06:59 AM
OpenDNS Offers Security Researchers Free Service For Tracking Cybercrime, Cyberespionage

Red October, PayPal phishing campaign connection discovered via new OpenDNS service for researchers

KASPERSKY ANALYST SUMMIT -- San Juan, Puerto Rico -- An OpenDNS executive here today will announce that the DNS and security service provider is offering security researchers free access to its Internet and DNS traffic data and analysis. The idea is to provide researchers with a more global view of malware, botnets, and advanced threats rather than just a snapshot or slice of the activity.

Dan Hubbard, CTO at OpenDNS, says the so-called Umbrella Security Graph project is for security researchers, investigators, and educators to help them identify new information on existing attacks, as well as to discover new attacks. "It's based on our massive amount of data: It's the intersection of the big-data and data-mining movement in security," he says. Researchers can work with the data through the project's contextual search engines and visualization tools, he says.

"Security research over the years has been manually driven," he says. "It's designed to help identify new information on existing attacks, attacks they didn't know about, and forensics on attacks and victims combined with other data attributed to the attacks."

Hubbard says the goal is more predictive security intelligence rather than always chasing after the bad guys.

OpenDNS used its Umbrella Security Graph to connect the dots in at least one aspect of the Red October targeted attacks revealed by Kaspersky Lab last month: "Some locations hosting the [Red October] command-and-control were also hosting a PayPal phish," Hubbard says. It's unclear whether the same group was behind both campaigns, but the find was yet another example of the intersection between traditional cybercrime and cyberespionage, he says.

"They've taken the code and repackaged it in some way," says Hubbard, who will demonstrate here today how the tool can find locations, domains, and other characteristics of Red October.

OpenDNS's Umbrella Security Graph is based on the DNS service provider's global network of 45 billion daily DNS query requests from some 50 million users worldwide. "It allows us to query data in very large and massive [volumes], and to combine it with algorithms and technologies that identify the attacks and then connect them together," he says.
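The Red October finding above (a command-and-control host sharing its hosting with a PayPal phish) and the "connect them together" description of the graph both come down to pivoting on shared infrastructure in DNS resolution data. The following is an added illustration, not code from OpenDNS or the Umbrella Security Graph: it takes constructed passive-DNS-style (domain, IP) observations with placeholder names in reserved address ranges, and walks from one known-bad seed domain to every other domain that resolved to the same addresses, hop by hop. The `max_fanout` cut-off is an assumption about how a practitioner would avoid false links through bulk shared hosting, where co-tenancy on one address says nothing about a relationship.

```python
from collections import defaultdict, deque

# Constructed passive-DNS-style (domain, resolved IP) observations. All names and
# addresses are placeholders in reserved ranges, not indicators from the article.
RECORDS = [
    ("c2-example.invalid", "192.0.2.10"),      # seed: a known command-and-control host
    ("paypa1-login.invalid", "192.0.2.10"),    # co-hosted phishing lookalike
    ("paypa1-login.invalid", "192.0.2.11"),    # the phish also lived on a second address
    ("update-cdn.invalid", "192.0.2.11"),      # reachable only through that second address
    ("news-mirror.invalid", "203.0.113.7"),
    ("c2-example.invalid", "203.0.113.7"),
    ("c2-example.invalid", "198.51.100.4"),    # a bulk shared-hosting address ...
    ("benign-shop.invalid", "198.51.100.4"),
]
# ... with 60 unrelated tenants, so co-tenancy there is not evidence of anything.
RECORDS += [(f"shared-host-{i}.invalid", "198.51.100.4") for i in range(60)]


def build_indexes(records):
    """Two inverted indexes: IP -> domains seen on it, domain -> IPs it resolved to."""
    by_ip, by_domain = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain)
        by_domain[domain].add(ip)
    return by_ip, by_domain


def pivot(seed, records, max_hops=2, max_fanout=50):
    """Breadth-first pivot over shared hosting starting from one known-bad domain.

    Each hop goes domain -> its IPs -> every other domain seen on those IPs.
    Returns {domain: (hop_distance, {ips it shares with an already-reached domain})}.
    An IP hosting more than max_fanout domains is treated as bulk shared hosting
    and is not expanded (an assumed heuristic, not something the article describes).
    """
    by_ip, by_domain = build_indexes(records)
    found = {}
    visited = {seed}
    queue = deque([(seed, 0)])
    while queue:
        domain, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for ip in by_domain.get(domain, ()):
            tenants = by_ip[ip]
            if len(tenants) > max_fanout:
                continue  # bulk hosting: skip rather than link every tenant to the seed
            for other in tenants:
                if other == domain or other == seed:
                    continue
                # BFS order guarantees the first recorded distance is the shortest.
                _, shared_ips = found.setdefault(other, (hops + 1, set()))
                shared_ips.add(ip)
                if other not in visited:
                    visited.add(other)
                    queue.append((other, hops + 1))
    return found


if __name__ == "__main__":
    for domain, (hops, ips) in sorted(pivot("c2-example.invalid", RECORDS).items(),
                                      key=lambda kv: (kv[1][0], kv[0])):
        print(f"hop {hops}: {domain} via {sorted(ips)}")
```

With the constructed records, the phishing lookalike and the mirror site appear one hop from the seed, the CDN-named domain only at hop two through the phish's second address, and the 60 bulk tenants are left out entirely; raising `max_fanout` past the tenant count brings them back, which is the trade-off an analyst tunes by hand.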

Researchers must be authorized, vetted, and authenticated to use the free service, which is closed to the general public, he says. "Researchers can connect to our platform and query it like a search engine to look around for attacks," Hubbard says.

Harnessing a more global view of attacks is the Holy Grail for researchers today. A group of researchers from Northeastern University, Symantec Research Labs, Eurecom, and UC Santa Barbara recently built a prototype system for detecting botnets on a large scale and for finding previously unknown botnet C&C servers. The tool spots botnet activity over the Internet as a whole, rather than just within an organization, according to the group of researchers.

Aside from the Red October find, Hubbard also will demonstrate here how OpenDNS researchers used Umbrella Security Graph to drill down into the recently discovered Linux backdoor attack, and to inspect a botnet.


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
