Category: Security Tools

OpenDNS Security Labs at BSides Las Vegas, Black Hat, and Defcon

It’s that time of year where security folks descend upon the desert of Las Vegas for what many call “Security Summer Camp” or, in some circles, “Hacker Summer Camp”. We, of course, mean the Holey Trinity (see what we did there?) of Security BSides Las Vegas, Black Hat, and Defcon.

Security Analysts Kevin Bottomley and Josh Pyorre will be attending BSides Las Vegas to see a number of great talks including one from OpenDNS Engineering’s Andrew Hess entitled Advancing Internet Security Research with Big Data and Graph Databases. In the talk, Hess will provide an overview of OpenDNS’s threat intelligence database system and focus on how it has influenced security research at OpenDNS. This is the system that we, the OpenDNS Security Labs team, rely on for data ingestion from our resolvers and that serves as the repository for our threat model results… hopefully he doesn’t give away too many secrets about how the cyber-sausage is made.

OpenDNS will also have a booth at the Mandalay Bay Resort and Casino for Black Hat USA 2015. Why not stop by booth 753 to catch up with the OpenDNS Security Labs team, watch a demo of our products, snag a fancy t-shirt, and enter to win an Apple Watch? Dr. Dhia Mahjoub, Sr. Security Researcher, Anthony Kasza, Security Researcher, Andrew Hay, Director of Research, and Dan Hubbard, CTO will be at the booth throughout the day. If you happen to drop by and the person you’re looking for is not there, please leave a business card, written note, or verbal message and we’ll try and sync up with you. You can also meet with Dhia, Andrew, or Dan by scheduling a one-on-one meeting through our scheduling form. We have a meeting room off the show floor so private conversations are welcomed (and encouraged).

You should also plan on attending Dan Hubbard and Andree Toonk’s presentation entitled BGP Stream on Thursday, August 6th, from 12:10-1:00pm in South Seas IJ. In the presentation, Dan and Andree will talk about their methodology and tool—conceived during a recent OpenDNS Hack-a-thon—that can be used to monitor BGP ASN hijacks, historical relationships, and geographic locations of announcing Internet routers. This “alert system for the Internet” is described on our OpenDNS blog, found here. You can, and should, also follow the dedicated Twitter account @bgpstream.

Finally, you may have already started to notice complaints about the long wait times for a taxi at McCarran International Airport.

Vegas needs @Uber so bad. Standing in cab line. About one cab showing up every 2 minutes.

— Chris Eng (@chriseng) August 3, 2015

Why not skip the line and jump on the OpenDNS Limo? We’re picking up from the Las Vegas airport Tuesday & Wednesday every 30 minutes. Just follow signs. We will make sure you get the details if you sign up here. Please note, the limo runs Tuesday (5am to 10pm) and Wednesday (5am to 1pm) and only travels between McCarran and the Mandalay Bay Resort and Casino. If you’re lucky enough to be arriving between 8am and 10am on Wednesday, Andrew Hay will regale you with tales of security from his adventures on the tropical island of Bermuda and of a far away and magical land…called Canada.

The OpenDNS Security Labs team will also be headed to Defcon to learn about some of the cutting edge research our peers have published – some responsibly, some not as responsibly. Dhia, Andrew, Kevin, Josh, and Anthony will be joined by Thibault Reuille, Sr. Security Researcher. Hopefully we’ll get a chance to connect at one of these amazing venues, at a party, or while waiting in a long line for food or a taxi.

We should be easy to spot as we’ll likely be wearing the t-shirts that get us noticed wherever we go. See you there!


The post OpenDNS Security Labs at BSides Las Vegas, Black Hat, and Defcon appeared first on OpenDNS Security Labs.

Fessleak before It Was Cool

OpenDNS has received numerous questions about the Invincea “Fessleak” report. We have been tracking this “actor”, who went by the name of Michael Zont, for several months, and saw a major uptick in previous weeks. The name “Fessleak” actually comes from the actor’s email address (fessleak@qip[.]ru) used to register the domains.

OpenDNS first became aware of malicious activity around this registrant in April 2014 starting with the creation of prosoknf[.]com, and began an active monitoring campaign to identify, and block, any domains registered by “Fessleak”. Using various techniques such as WhoIs monitoring, the OpenDNS Investigate tool, and our Spike Detection Algorithm (SDA), we were able to keep pace with the deployment of nefarious websites with almost real-time speed, including the sites in the aforementioned report.

The sites we first monitored appeared mainly geared towards hosting more common types of malware and exploit kits such as Angler, Kovter, and Rig (ex: prosoknf[.]com). More recently, we noticed a shift into forms of malvertising (ex: tunim[.]net and podin[.]net), with the most recent iterations hosting Flash ‘zero day’ exploits (ex: retilio[.]net). These domains were used for a short amount of time, usually just a few hours, and then discarded, showing no signs of re-use later.

All sites monitored were hosted on Peer1 Networks (AS 13768) and registered under PDR LTD.
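One way to combine the registrant pivot with the short-lifetime pattern described above, as an added example (not OpenDNS's tooling or its Spike Detection Algorithm). The record shape, the thresholds and all sample data are assumptions constructed for illustration; only the email, registrar, AS number and the domain retilio[.]net come from the post.

```python
from dataclasses import dataclass

# Pivot values come from the post; indicators stay defanged in source.
WATCH_EMAIL = "fessleak@qip[.]ru"
WATCH_REGISTRAR, WATCH_ASN = "PDR LTD", 13768  # AS 13768 = Peer1 Networks

def refang(value):  # '[.]' -> '.', lowercased so indicators compare equal
    return value.replace("[.]", ".").strip().lower()

@dataclass
class Registration:  # hypothetical record shape for a WHOIS/hosting feed
    domain: str
    registrant_email: str
    registrar: str
    asn: int

def verdict(rec):
    """'block' on the registrant pivot, 'review' on infrastructure overlap only."""
    if refang(rec.registrant_email) == refang(WATCH_EMAIL):
        return "block"
    if rec.registrar.strip().upper() == WATCH_REGISTRAR and rec.asn == WATCH_ASN:
        return "review"  # shared registrar and AS alone is weak evidence
    return "ignore"

def longest_burst(hourly_queries, floor):
    """Longest run of consecutive hours with query volume at or above floor."""
    best = run = 0
    for count in hourly_queries:
        run = run + 1 if count >= floor else 0
        best = max(best, run)
    return best

def triage(records, traffic, floor=100, max_hours=6):
    """Map domain -> (verdict, short_lived) for every record not ignored."""
    out = {}
    for rec in records:
        v = verdict(rec)
        if v != "ignore":
            burst = longest_burst(traffic.get(rec.domain, []), floor)
            out[rec.domain] = (v, 0 < burst <= max_hours)
    return out

# Constructed sample feed and hourly DNS query counts (not real telemetry).
SAMPLE_RECORDS = [
    Registration("retilio[.]net", "Fessleak@QIP[.]ru", "PDR Ltd", 13768),
    Registration("shop.example", "owner@example.org", "PDR LTD", 13768),
    Registration("blog.example", "admin@example.net", "Example Registrar", 64500)]
SAMPLE_TRAFFIC = {"retilio[.]net": [0, 0, 3, 950, 1200, 800, 4, 0, 0],
                  "shop.example": [210, 190, 230, 220, 205, 215, 240, 200, 210]}
```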

Example Traffic Patterns

The following images provide some insight into the traffic patterns of domains we were tracking during this campaign.


[Screenshots: traffic patterns for the tracked domains]

The complete list of domains tracked during this campaign is shown below. Each entry links to the respective OpenDNS Investigate analysis for the tracked domain, so customers can view the full analysis of the campaign information:

The following image is a screenshot of the Fessleak domains as graphed in OpenGraphiti.
[Screenshot: Fessleak domains graphed in OpenGraphiti]

Towards the end of 2014 we noticed, on average, two domains registered every 1-2 days. However, since the Invincea report came out, the actor has not registered any new domains using this email address.


The post Fessleak before It Was Cool appeared first on OpenDNS Security Labs.
