Each day millions of Internet requests are made to dynamically changing Cryptolocker domains. And it only takes one successful connection from a malware-infected system to the botnet controller for your files to end up encrypted and held for ransom. So how does Cryptolocker actually work? What is the best way to block it? And what implications does this have for security methods going forward? In this webcast, you will learn: -What steps are involved in a Cryptolocker attack -How Domain Generation Algorithms enable it to evade most threat detection methods -Why leveraging our global intelligence has been effective in containing Cryptolocker -What you can do to avoid becoming a victim

1. CONTAINING
CRYPTOLOCKER
How Predictive Analytics
Combat Emerging Threats
OpenDNS Confidential

2. AGENDA
1
CYBER ATTACKS & THREATS
multiple stages, varying tactics
2
CRYPTOLOCKER IN-DEPTH
how it works, what can stop it
3
WHY SECURITY FALLS BEHIND
how OpenDNS contained Cryptolocker, why we stay ahead
#2
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential

3. CYBER ATTACKS
AND THREATS
OpenDNS Confidential

4. CYBER-ATTACKS ARE MULTI-STAGE
A BUSINESS MAY OBSERVE
UP TO FIVE STAGES
1 2 3 4 5
RECON
& PREP
#4
Ÿ
LURE
USER
11-Dec-13 Ÿ OpenDNS Confidential
INFECT
SYSTEM
PHONE
HOME
BREACH
NETWORK
REALIZE
MOTIVE
MOVE DATA
& MONEY

5. LURE & INFECTION
MULTIPLE ATTACK VECTORS
EMAIL ONLY
SociallyEngineered
Content
Links in
Forums or
Search
Engines
(business
sender)
Malicious
Attachment
(ZIP and/or
EXE falsely
labeled as PDF)
#5
Ÿ
WEB ONLY
11-Dec-13 Ÿ OpenDNS Confidential
Malware
Drop Host
(often exploits
browser or plug-in
vulnerabilities)
EMAIL TO WEB
FalselyLabeled
Web Link
Compromised
Web Site
Compromised
Web Site
(Javascript
redirection)
(Javascript
redirection)
Malware
Drop Host
(often exploits
browser or plug-in
vulnerabilities)

6. PHONE HOME (to CnCs)
INCREASING SOPHISICATION
STATIC
FAST FLUX
23.4.34.55
23.4.24.1
23.4.24.1
DGA
(domain generation algorithm)
44.6.11.8
23.4.34.55
44.6.11.8
87.32.4.21
129.3.6.3
83.56.21.1
34.4.2.110
bad.com
#6
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential
34.4.2.110
bad.com
129.3.6.3
23.4.24.1
34.4.2.110
bad.com?
baa.ru?
bid.cn

7. BREACH & MOTIVE
MOST BREACHES YOU DON’T SEE
DISRUPTS
YOUR BUSINESS
HIJACKS
YOUR INFRASTRUCTURE
MANIPULATES
YOUR DATA
Pay the
Ransom
to Unlock
the Data
Locks You Out
of Your Data on
Your Network
#7
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential
Attacks Other
Businesses Using
Your Reputation
Cyber-Criminals and
Nation States Obtain
Your Knowledge

8. CRYPTOLOCKER
IN-DEPTH
OpenDNS Confidential

9. BUSINESSES OFTEN MISS SEEING THE THIRD STAGE
IT IS TARGETING BUSINESSES
EMAIL-ONLY
1 VECTOR
#9
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential
2 FAKE
EXECUTABLE
DGA-BASED
3 PHONE HOME
4 ENCRYPT
DATA
COLLECT
5 RANSOM

10. SECURITY REQUIRES VISIBILITY, INTELLIGENCE AND ENFORCEMENT
WHICH SOLUTIONS CAN STOP IT?
EMAIL-ONLY
1 VECTOR
Firewalls or
Gateways
2 FAKE
EXECUTABLE
Endpoint
Protections
DGA-BASED
3 PHONE HOME
Firewalls,
Gateways
or Endpoint
Protections
BLOCK WHAT IS KNOWN TO BE MALICIOUS:
• by appearance
• by origin
• by behavior
#10
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential
4 ENCRYPT
DATA
Encryption or
DB Security
COLLECT
5 RANSOM
Data
Archiving

