in the background, this unintentional disclosure becomes data that can be used against that person.

Once an individual has a better understanding of what information they are exposing, they can use a VPN, adjust security settings and become aware of their surroundings to prevent further information from being exposed.

Users should always be alert for phishing emails and should monitor credit and bank statements, keep their personal devices updated, create strong passwords and use two-factor authentication when possible. Users should disable file sharing services and always verify any company they conduct business with. If personal data is stored on a personal computer, consider encrypted file storage and data backup. And never reuse passwords.

Download “When the Bots Come Marching In, a Closer Look at Evolving Threats from Botnets, Web Scraping & IoT Zombies” to learn more.



  1. So who do we contact if we are not only victims but also know of and have devices that have direct software and information linking directly to a group that’s involved in the threats and attacks? What if we have a device that was a part of some of the first attacks back in 2013? What if we not only know of the group but can provide names, locations, etc.?
    As you know, 95% of the local law enforcement agencies have no true understanding of the different areas of attacks. In fact, after I became a victim of such crimes and law enforcement didn’t understand or provide assistance, nor would any of the companies that provide access or were being used as a pathway for access, I’ve spent the last 4 years tracking and locating the group that targeted me, even learning areas of attack and how these groups move the money gained. Your company or this article is right in some areas; however, you’re missing the largest and main parts of the crimes taking place. You see, companies like yourself only react to attacks that you learn of way after the attack. Why isn’t anyone, company or agency, getting ahead or making major arrests? I can tell you why: you’re not putting to use the resources that you have. Meaning no matter if you have the top IT, engineering, hackers, etc. working on the problem, you still need one component….
    Think about what I just stated in this message, and I hope someone will contact me. Not only will I give you the information on the component, I will show you for free. I have no interest in making a profit, nor do I wish to be in any spotlight, just so you understand. So here you go; let’s see if your company truly believes in the information you’re providing. Thank you for your time and keep up the good work. The email below is my direct email.

