
OpenDNS Offers Security Researchers Free Service For Tracking Cybercrime, Cyberespionage

Red October, PayPal phishing campaign connection discovered via new OpenDNS service for researchers

KASPERSKY ANALYST SUMMIT -- San Juan, Puerto Rico -- An OpenDNS executive here today will announce that the DNS and security service provider is offering security researchers free access to its Internet and DNS traffic data and analysis. The idea is to provide researchers with a more global view of malware, botnets, and advanced threats rather than just a snapshot or slice of the activity.

Dan Hubbard, CTO at OpenDNS, says the so-called Umbrella Security Graph project is for security researchers, investigators, and educators to help them identify new information on existing attacks, as well as to discover new attacks. "It's based on our massive amount of data: It's the intersection of the big-data and data-mining movement in security," he says. Researchers work with the data through the project's contextual search engines and visualization tools, he says.

"Security research over the years has been manually driven," he says. "It's designed to help identify new information on existing attacks, attacks they didn't know about, and forensics on attacks and victims combined with other data attributed to the attacks."

Hubbard says the goal is more predictive security intelligence rather than always chasing after the bad guys.

OpenDNS used its Umbrella Security Graph to connect the dots in at least one aspect of the Red October targeted attacks revealed by Kaspersky Lab last month: "Some locations hosting the [Red October] command-and-control were also hosting a PayPal phish," Hubbard says. It's unclear whether the same group was behind both campaigns, but the find was yet another example of the intersection between traditional cybercrime and cyberespionage, he says.

"They've taken the code and repackaged it in some way," says Hubbard, who will demonstrate here today how the tool can find locations, domains, and other characteristics of Red October.

OpenDNS's Umbrella Security Graph is based on the DNS service provider's global network of 45 billion daily DNS query requests from some 50 million users worldwide. "It allows us to query data in very large and massive [volumes], and to combine it with algorithms and technologies that identify the attacks and then connect them together," he says.
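The co-hosting observation above (a command-and-control host sharing a location with a phishing domain) is the kind of pivot a DNS graph makes cheap: map domains to the addresses they resolved to, then walk from a known-bad domain to its neighbours. The following is an added example written for this article; it is not OpenDNS code and says nothing about how Umbrella Security Graph is actually implemented. It builds a small domain/IP graph from constructed passive-DNS records (domains on the reserved .invalid TLD, addresses from the RFC 5737 documentation ranges), finds domains that resolved to the same IP as a seed domain during the same period, and discounts crowded shared-hosting addresses, where co-location is weak evidence.

```python
"""Passive-DNS pivoting over a small domain/IP graph.

Added illustration of the "connect the dots" query described in the
article; not OpenDNS code and unrelated to the real Umbrella Security
Graph. All records are constructed: domains use the reserved .invalid
TLD and IPs come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS observations: (domain, ip, first_seen, last_seen).
# "c2-update.invalid" stands in for a known command-and-control host.
RECORDS = [
    ("c2-update.invalid",     "192.0.2.10",   date(2012, 11, 1), date(2013, 1, 14)),
    ("c2-update.invalid",     "198.51.100.7", date(2013, 1, 10), date(2013, 1, 20)),
    ("c2-update.invalid",     "203.0.113.5",  date(2012, 6, 1),  date(2012, 7, 1)),
    ("paypal-verify.invalid", "192.0.2.10",   date(2012, 12, 5), date(2013, 1, 9)),
    ("news-mirror.invalid",   "192.0.2.10",   date(2010, 3, 1),  date(2013, 2, 1)),
    ("account-alert.invalid", "198.51.100.7", date(2013, 1, 12), date(2013, 1, 19)),
]
# A crowded shared-hosting IP: 60 unrelated (constructed) tenants beside the seed.
RECORDS += [(f"site{i}.invalid", "203.0.113.5", date(2012, 1, 1), date(2013, 2, 1))
            for i in range(60)]


def build_graph(records):
    """Bipartite graph: domain -> {ip}, ip -> {domain}, plus each edge's window."""
    d2ip, ip2d, window = defaultdict(set), defaultdict(set), {}
    for domain, ip, first, last in records:
        d2ip[domain].add(ip)
        ip2d[ip].add(domain)
        window[(domain, ip)] = (first, last)
    return d2ip, ip2d, window


def days(first, last):
    """Inclusive length in days of a (first_seen, last_seen) window."""
    return (last - first).days + 1


def temporal_overlap(w1, w2):
    """Days both windows were active on the IP, 0 if they never coincided."""
    start, end = max(w1[0], w2[0]), min(w1[1], w2[1])
    return days(start, end) if start <= end else 0


def pivot(records, seed, max_tenants=20):
    """Domains that shared an IP with `seed` while `seed` resolved there.

    Each hit is scored by overlap / union of the two windows on that IP, so
    a domain that lived on the IP only during the seed's tenancy scores near
    1.0 and a long-lived tenant that merely happened to be there scores low.
    IPs with more than `max_tenants` domains are skipped: shared hosting and
    CDNs put unrelated sites on one address, so co-location there is weak.
    Returns [(domain, ip, overlap_days, score)] sorted by score, best first.
    """
    d2ip, ip2d, window = build_graph(records)
    hits = []
    for ip in d2ip.get(seed, ()):
        if len(ip2d[ip]) > max_tenants:
            continue
        w_seed = window[(seed, ip)]
        for other in ip2d[ip] - {seed}:
            w_other = window[(other, ip)]
            overlap = temporal_overlap(w_seed, w_other)
            if overlap == 0:
                continue
            union = days(*w_seed) + days(*w_other) - overlap
            hits.append((other, ip, overlap, overlap / union))
    return sorted(hits, key=lambda h: h[3], reverse=True)


if __name__ == "__main__":
    for domain, ip, overlap, score in pivot(RECORDS, "c2-update.invalid"):
        print(f"{domain:24} {ip:14} overlap={overlap:3d}d score={score:.2f}")
```

Run on the constructed records, the short-lived "account-alert.invalid" and "paypal-verify.invalid" rank above the long-lived "news-mirror.invalid" even though the latter overlapped the seed for more days, and the 60 tenants of the shared-hosting address never appear. That is the point of the score and the tenant cap: in real passive-DNS data, a raw "same IP" join produces mostly noise, and temporal and density context is what turns it into evidence worth a human look.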

Researchers must be authorized, vetted, and authenticated to use the free service, which is closed to the general public, he says. "Researchers can connect to our platform and query it like a search engine to look around for attacks," Hubbard says.

Harnessing a more global view of attacks is the Holy Grail for researchers today. A group of researchers from Northeastern University, Symantec Research Labs, Eurecom, and UC Santa Barbara recently built a prototype system for detecting botnets on a large scale and for finding previously unknown botnet C&C servers. The tool spots botnet activity over the Internet as a whole, rather than just within an organization, according to the group of researchers.

Aside from the Red October find, Hubbard also will demonstrate here how OpenDNS researchers used Umbrella Security Graph to drill down into the recently discovered Linux backdoor attack, and to inspect a botnet.


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
