This document discusses the ripple effect of malware and domain generation algorithms (DGAs). It provides an example of the Cryptolocker malware which uses DGAs to generate domain names for its command and control servers to evade detection. The presentation includes a demo of tracking DGA domains on the Umbrella security graph and shows IP addresses from November 7th that resolved DGA domains, illustrating the ongoing nature of the threat. It concludes by asking if there are any questions.

1. Ripple Effect
Algorithmic Threat
Intelligence & Containment
Ping @OpenDNS.com

2. Ping
Came from China
Was in U. of Arizona graduate school
Data mining, Machine learning
InfoSec

3. Agenda
DNS transactions
The Ripple Effect
Case study - Cryptolocker
Demo

4. More IP, AS intel, the present and the past?
What is this traffic spikes all about?

5. What are all these weird stuff that one was
requesting?

7. The Ripple Effect
The process of
searching the
newer and the
unknown,
… starting from the
seeding intelligence

10. Cryptolocker DGA
1. Infection
2. retrieve encryption key from CnC
3. encrypt data files
4. collect money!
IP CnC fails quickly
! DGA kicks in !

13. I don’t know the DGA!!!

14. https://sgraph.umbrella.com/domainview/name/xvaxsxbptmerjb.com/view

16. Demo
http://labs.umbrella.com/wpcontent/uploads/2013/09/cyl.gif
load https://sgraph.umbrella.
com/thibault/Web/?name=xvaxsxbptmerjb.com

17. The Algorithm

18. November 7th
144.76.192.130
95.59.26.43

19. Beyond Cryptolocker
https://sgraph.umbrella.com/domainview/name/o2i2394073g2oh2b34.com/view

21. QUESTIONS?