11. DISCOVERING WHAT IS MALICIOUS IS A COLLECT AND REACT APPROACH
IF IT’S NOT KNOWN, THEN…
COLLECT
ANALYZE
REACT
• block new
appearances
• block new
origins
• block new
behaviors
time 0
#11
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential
time 1-N
time N

12. MALWARE ANALYSIS APPROACHES WILL NEVER STAY AHEAD
Variant G
Variant H
Variant C
Variant A
Variant E
Variant F
Variant K
NEW DGA
Variant B
Variant I
#12
Ÿ
Variant D
11-Dec-13 Ÿ OpenDNS Confidential
Variant J

13. MALWARE ANALYSIS APPROACHES WILL NEVER STAY AHEAD
Variant A
#13
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential

14. MALWARE ANALYSIS APPROACHES WILL NEVER STAY AHEAD
Variant G
Variant C
Variant A
Variant E
Variant F
Variant B
Variant D
#14
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential

15. MALWARE ANALYSIS APPROACHES WILL NEVER STAY AHEAD
Variant G
Variant H
Variant C
Variant A
Variant E
Variant F
Variant K
NEW DGA
Variant B
Variant I
#15
Ÿ
Variant D
11-Dec-13 Ÿ OpenDNS Confidential
Variant J

16. MALWARE ANALYSIS APPROACHES WILL NEVER STAY AHEAD
Variant G
Variant H
Variant C
Variant A
Variant E
Variant F
Variant K
NEW DGA
Variant B
Variant I
#16
Ÿ
Variant D
11-Dec-13 Ÿ OpenDNS Confidential
Variant J

17. WHAT IS A BETTER APPROACH?
DISCOVER WHERE MALICIOUS ACTIVITY
WILL ORIGINATE, BEFORE IT HAPPENS
OBSERVE
PREDICT
DGA-based phone home activity
time 0
#17
Ÿ
future DGA domains
time 1
11-Dec-13 Ÿ OpenDNS Confidential

18. TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE
#18
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential

19. TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE
Live Internet Activity
#19
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential

20. TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE
#20
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential

21. OBSERVING CRYPTOLOCKER’S DGA-BASED PHONE ACTIVITY ACTIVITY
24-Oct
28.7M
24.6M
Unknown
Co-Occurring
DNS Requests
#21
Ÿ
19.1M
22.3M
18.1M
28-Oct
29-Oct
lcynqebqetamnmb.net
27-Oct
dblekuaonugn.biz
26-Oct
ljllkfudrvggepm.com
ixslpslobkddytp.info
25-Oct
ohjvagaptmlffn.info
23-Oct
byeixyixhmse.biz
22-Oct
dctqynvenluf.biz
21-Oct
ftamfiaivpdw.biz
20-Oct
shocdnhyfmdfsoj.co.uk
lfdicecqjetfqrm.com
Known
Domains
Blocked
paspmnbspwijo.ru
DAY
FOR EVERY 1 KNOWN DOMAIN PER DAY,
999 MORE DOMAINS OBSERVED
30-Oct
26.9M
21.7M
19.6M
17.6M
20.1M
7.3M
20-Oct
11-Dec-13 Ÿ OpenDNS Confidential
21-Oct
22-Oct
23-Oct
24-Oct
25-Oct
26-Oct
27-Oct
28-Oct
29-Oct
30-Oct

22. PREDICTING CRYPTOLOCKER’S DGA-BASED PHONE HOME ACTIVITY
ONE OF THOSE 999 CO-OCCURRING
DOMAINS WILL BECOME ACTIVE NEXT
CRYPTOLOCKER
KNOWN DOMAINS
tctggapprqfatc.biz
uauuqfmmuwemsj.ru
psnineovwogkvx.org
#22
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential
ALL CO-OCCURRENCES INCLUDING NEWLY
DISCOVERED CRYPTOLOCKER DOMAINS T-1 T+1
uwelwphpjsemxsn.info (2100), google.com (800),
arjddblgbsumi.biz (575), danvawrrcgrwo.com (300),
facebook.co.uk (266), frjpjcapmnvdo.ru (34)

