Andrew Hay

the man, the myth, the blog

July 27, 2014
by Andrew Hay

Unveiling The Open Source Visualization Engine For Busy Hackers at Black Hat 2014

This year marks the first year in my security career that I get to speak at the Black Hat security conference – and I couldn’t be more excited. On Tuesday, August 6th at 2:15pm local time, I’ll be co-presenting Unveiling The Open Source Visualization Engine For Busy Hackers with Thibault Reuille. Here is the abstract for the talk:

The way a human efficiently digests information varies from person-to-person. Scientific studies have shown that some individuals learn better through the presentation of visual/spatial information compared to simply reading text. Why then do vendors expect customers to consume presented data following only the written word method as opposed to advanced graphical representations of the data? We believe this approach is dated.

To help the neglected visually inclined masses, we decided to create a free and Open Source engine to remove the complexity of creating advanced data visualizations. The ultimate goal of the project was to allow for the visualization of any loosely related data without having to endlessly reformat that data. For the visual/spatial learners, the engine will interpret their own data, whether it be a simple or complex system, and present the results in a way that their brains can understand.

Learning, for visual-spatial learners, takes place all at once, with large chunks of information grasped in intuitive leaps, rather than in the gradual accretion of isolated facts or small steps. For example, a visual-spatial learner can grasp all of the multiplication facts as a related set in a chart much easier and faster than memorizing each fact independently. We believe that some security practitioners might be able to better utilize their respective data sets if provided with an investigative model that their brains can understand.

During this presentation, we will show you how you can take any relational data set, quickly massage the format, and visualize the results. We will also share some observations and conclusions drawn from the results of the visualization that may not have appeared in simple text form. We have used this engine within OpenDNS to track CryptoLocker and CryptoDefense ransomware, Red October malware, and the Kelihos botnet. Additionally, specific Syrian Electronic Army (SEA) campaigns, carding sites, and even a map of the Internet via Autonomous Systems have been visualized using the engine.

Interesting data can also be isolated through the use of Python and JavaScript-based plugins that can be easily added to the engine’s framework. These plugins affect the way the data is visualized and allow analysts to make sense of their data as it relates to the question they’re trying to answer. The “big picture” model will help visually inclined incident responders, security analysts, and malware researchers visually stitch together complex data sets without needing a PhD in math or particle physics.

OpenGraphiti, what we’ve named the tool, will be made available the day of the presentation. Having used it at work (and for play) I can tell you that it’s going to blow your mind. See you in Vegas and I hope to see some of my readers at the talk :)

July 21, 2014
by Andrew Hay

New Tool: web2intel


Script to fetch malicious domain and URL lists from sites that publish RSS feeds or raw HTML pages.


To obtain the tool, please visit and download the associated files or simply run the following command at your command prompt:


Supported Lists


./web2intel.rb <option> <extras> 

For command syntax, please visit the GitHub repository.

Example 1 – Domains only

$ ./web2intel.rb --sucuri_iframe
#Title: Sucuri Research Labs Hidden iframes list
#2014-07-20 15:08:14 -0700
....list of domains....

Example 2 – Full URLs

$ ./web2intel.rb --sucuri_iframe --urls
#Title: Sucuri Research Labs Hidden iframes list
#2014-07-20 15:08:42 -0700
....list of URLs....


For any questions, bugs, or concerns, please use the GitHub issue submission system and/or reach out to @andrewsmhay on Twitter.

© Andrew Hay, 2014

May 1, 2014
by Andrew Hay

Research: Xerox Printers Beaconing Out To The Internet

4896710690_8cf5781412_b-241x300While conducting some research, I happened to notice a rather odd domain name that a particular server was beaconing out to. The domain in question was Initially, I figured that the domain could be malware or phishing related as the likelihood of Xerox Corporation using such a long domain was relatively low. Upon further investigation, the xeroxdiscoverysupernode3 domain wasn’t even registered. Could a piece of malware have been constructed to call out to this specific domain to download additional files? Why wouldn’t the malware author register the domain ahead of time if that was the plan?

As this domain ended in the number 3, I pondered the idea of there being a ’1′, ’2′, or maybe even a ’4′ numbered domain that followed this same pattern. It turned out that xeroxdiscoverysupernode1, xeroxdiscoverysupernode2, and xeroxdiscoverysupernode3 were actively being queried for within the OpenDNS global infrastructure. Not only were the domains being queried, but each was receiving roughly 2,000 queries per hour (as seen below).


The plot thickens…

The full post can be read here:

Photo Credit: via Compfight cc