Monitoring malicious domains on the Internet in real time for forensics purposes
In times of bulletproof hosting and fast-flux networks, in which cybercriminals constantly evade researchers (private and/or governmental), techniques for "diverting" security actions are continuously employed. One of the most notorious and effective is changing the address at which malicious content is hosted. For this reason, research techniques and active monitoring are increasingly needed. The presentation will address this new need: continuous and active monitoring of the characteristics of the malicious servers where the content is hosted, in order to accumulate evidence that sheds light on the incident response. This DNS monitoring technique will be explained in depth, taking into account the operating assumptions that contribute to operational security (OPSEC), intelligence and reconnaissance, and research indicators such as geolocation. Besides the technique itself, the author will present the tool EvilWatcher, written by the author, with its different modes of operation aimed at the previously mentioned goal. Technical details will be explored extensively. The purpose of EvilWatcher is to perform active monitoring of malicious hosts, which can generate a wealth of information for its users (police forces / forensic experts): host geolocation, ASN, other DNS records that exist in the malicious domain, as well as anomalous behaviours found in each host detected. Over time of use, it becomes possible to identify by ASN and locality where malicious content has been hosted, including generating statistics and an intelligence base.
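The kind of record tracking the abstract describes, as an added illustration that is not EvilWatcher's own code: each lookup of a watched domain is compared with the previous one, additions and removals of hosting IPs are logged as evidence, and per-ASN dwell time plus a simple change-rate indicator are derived from the history. The domain, IPs, timestamps, the ASN/country table and the enrichment callback interface are all constructed placeholders standing in for a live resolver and GeoIP/ASN database.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple
Enrich = Callable[[str], Tuple[str, str]]  # ip -> (asn, country); assumed enrichment interface

@dataclass
class HostSighting:
    first_seen: int   # unix time the IP first appeared in the domain's A records
    last_seen: int    # unix time of the most recent lookup that still returned it
    asn: str
    country: str

@dataclass
class DomainWatch:
    domain: str
    enrich: Enrich
    hosts: Dict[str, HostSighting] = field(default_factory=dict)
    lookups: int = 0
    changes: List[str] = field(default_factory=list)  # evidence log of A-record changes
    current: Set[str] = field(default_factory=set)     # IPs returned by the latest lookup
    def observe(self, ts: int, ips: Set[str], ttl: int) -> None:
        """Record one resolution of the domain and log additions/removals as evidence."""
        self.lookups += 1
        for ip in ips - self.current:                  # newly seen hosting address
            asn, cc = self.enrich(ip)
            self.hosts.setdefault(ip, HostSighting(ts, ts, asn, cc))
            self.changes.append(f"{ts} {self.domain} A+ {ip} {asn} {cc} ttl={ttl}")
        for ip in self.current - ips:                  # address dropped from the answer
            self.changes.append(f"{ts} {self.domain} A- {ip}")
        for ip in ips:
            self.hosts[ip].last_seen = ts
        self.current = set(ips)
    def flux_indicator(self) -> float:
        """Distinct IPs per lookup: close to 1.0 means a new host on nearly every resolution."""
        return len(self.hosts) / self.lookups if self.lookups else 0.0
    def dwell_by_asn(self) -> Dict[str, int]:
        """Seconds each ASN has been seen hosting the domain (summed over its IPs)."""
        out: Dict[str, int] = {}
        for h in self.hosts.values():
            out[h.asn] = out.get(h.asn, 0) + (h.last_seen - h.first_seen)
        return out

# Constructed sample: three lookups of a placeholder domain against a toy ASN/country table.
SAMPLE_ASN = {"198.51.100.7": ("AS64496", "BR"), "203.0.113.9": ("AS64497", "US"), "192.0.2.44": ("AS64496", "BR")}
def demo() -> DomainWatch:
    w = DomainWatch("evil.example", lambda ip: SAMPLE_ASN.get(ip, ("AS0", "??")))
    w.observe(1000, {"198.51.100.7"}, 300)
    w.observe(1300, {"198.51.100.7", "203.0.113.9"}, 60)
    w.observe(1600, {"192.0.2.44"}, 60)   # complete host swap between lookups
    return w
```

A real deployment would call `observe` from a scheduler with results from an actual resolver and a GeoIP/ASN lookup; the `changes` list is the timestamped evidence trail the abstract refers to.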
Director of Technology and Research at Prevention NS and independent researcher. Speaker at many events such as H2HC, BSides, YSTS, CNASI, SegInfo and ValeSec, among others. Professor in the Postgraduate Course in Computer Forensics at Mackenzie University. Founder of the staysafe Podcast. Member of the Cloud Security Alliance Brazil (CSA).