Tracking Versatile Kelihos Domains

Previously, we discussed how we regularly monitor our DNS traffic for malicious fast flux domains [1][2]. One notable family of fast flux domains that we see every day is the “Kelihos” domains: a steady stream of DGA-like .ru domains (occasionally .com or .us), freshly registered, resolving to a single IP with a TTL of zero, and whose name servers are also fluxing with a TTL of zero. These domains have been covered numerous times recently [3][4] and been the subject ...

Discovering Malicious Domains Using Co-Occurrences

The infection chain for serving a single piece of malware frequently consists of many constantly changing domains. The security community finds thousands of new sites serving malware or acting as intermediaries every day. Hosts used to control botnets are also constantly changing in order to be resilient to takedowns.

In this context, we need to discover and block new suspicious domains as soon as possible. In order to do so, we use different models, each of them capturing different sets of domains. Once we have evidence of a server ...

Fake PC Optimizer Scam Uncovered

Utilizing the power of the Umbrella Security Graph, our Labs Team is constantly on the lookout for any anomalies that could indicate potential threats. Recently, we’ve noticed several domains that appear to be search engines triggering a number of predictive models in the Security Graph.

These high-volume domains seemed to be stable, but a number of red flags quickly became apparent: they demonstrated fast flux behavior, resided in low-reputation IP subnets, and had an alarmingly low secure rank. Although the software appeared legitimate, and ...

Massive Algorithmic Discovery and Beyond

Today’s blog is a fun story of how Umbrella Security Lab researchers uncovered a massive rogue PC fix campaign, relying on algorithmic big data crunching models, sandboxing, and field investigations (including an anonymous phone call to the rogue PC fix service under the customer name of Virgilio Calabrese).

The storyline

As Umbrella Security Lab often demonstrates, patterns emerge when you possess the right data and weave it together. This can be done despite attackers’ efforts to randomize traffic, injecting noise to ...