23. OBTAIN VISIBILITY, INTELLIGENCE AND ENFORCEMENT OF STAGE 3
STOP THE ATTACK’S “KILL CHAIN”
EMAIL-ONLY
1 VECTOR
2 FAKE
EXECUTABLE
DGA-BASED
3 PHONE HOME
4 ENCRYPT
DATA
At the Gateway and
on the Endpoint*
(*because it will not always
be behind the gateway)
#23
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential
COLLECT
5 RANSOM

24. WHY SECURITY
FALLS BEHIND
OpenDNS Confidential

25. THE PERFECT STORM HAS FORMED
INCOMPLETE
ENFORCEMENT
On-Network
Web Traffic
Roaming
Users &
Remote
Offices
#25
Ÿ
Non-Web
Protocols
& Ports
11-Dec-13 Ÿ OpenDNS Confidential
LIMITED
VISIBILITY
Samples
Collected by
On-Premises
Appliances
Targeted
Attacks
Emerging
Threats
REACTIVE
INTELLIGENCE
Similar
Appearance
Different
Behavior
Unknown
Origin

26. WANTED: SECURITY FOR THE WAY THE WORLD WORKS TODAY
EVERYWHERE
ENFORCEMENT
#26
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential
GLOBAL
VISIBILITY
PREDICTIVE
INTELLIGENCE

27. GLOBAL VISIBILITY
ENFORCEMENT
UMBRELLA
INTELLIGENCE
SECURITY GRAPH
PREDICTIVE SECURITY

28. WHAT MAKES OPENDNS’S SECURITY UNIQUE
THE ONLY CLOUD-DELIVERED
AND DNS-BASED
SECURITY SOLUTION
80M+
100K+
#28
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential
REQUESTS TO ADVANCED
MALWARE, BOTNET & PHISHING
THREATS BLOCKED DAILY
NEW THREAT ORIGINS
DISCOVERED OR PREDICTED DAILY

29. UMBRELLA LEVERAGES OPENDNS’S FOUNDATIONS
THE WORLD’S LARGEST
INTERNET SECURITY NETWORK
" 50M+ ACTIVE USERS DAILY
" 21 DATA CENTER LOCATIONS
" 1500+ BGP PEERING SESSIONS
" 50B+ REQUESTS DAILY
" 160+ COUNTRIES W/USERS
" ZERO NET NEW LATENCY
EUROPE, MIDDLE
EAST & AFRICA
AMERICAS
#29
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential
ASIA-PACIFIC

30. EVERYWHERE.
#30
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential
TOTAL
NEW
NEW
TOTAL
NEW
for 1,000s of our
customers daily.
TOTAL
OPENDNS IS
PREDICTING &
CONTAINING
CRYPTOLOCKER
TOTAL
USER CLIENTS ATTEMPTING TO PHONE HOME TO CRYPTOLOCKER’S CnCs

31. CUSTOMERS PROTECTED BEFORE TRADITIONAL SECURITY APPROACHES
OPENDNS PREDICTED
CRYPTOLOCKER’S DGA
before others could reverse engineer it
#31
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential

32. OPENDNS WILL HELP YOUR BUSINESS
We Predict,
Prevent And Contain
Emerging Threats
BEFORE THE INFECTION
OR BREACH HAPPENS
#32
Ÿ
11-Dec-13 Ÿ OpenDNS Confidential

33. FOR A FREE INSTANT TRIAL,
VISIT WWW.UMBRELLA.COM OR
EMAIL SALES@OPENDNS.COM
FOR TECHNICAL QUESTIONS,
EMAIL ME BARRY@OPENDNS.COM
OpenDNS Confidential