Passive DNS (DNSDB) is nowadays a fundamental investigative tool that helps security researchers, malware analysts, and incident responders correlate numerous indicators to identify attacks and track malicious activity on the Internet. It is built by consolidating authoritative DNS traffic into a persistent, indexed historical database. In this talk, we present "Marauder", a novel threat detection system applied to our DNSDB as well as to the live stream of authoritative DNS traffic. The system allows rapid, parallel scanning of suspicious hotspots in the IP space and discovers new malicious domains and IPs. We will describe various attack domains detected by this system, such as trojan CnCs, exploit kit domains, botnets, etc.
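To make the passive DNS idea concrete, here is a small added example (not code from the talk or from OpenDNS) that consolidates constructed authoritative DNS answers into an indexed first-seen/last-seen database, pivots on an IP to list the domains that have resolved to it, and applies a simple "hotspot" filter: IPs that recently gained several never-before-seen domains. The data, thresholds and function names are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authoritative DNS answers as a passive DNS sensor would
# record them: (observation time, rrname, rrtype, rdata). All values are made up.
SAMPLE_OBSERVATIONS = [
    ("2014-03-01T10:00:00", "example-shop.test", "A", "192.0.2.10"),
    ("2014-03-02T11:30:00", "example-shop.test", "A", "192.0.2.10"),
    ("2014-02-01T08:00:00", "old-static.test", "A", "192.0.2.77"),
    ("2014-03-10T09:15:00", "qx7a1.example", "A", "192.0.2.77"),
    ("2014-03-10T09:16:00", "b2kd9.example", "A", "192.0.2.77"),
    ("2014-03-10T09:18:00", "zz41p.example", "A", "192.0.2.77"),
    ("2014-03-11T14:00:00", "qx7a1.example", "A", "192.0.2.77"),
]

def build_pdns_index(observations):
    """Consolidate raw answers into a passive DNS index:
    (rrname, rrtype, rdata) -> {first_seen, last_seen, count}."""
    index = {}
    for ts, name, rrtype, rdata in observations:
        t = datetime.fromisoformat(ts)
        rec = index.setdefault((name, rrtype, rdata),
                               {"first_seen": t, "last_seen": t, "count": 0})
        rec["first_seen"] = min(rec["first_seen"], t)
        rec["last_seen"] = max(rec["last_seen"], t)
        rec["count"] += 1
    return index

def domains_for_ip(index, ip):
    """Pivot: every domain historically observed resolving to `ip`, oldest first."""
    hits = [(rec["first_seen"], name) for (name, rrtype, rdata), rec in index.items()
            if rrtype == "A" and rdata == ip]
    return [name for _, name in sorted(hits)]

def hotspot_ips(index, now, window_days=7, min_new_domains=3):
    """Flag IPs that gained at least `min_new_domains` domains never seen before
    in the database within the last `window_days`; a cheap first filter for the
    'hotspots' an analyst or scanner would then examine in detail."""
    cutoff = now - timedelta(days=window_days)
    domain_first_seen = defaultdict(lambda: datetime.max)  # earliest sighting per rrname
    for (name, _, _), rec in index.items():
        domain_first_seen[name] = min(domain_first_seen[name], rec["first_seen"])
    new_per_ip = defaultdict(set)
    for (name, rrtype, rdata), rec in index.items():
        if rrtype == "A" and domain_first_seen[name] >= cutoff:
            new_per_ip[rdata].add(name)
    return sorted(ip for ip, names in new_per_ip.items() if len(names) >= min_new_domains)
```

On a real DNSDB the same pivot runs over billions of records, but the shape of the index and of the IP-centric query is what lets a scanner sweep an address range for newly active domains.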
Senior security researcher at OpenDNS, Dhia Mahjoub works on research and development problems involving DNS, security, big data analysis, and networks. Dhia holds a PhD in Computer Science from Southern Methodist University, Dallas, with a specialty in graph theory applied to Wireless Sensor Networks. He has a background in computer networks and has written sniffers and port scanners, among other things. Dhia has presented at BSides NOLA, APWG eCrime, BSides Raleigh, BotConf, BSides San Francisco, and ISOI 13, and will be talking at the upcoming BSides NOLA. He is also a member of the non-profit security research group MalwareMustDie, helping track botnets and other malicious sources on the Internet.