Category: Security Research

S4 Incident Responder and Researcher Conference: Agenda


As a follow up to our previous post, the agenda for the S4 Incident Responder and Researcher Conference, being held at OpenDNS HQ on September 18th, 2014, is now finalized.

Training Sessions


Time TitlePresenter
8:00Breakfast and coffee (first talk 9AM SHARP!)n/a
9:00 – 11:00Malware Analysis for Incident RespondersLenny ZeltserThe SANS Institute
11:00 – 13:00Using Bro*Anthony KaszaOpenDNS
13:00 – 15:00Using MolochScott Floyd, Salesforce
15:00 – 17:00IR 2.0 : Elastic Search, Logstash, Kibana (ELK)The folks at Elastic Search


Note: Lunch will be provided and available during the Bro session.


Evening Talks


Time TitlePresenter
17:00 – 17:20Measuring the IQ of your Threat Intelligence FeedsAlex PintoMLSec Project
17:30 – 17:50FastResponder: New Open Source weapon to detect and understand a large scale compromiseSébastien LarinierGuillaume Arcas, and Olivier Zheng, Sekoia
18:00 – 18:20Threat intelligence for Incident RespondersSam LilesCyberforensics Laboratory at Purdue
18:30 – 18:50Building Your Own DFIR SidekickScott J RobertsGitHub
19:00 – 19:20GRR and Rekall: State of the UnionElizabeth Schweinsberg and Kristinn Gudjonsson, Google
19:30 – 22:00Networking, drinks, and conversationn/a


S4 Incident Responder and Researcher Conference Details


Who: Incident Responders, Security Researchers, Security Analysts
What: S4 (San Francisco Security Series): Incident Responder and Researcher Conference
When: September 18, 2014 (registration starts at 8:30 AM. First training at 9:00AM)
Where: OpenDNS HQ, 135 Bluxome St., San Francisco, CA 94107
Price: Free
Food and Drinks: Provided
Free and reliable WiFi: Provided
Event Hashtag: #s4con
OpenDNS Twitter Account:


Please reserve soon as space is limited. Again, the registration link can be found here:

We look forward to seeing you!

The post S4 Incident Responder and Researcher Conference: Agenda appeared first on OpenDNS Security Labs.

New Git Repositories That I’m Following

github-8-xxlEvery now and then I star a Git repo that looks interesting, has a tool I want to try later, or is something immediately useful. Most times, however, I tend to star them and forget about them. In reviewing some of my more recent ‘stars’, I thought it might be useful to share them with my readers.

[list icon=”chevron-sign-right”]harelba/q[/list]

q is a command line tool that allows direct execution of SQL-like queries on CSVs/TSVs (and any other tabular text files). q treats ordinary files as database tables, and supports all SQL constructs, such as WHERE, GROUP BY, JOINs etc. It supports automatic column name and column type detection, and provides full support for multiple encodings.

[list icon=”chevron-sign-right”]wmetcalf/buildcuckoo-trusty[/list]

A dumb set of scripts for building a cuckoo rig

[list icon=”chevron-sign-right”]ChrisTruncer/EyeWitness[/list]

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

Inspiration came from Tim Tomes’s PeepingTom Script. I just wanted to change some things, and then it became a thought exercise to write it myself.

EyeWitness is designed to run on Kali Linux. It will auto detect the file you give it with the -f flag as either being a text file with URLs on each new line, nmap xml output, or nessus xml output. The -t (timeout) flag is completely optional, and lets you provide the max time to wait when trying to render and screenshot a web page. The –open flag, which is optional, will open the URL in a new tab within iceweasel.

[list icon=”chevron-sign-right”]packetloop/packetpig[/list]

An Open Source Big Data Security Analytics tool that analyses pcap files using Apache Pig.

[list icon=”chevron-sign-right”]cure53/Flashbang[/list]

This tool is an open-source Flash-security helper with a very specific purpose: Find the flashVars of a naked SWF and display them, so a security tester can start hacking away without decompiling the code.

Flashbang is built upon Mozilla’s Shumway project. It runs in the browser but has a bunch of requirements to work properly.

[list icon=”chevron-sign-right”]technoskald/maltrieve[/list]

A tool to retrieve malware directly from the source for security researchers.

[list icon=”chevron-sign-right”]guelfoweb/peframe[/list]

PEframe is a open source tool to perform static analysis on (Portable Executable) malware. It’s released under GPL v2. JSON output and SQlite database support are been introduced since version 4.0.

[list icon=”chevron-sign-right”]holman/spark[/list]

Shell script to create spark lines in your shell – e.g. ▁▂▃▅▇

[list icon=”chevron-sign-right”]mlsecproject/combine[/list]

Combine gathers OSINT Threat Intelligence Feeds

[list icon=”chevron-sign-right”]mlsecproject/tiq-test[/list]

Threat Intelligence Quotient Test – Code and data repository for the statistical analysis of TI feeds

[list icon=”chevron-sign-right”]CIRCL/AIL-framework[/list]

AIL is a modular framework to analyze potential information leak from unstructured data source like pastes from Pastebin or similar services. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.

Gameover ZeuS Switches From P2P to DGA

Though Operation Tovar succeeded in temporarily cutting communication between Gameover ZeuS (GoZeus) and its command and control infrastructure, it appears now that GoZeus has migrated from using peer-to-peer communications to domain generation algorithms (DGAs).

According to research by our friends over at Malcovery, a “new trojan based heavily on the GameOver Zeus binary…was distributed as the attachment to three spam email templates.” In the report, several domains were identified as being the destination of the infected malware’s communications. The most active of the DGAs was one that we at OpenDNS identified on the day it was registered – cfs50p1je5ljdfs3p7n17odtuw[dot]biz.


As you can see, the traffic to the domain starts off with a small number of queries (10) on Thursday, July 10 at around 15:00 UTC. A larger jump to 884 queries doesn’t happen until Friday, July 11 at around 6:00 UTC. At peak (on Friday, July 11th at 10:00 UTC) we see a spike of 10,042 queries for cfs50p1je5ljdfs3p7n17odtuw[dot]biz.

The domain in question is associated with a number of IP addresses (as seen below) and have a very low TTL.

Screenshot 2014-07-11 08.35.23

Three of the IP addresses have also been identified by OpenDNS Labs over the past week as being malicious. All of the IP addresses associated with the domain are located within the Ukraine.

The name server (NS) associated with the domain is also highly suspicious. The IP range is associated with AS 3462 and is hosted in Taiwan (TW) – quite the distance from the hosting location in the Ukraine. The IP address is also associated with suspicious name servers for a number of Russian (.ru) servers.  A quick scan of some of the other domains hosted by the IP shows a handful of DGAs and Russian (.ru, .su), Kazakhstan (.kz), and Indian (.in) ccTLDs.


One last nugget of intel is some of the scoring that OpenDNS assigns to the domain, its associated IPs, and related ASNs.

Screenshot 2014-07-11 08.48.23

Hopefully this information has helped you better understand the methodologies employed by GoZeus users. Using OpenDNS Investigate, we were able to derive additional intelligence from our global DNS data and shed some additional light on the communication channels.

All OpenDNS users are already protected against the identified domains in the Malcovery report. Should you have any additional questions, please do not hesitate to reach out to us.

Additional Refernces:

The post Gameover ZeuS Switches From P2P to DGA appeared first on OpenDNS Security Labs.

Scroll to top