Meet Francesco, a Member of the Umbrella Labs Security Community

We’re searching for smart, passionate Internet security experts to join the Umbrella Labs Security Community. Members of the Umbrella Labs Security Community are on the front lines of Internet security: they can submit malicious and potentially malicious domains for community review and discussion. The community is made up of security researchers, IT technicians and software engineers from all around the globe who are strongly dedicated to keeping the Internet safe and secure. For more information about how ...

Discovery of New Malicious Domains Using Authoritative Name Server Traffic

Authoritative DNS Overview

Each day, OpenDNS handles an average of 40 billion recursive DNS queries, which are efficiently directed to our 13 worldwide datacenters. Each data center hosts tens of DNS resolvers. When a resolver receives a recursive DNS query, it first checks whether it has an answer in its cache and, if so, replies with that answer. If there’s no answer in the cache, or if the cached answer has expired, it issues an upstream DNS query to the authoritative name servers ...

The role of country code top-level domains (ccTLDs) in malware classification

Last week we posted an examination of whether where a domain is hosted increases its likelihood of being malicious. Indeed, we confirmed that some countries host a significantly higher ratio of malicious sites to clean sites. But rather than rest on a superficial assumption based on the geography of where a domain is hosted, we wanted to explore more deeply the relationship between geography, ccTLDs and malicious domains.

Unlike generic top-level domains (.com, .net) that most anyone can buy, an Internet ...


Kaspersky Labs recently reported on an attack they are calling “Red October”. The report included details on the attack dynamics, including what they refer to as the attackers’ advanced cyber espionage network. After reviewing the report we realized that we had already classified the vast majority of the hosts, thus protecting Umbrella customers. We then performed some additional research on the hosts included.

One of the more powerful tools we have is our own internal search engine that allows ...

Java 0 Day Exploit (CVE-2013-0422) Distribution Domains

Security researchers disclosed a new Java vulnerability yesterday. Kaffeine’s report is known to be the first alarm raised. A number of the most popular Web exploit tools, including BlackHole Exploit Kit (BH) and Cool Exploit Kit (Cool EK), are known to include the latest Java exploit.

Four domains distributing this exploit were first disclosed in Kaffeine’s report.

(added today) lapy[.]pl

(added today) jtmtir[.]eu

The traffic to the above sites shows a sharp spike during a single hour (06:00 UTC). We hypothesize ...