As part of its ongoing quest to clean up the internet from malware and botnets, CenturyLink has renamed its threat research and operations division.
CenturyLink announced Thursday that it has rebranded its Threat Research Labs as Black Lotus Labs.
"We're pretty excited about the name change to Black Lotus Labs," said Mike Benjamin, head of Black Lotus Labs, in an interview with FierceTelecom. "In the threat intelligence world, we've done a lot of collaboration amongst groups and various companies. What we're trying to do in this community is build an identity for the threat intelligence at CenturyLink."
On a micro level, Benjamin said the new name gives Black Lotus Lab employees a sense of identity and pride in their organization. On a macro level, Benjamin said CenturyLink and Black Lotus Labs have a sense of commitment to help clean up the internet's threats.
"We have a requirement on ourselves that we need to clean up the internet," Benjamin said. "We need to keep it clean. We need to be working collaboratively with the rest of the internet community, data center community and application owners to be able to make sure that the internet is a clear place."
As an example of keeping the internet clean for CenturyLink customers and the internet at large is Black Lotus Labs' effort tracking and disrupting botnets such as Necurs, According to a Black Lotus Labs blog post, Necurs has gone through several evolutions since it was first discovered in 2012.
"Most people know Necurs as a spam botnet, and if you go read research over the years you will find a ton of information about the email it has delivered," Benjamin said. "When I say spam, I do mean both trying to sell things and get you to click on stuff from a lot of junk mail perspective as well as malspam. So it's trying to deliver ransomware to look for secondary payloads.
"That's how Necurs grew its name. That's how it gets all of its notoriety. Some of the other payloads that we have seen this deliver in more recent years is cryptomining."
Benjamin describes Necurs as the multitool of botnets, due to it evolving from operating as a spam botnet delivering banking trojans and ransomware to developing a proxy service, as well as cryptomining and DDoS capabilities.
Necurs has roughly 570,000 bots deployed around the globe, with about half located in the following countries, in order of prevalence: India, Indonesia, Vietnam, Turkey and Iran.
Necurs has the ability to go dark for a period of time to avoid detection. Starting in May of last year, Black Lotus Labs observed regular, sustained downtime of roughly two weeks, followed by roughly three weeks of activity for the three most active groups of bots comprising Necurs.
Necurs uses a domain generation algorithm (DGA) to hide its operations and avoid takedown. Black Lotus Labs said that DGA was a double-edged sword. Because the DGA domains Necurs uses are known in advance, security researchers can use methods like sinkholing DGA domains and analyzing DNS and network traffic to enumerate bots and command and control (C2) infrastructure.
"The work that we did was helping to identify for the industry more about how it works as well as the tracking methodology," Benjamin said. We're able to describe, through the tracking, how it utilizes domain generation algorithm callbacks. When it can't reach its normal infrastructure, it has a predefined algorithm in the code, then it tries to generate a domain name and go look up the domain name and then reach out to it and say, 'What are my commands? What are my other command and control?'
"We've been able to reverse engineer that algorithm to be able to watch what it is resolving at that point in time, sinkhole it and collect the data of what the affected hosts are doing when they fall back."
After tracking Necurs, CenturyLink took steps to mitigate the risk to its customers, in addition to notifying other network owners of potentially infected devices to help protect the internet.
"What we're typically doing is informing them of what time stamps and IP addresses they need to go investigate, and then advising them to take this very standard antivirus malware cleanup procedures that they no doubt have in place within their own environments to clean it up," Benjamin said. "I think probably the most interesting takeaway from this blog is that the depth of information that can be gleaned from a very long lasting and sophisticated botnet through the use of network visibility, DNS analytics and security work.
"It's bringing our highly skilled team together with our DNS powers and with the global network visibility we have that allows us to share this with rest of the security community as well as those are infected by this malware. The more we can communicate, share and educate people on how it works, the larger the impact we can create on cleaning it up."