Red October, PayPal phishing campaign connection discovered via new OpenDNS service for researchers

Dark Reading Staff, Dark Reading

February 5, 2013


KASPERSKY ANALYST SUMMIT -- San Juan, Puerto Rico -- An OpenDNS executive here today will announce that the DNS and security service provider is offering security researchers free access to its Internet and DNS traffic data and analysis. The idea is to provide researchers with a more global view of malware, botnets, and advanced threats rather than just a snapshot or slice of the activity.

Dan Hubbard, CTO at OpenDNS, says the so-called Umbrella Security Graph project is for security researchers, investigators, and educators, to help them identify new information on existing attacks as well as discover new ones. "It's based on our massive amount of data: It's the intersection of the big-data and data-mining movement in security," he says. Researchers can explore that data with the project's contextual search engines and visualization, he says.

"Security research over the years has been manually driven," he says. "It's designed to help identify new information on existing attacks, attacks they didn't know about, and forensics on attacks and victims combined with other data attributed to the attacks."

Hubbard says the goal is more predictive security intelligence rather than always chasing after the bad guys.

OpenDNS used its Umbrella Security Graph to connect the dots in at least one aspect of the Red October targeted attacks revealed by Kaspersky Lab last month: "Some locations hosting the [Red October] command-and-control were also hosting a PayPal phish," Hubbard says. It's unclear whether the same group was behind both campaigns, but the find was yet another example of the intersection between traditional cybercrime and cyberespionage, he says.

"They've taken the code and repackaged it in some way," says Hubbard, who will demonstrate here today how the tool can find locations, domains, and other characteristics of Red October.
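The co-hosting pivot Hubbard describes (a C&C domain and a phishing domain resolving to the same hosting) can be reproduced on a small scale from passive-DNS style records. The following is an added illustration, not OpenDNS code; every domain and IP address in it is made up, and the fan-out cutoff is an assumed heuristic for skipping widely shared hosting.

```python
from collections import defaultdict, deque

# Constructed passive-DNS style resolution records: (domain, ip).
# All names and addresses are placeholders invented for this example.
RECORDS = [
    ("c2-alpha.example", "198.51.100.10"),
    ("c2-alpha.example", "198.51.100.11"),
    ("c2-beta.example", "198.51.100.11"),
    ("paypa1-login.example", "198.51.100.10"),
    ("paypa1-login.example", "203.0.113.5"),
    ("news-update.example", "203.0.113.5"),
    ("unrelated-shop.example", "192.0.2.77"),
]
# Hosting shared by very many unrelated domains (CDNs, big shared hosts)
# is weak evidence of a link; IPs above this fan-out are not pivoted on.
MAX_FANOUT = 50

def build_graph(records):
    """Bipartite graph: domain -> set of IPs and IP -> set of domains."""
    d2ip, ip2d = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        d2ip[domain].add(ip)
        ip2d[ip].add(domain)
    return d2ip, ip2d

def pivot(seed, records, max_hops=1, max_fanout=MAX_FANOUT):
    """Return {domain: hops} for domains reachable from `seed` through
    shared IPs. One hop = one shared IP; the depth limit keeps the
    expansion small enough for an analyst to review by hand."""
    d2ip, ip2d = build_graph(records)
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        dom = queue.popleft()
        hops = seen[dom]
        if hops >= max_hops:
            continue
        for ip in d2ip.get(dom, ()):
            if len(ip2d[ip]) > max_fanout:
                continue  # too widely shared to count as a connection
            for nxt in ip2d[ip]:
                if nxt not in seen:
                    seen[nxt] = hops + 1
                    queue.append(nxt)
    del seen[seed]
    return seen

def shared_ips(a, b, records):
    """IPs both domains resolved to: the evidence behind a one-hop link."""
    d2ip, _ = build_graph(records)
    return sorted(d2ip[a] & d2ip[b])
```

Calling `pivot("c2-alpha.example", RECORDS, 2)` links the phishing-style domain at one hop through the shared address and a further domain at two hops, while the unrelated domain never appears.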

OpenDNS's Umbrella Security Graph is based on the DNS service provider's global network of 45 billion daily DNS query requests from some 50 million users worldwide. "It allows us to query data in very large and massive [volumes], and to combine it with algorithms and technologies that identify the attacks and then connect them together," he says.

Researchers must be authorized, vetted, and authenticated to use the free service, which is closed to the general public, he says. "Researchers can connect to our platform and query it like a search engine to look around for attacks," Hubbard says.

Harnessing a more global view of attacks is the Holy Grail for researchers today. A group of researchers from Northeastern University, Symantec Research Labs, Eurecom, and UC Santa Barbara recently built a prototype system for detecting botnets on a large scale and for finding previously unknown botnet C&C servers. The tool spots botnet activity over the Internet as a whole, rather than just within an organization, according to the group of researchers.

Aside from the Red October find, Hubbard also will demonstrate here how OpenDNS researchers used Umbrella Security Graph to drill down into the recently discovered Linux backdoor attack, and to inspect a botnet.
