Tracking Versatile Kelihos Domains

Previously, we discussed how we regularly monitor our DNS traffic for malicious fast flux domains [1][2]. One notable family of fast flux domains that we see every day is the “Kelihos” domains: a steady stream of DGA-like .ru domains (occasionally .com or .us), freshly registered, resolving to a single IP with a TTL of zero, and whose name servers are also fluxing with a TTL of zero. These domains have been covered numerous times recently [3][4] and been the subject ...
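The traits listed above are concrete enough to turn into a passive-DNS check. The script below is an added example, not OpenDNS/Umbrella code: it scores each domain's observed responses against the fingerprint (suspect TLD, DGA-like label, fresh registration, a single A record with TTL 0, name-server glue that changes between lookups with TTL 0) and flags only domains that match every trait. The threshold of 7 days for "freshly registered", the entropy cut-off for "DGA-like", and the `DnsResponse` record shape are assumptions; the sample responses and registration ages are constructed, using documentation IP ranges.

```python
"""Flag domains matching the Kelihos-style fast-flux fingerprint.

Added example, not Umbrella Security Labs code. Thresholds and the
DnsResponse layout are assumptions; sample data is constructed.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

SUSPECT_TLDS = {"ru", "com", "us"}
FRESH_DAYS = 7          # assumption: "freshly registered" = at most a week old
DGA_MIN_LEN = 8         # assumption: DGA labels are long ...
DGA_MIN_ENTROPY = 3.0   # ... and near-uniform (bits/char); English words sit well below


@dataclass(frozen=True)
class DnsResponse:
    """One resolution as seen by the resolver: A answers plus the NS glue that came with it."""
    domain: str
    a_ips: tuple   # IPs in the A answer section
    a_ttl: int     # TTL on the A records
    ns_ips: tuple  # IPs of the authoritative name servers (glue / additional section)
    ns_ttl: int    # TTL on those NS/glue records


def shannon_entropy(text):
    """Bits per character of the label's empirical character distribution."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(domain):
    """True when the second-level label is long and close to random."""
    parts = domain.rstrip(".").lower().split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]
    return len(label) >= DGA_MIN_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY


def fingerprint(domain, responses, age_days):
    """Which traits of the fingerprint this domain's responses exhibit."""
    tld = domain.rstrip(".").lower().rsplit(".", 1)[-1]
    ns_sets = {frozenset(r.ns_ips) for r in responses}   # distinct NS IP sets seen
    return {
        "suspect_tld": tld in SUSPECT_TLDS,
        "dga_like": looks_dga(domain),
        # unknown registration date (None) is not treated as fresh
        "fresh": age_days is not None and age_days <= FRESH_DAYS,
        # every lookup returned exactly one A record with TTL 0
        "single_ip_ttl0": all(len(r.a_ips) == 1 and r.a_ttl == 0 for r in responses),
        # name servers carry TTL 0 and actually moved between lookups
        "ns_flux_ttl0": all(r.ns_ttl == 0 for r in responses) and len(ns_sets) > 1,
    }


def flag_kelihos_like(responses, ages):
    """Group responses by domain and return the domains matching every trait."""
    by_domain = defaultdict(list)
    for r in responses:
        by_domain[r.domain].append(r)
    return sorted(d for d, rs in by_domain.items()
                  if all(fingerprint(d, rs, ages.get(d)).values()))


# Constructed sample data (documentation IP ranges; hypothetical registration ages).
SAMPLE_AGES = {"kxzqwpfrgd.ru": 1, "qzvjtwmbkp.ru": 2, "example.com": 6000}
SAMPLE_RESPONSES = (
    # fresh DGA-like .ru name: one IP per lookup, TTL 0, NS glue changing with TTL 0
    DnsResponse("kxzqwpfrgd.ru", ("203.0.113.10",), 0, ("203.0.113.20", "203.0.113.21"), 0),
    DnsResponse("kxzqwpfrgd.ru", ("198.51.100.5",), 0, ("198.51.100.9", "203.0.113.21"), 0),
    DnsResponse("kxzqwpfrgd.ru", ("203.0.113.77",), 0, ("198.51.100.9", "198.51.100.14"), 0),
    # same shape of name, but stably hosted: name alone is not the fingerprint
    DnsResponse("qzvjtwmbkp.ru", ("203.0.113.200",), 300, ("203.0.113.201",), 3600),
    DnsResponse("qzvjtwmbkp.ru", ("203.0.113.200",), 300, ("203.0.113.201",), 3600),
    # long-lived, ordinary domain
    DnsResponse("example.com", ("203.0.113.1",), 3600, ("203.0.113.2", "203.0.113.3"), 86400),
)

if __name__ == "__main__":
    for domain in sorted(SAMPLE_AGES):
        rs = [r for r in SAMPLE_RESPONSES if r.domain == domain]
        print(domain, fingerprint(domain, rs, SAMPLE_AGES[domain]))
    print("flagged:", flag_kelihos_like(SAMPLE_RESPONSES, SAMPLE_AGES))
```

Requiring all traits keeps the false-positive rate down: plenty of legitimate CDN names are random-looking or freshly registered, and some use short TTLs, but the combination of TTL 0 on both the A record and the name-server glue, with the glue moving between lookups, is what separates these domains from ordinary hosting.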

Discovering Malicious Domains Using Co-Occurrences

The infection chain for serving a single piece of malware is frequently made up of many constantly changing domains. The security community finds thousands of new sites serving malware or acting as intermediaries every day. Hosts used to control botnets are also constantly changing in order to be resilient to takedowns.

In this context, we need to discover and block new suspicious domains as soon as possible. In order to do so, we use different models, each of them capturing different sets of domains. Once we have evidence of a server ...

Fake PC Optimizer Scam Uncovered

Utilizing the power of the Umbrella Security Graph, our Labs Team is constantly on the lookout for any anomalies that could indicate potential threats. Recently, we’ve noticed several domains that appear to be search engines triggering a number of predictive models in the Security Graph.

These high-volume domains seemed to be stable, but a number of red flags quickly became apparent: they demonstrated fast flux behavior, resided in low-reputation IP subnets, and had an alarmingly low secure rank. Although the software appeared legitimate, and ...

2nd Graphlab Workshop 2013

A few hundred researchers from academia and industry gathered on Monday, July 1 for the 2nd annual Graphlab Workshop at the Nikko hotel in downtown San Francisco. The event was a great success as a venue to discuss the challenges and opportunities the emerging large-scale graph analytics community currently faces. The Umbrella Security Labs team was present at the event, and in this blog we share with you our take-aways.

GraphLab

The first talk was about a product we have ...