
Fast Predictive Detection of Malware domains: A New System presented at BSides Raleigh 2013

By Dhia Mahjoub
Posted on November 7, 2013
Updated on July 16, 2020


Threat prediction systems are now critically important to face the ever-growing breadth and complexity of online attacks. Three weeks ago, I attended BSides Raleigh and presented a fast predictive detection system for malware domains that leverages network reputation and our passive DNS database. This new system has helped mitigate several threats over the past few months, such as fast-flux botnet domains, CryptoLocker CnCs, exploit kit domains, and other ransomware domains.

Attending the conference

It was great to be a part of BSides Raleigh and spend some time in the city. All of the talks were very informative, and everyone showed a high level of knowledge and intellectual curiosity, which contributed to the success of the conference. Another memorable thing about the event was the very cool T-Shirt design:

[Image: the BSides Raleigh T-shirt design]

Before I describe my presentation, let me go over some of the other great talks. In the opening session, Advanced Evasion Techniques—Pwning the Next Generation Security Products, David Kennedy described elaborate techniques to evade current enterprise security products. He discussed how to:

  • Profile a target organization “without sending a single packet to them” (using social networks, Project Sonar shared data, search engines, etc.).
  • Find out what defensive capabilities they have in place.
  • Get an attack past their preventive measures (e.g. next-generation firewalls, web application firewalls, application allow-listing, IDS, vulnerability assessment tools, SIEM, AV, egress filtering, etc.).

Dave kept his presentation interesting with fascinating live demos of the tools he uses:

  • Torpedo (a tool he wrote but has not released yet), used with Burp to profile web application firewalls.
  • Recon-ng, used with jigsaw.com for organization reconnaissance and information gathering (there is also a tool for enumerating information about a company’s employees, itself called jigsaw).
  • theHarvester: another information gathering tool (part of BackTrack), used for instance to work out the email naming scheme of a target organization.
  • The Social-Engineer Toolkit (SET).


Dave also discussed how to craft targeted emails that trigger emotional responses in their recipients in order to penetrate the organization via social engineering. He described how to clone a site to harvest usernames and passwords, and how to obfuscate and sign the attached payloads with a throw-away certificate to abuse trust and get the victim to run the payload.

In Malware Automation, Chris Elisan discussed the current state of malware, and described the tools an attacker can use to automatically build an army of armored malware. This arsenal consists of:

  • DIY kits (e.g. SpyEye, Zeus) that can generate an unlimited number of malware samples.
  • Armoring tools (which use the time and date to generate a nearly unlimited number of distinct samples):
    • Packers (e.g. UPX).
    • Crypters (e.g. PFE CX, or online services such as indetectables.net).
    • Joiners/binders.
  • AV scanners for quality assurance (on-premise, or in the cloud).

Chris demoed the Zeus crimeware kit and the Saw crypter and showed how they can generate new, unique malware samples en masse and on the fly.

In Bending and Twisting Networks, Paul Coggin went over various advanced strategies and techniques to attack and penetrate network infrastructure, and to monitor and exfiltrate data flows. These methods exploit protocols, device features, and network trust relationships (e.g. SNMP, IP routing policies, GRE tunnels, ERSPAN, DLSw, L2TP, the lawful intercept feature, OSPF, BGP, etc.). Paul also discussed several approaches to mitigate these attack vectors.

My presentation

When it was my turn, I discussed a fast predictive detection system for malware domains that I built, leveraging network reputation and our passive DNS database (DNSDB). The slides of the talk are available here.

[Image: title slide of the talk]

This system consists of two components:

  • An IP reputation component that carefully builds a watchlist of high risk IPs to monitor, and
  • A detection component that performs inverse lookups against the DNSDB to instantly detect new malicious domains that resolve to the IPs in the watchlist.

Both components run continuously. In the background, the DNSDB is also constantly fed with the authoritative traffic coming from our resolvers. This traffic is first cleaned and deduplicated, then added to the indexed DNSDB.

Over the past months, this system has been monitoring and detecting several threats such as:

  • Domains serving various Exploit kits: BlackHole, Neutrino, NuclearPack, Angler, Magnitude, Styx, etc.
  • CnC domains for trojans such as Sality, Caphaw.
  • CnC domains for ransomware such as CryptoLocker, Reveton, Urausy.
  • Domains serving browser-based ransomware (browlock).

Early detection of initial Cryptolocker CnC domains


Cryptolocker, the now infamous ransomware, emerged in early September of this year. The very first two CnCs spotted in the wild (xeogrhxquuubt,com and qaaepodedahnslq,org) were picked up by our detection system as soon as they hit our traffic and a few hours before they were published in the security community. We think that this ensured the initial low infection rate for Umbrella users. We further used other models to track down Cryptolocker DGA CnCs and mitigate the threat for our customers.

Predicting the emergence of Exploit kit and malware domains

The detection system also regularly helps predict patterns of how malicious domains use the network infrastructure.

One example was NuclearPack domains that were initially spotted on 142.4.194.0 on Oct 28th [details here]. We predicted that the Exploit kit domains would soon shift to the next IPs, and that was confirmed the next day [details here].

We also used the system to spot a malware campaign at an early stage. On Nov 1st we discovered that the 55 IPs in the range 62.122.73.200-254 were all loaded with rogue software payloads, while only 8 of them were hosting live domains at the moment of discovery. We predicted that new domains would emerge on the remaining IPs [details here]. This has been confirmed, and currently 22 IPs are hosting domains and serving the malware payloads. The campaign is still ongoing, and we expect the full range of 55 IPs to be used for domain hosting and malware serving.
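As an added illustration of the two components described above (an IP reputation watchlist, inverse lookups against a deduplicated passive DNS store) and of the neighbouring-IP prediction used in the NuclearPack and 62.122.73.x cases, here is a small Python model. It is not the author's code or Umbrella's DNSDB: the record store, the thresholds, and every domain name and address (drawn from the RFC 5737 documentation ranges) are constructed for the example.

```python
"""Toy model of the detector described in the post: a deduplicated passive DNS
store with an inverse (IP -> domains) index, an IP reputation watchlist, and a
detection pass that flags new domains resolving onto watched IPs.
Everything here is constructed for illustration; it is not Umbrella's DNSDB."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str  # queried domain name as seen in authoritative traffic
    ip: str    # A record answer


class PassiveDNS:
    """Stores cleaned, deduplicated (name, ip) pairs and indexes them both ways."""

    def __init__(self):
        self._seen = set()
        self.by_ip = defaultdict(set)    # inverse index: ip -> names
        self.by_name = defaultdict(set)  # forward index: name -> ips

    def ingest(self, records):
        """Clean and dedupe answers before indexing; returns how many were new."""
        added = 0
        for r in records:
            name = r.name.rstrip(".").lower()
            try:
                ip = str(ipaddress.ip_address(r.ip))
            except ValueError:
                continue  # malformed answer: dropped during cleaning
            if (name, ip) in self._seen:
                continue  # duplicate: already indexed
            self._seen.add((name, ip))
            self.by_ip[ip].add(name)
            self.by_name[name].add(ip)
            added += 1
        return added

    def inverse_lookup(self, ip):
        """All names observed resolving to `ip`."""
        return set(self.by_ip.get(ip, ()))


class Watchlist:
    """IP reputation: an IP is watched once `threshold` known-bad names resolve to it."""

    def __init__(self, threshold=2):
        self.threshold = threshold
        self.ips = set()

    def update(self, pdns, known_bad):
        for name in known_bad:
            for ip in pdns.by_name.get(name, ()):
                if len(pdns.by_ip[ip] & known_bad) >= self.threshold:
                    self.ips.add(ip)
        return set(self.ips)

    def expand_neighbours(self, network, min_hits=3):
        """Predictive step: once `min_hits` watched IPs cluster inside `network`,
        watch the whole range so domains landing on the next IPs are caught."""
        hits = [ip for ip in self.ips if ipaddress.ip_address(ip) in network]
        if len(hits) >= min_hits:
            self.ips |= {str(h) for h in network.hosts()}
        return set(self.ips)


def detect(pdns, watchlist, known_bad):
    """Detection component: names on watched IPs that are not yet known bad."""
    new = set()
    for ip in watchlist.ips:
        new |= pdns.inverse_lookup(ip) - known_bad
    return new


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_RECORDS = [
    Record("kit-a1.example.", "203.0.113.10"),
    Record("kit-a2.example.", "203.0.113.10"),
    Record("KIT-A2.example", "203.0.113.10"),        # same pair after cleaning: deduped
    Record("kit-b1.example", "203.0.113.11"),
    Record("kit-b2.example", "203.0.113.11"),
    Record("kit-c1.example", "203.0.113.12"),
    Record("kit-c2.example", "203.0.113.12"),
    Record("fresh-landing.example", "203.0.113.10"),  # unknown name on a watched IP
    Record("next-landing.example", "203.0.113.30"),   # unknown name on a neighbouring IP
    Record("shop.example", "198.51.100.5"),           # unrelated hosting, never watched
    Record("broken.example", "not-an-ip"),            # malformed answer, dropped
]
KNOWN_BAD = {"kit-a1.example", "kit-a2.example", "kit-b1.example",
             "kit-b2.example", "kit-c1.example", "kit-c2.example"}


def run_demo():
    """Runs ingest -> watchlist -> detect, then the neighbour prediction step."""
    pdns = PassiveDNS()
    ingested = pdns.ingest(SAMPLE_RECORDS)
    wl = Watchlist(threshold=2)
    seed = wl.update(pdns, KNOWN_BAD)
    before = detect(pdns, wl, KNOWN_BAD)
    wl.expand_neighbours(ipaddress.ip_network("203.0.113.0/24"), min_hits=3)
    after = detect(pdns, wl, KNOWN_BAD)
    return {"ingested": ingested, "watchlist_seed": seed,
            "detected_before": before, "detected_after": after}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Before the neighbour step only fresh-landing.example is flagged, because it shares 203.0.113.10 with two known-bad names; after three watched IPs cluster in the same /24, the whole range is watched and next-landing.example on 203.0.113.30 is caught the moment it appears in traffic. In practice the hit threshold and the size of the range you expand to need to reflect how densely the hosting provider packs unrelated customers, otherwise a shared range turns the prediction into a source of false positives.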

Conclusion

Security is a complex endeavor, and the various talks at BSides Raleigh showed once more that different layers and strategies must be deployed to protect valuable assets of the individual and enterprise alike. The human element is also important, as a lot of current attacks combine social engineering with technical exploitation.

This new predictive detection system for malware domains is an early detection layer in a defense-in-depth approach to security. It’s now a key part of the arsenal of models we use to detect malicious domains at the earliest stage so we can protect our customers from the avalanche of online threats.
