
Well, while people are trickling in, can I get a show of hands? Is this your first BSides? >> Awesome. Great. Besides being a great conference, as will become evident during my talk, I care a lot about the security community, where we all get together and share our experiences, and younger people in the industry come in, learn what's going on, and hopefully stick around. I'll be speaking at BSides San Francisco in a couple of weeks. I'm fortunate that my company, DomainTools, is very supportive and gives me a travel budget, so I can submit to all these conferences and, if I get accepted, attend. Sometimes even if not: as a matter of fact, my talk for BSides Seattle was waitlisted, and I thought, hey, that's actually kind of the best-case scenario, because you still get all the speaker privileges but you don't have to do anything. But on Tuesday they said, "Hey, you're off the wait list." I said, "Okay, I guess I've got to make slides now."

But I don't particularly like to give the same talk more than once. I feel like a fresh audience deserves fresh content. Because of the work that I do, we have a lot of research that we publish, so there's always something good to talk about. So I don't think I'm going to give this talk anywhere else, but I'll be talking about I-Soon in San Francisco. That's going to be a little bit spicier.

But yeah, welcome, and thanks, everybody. My name is Daniel Schwalbe. I'm the DomainTools head of investigations, but I'm also their CISO. Please don't hold that against me. I'm fairly technical. I've been doing this for 25 years. I came up through the front lines in the SOC as a security engineer and then worked my way up. I've worked in state and federal government, higher education, and for about the last 10 years in private industry. I left higher ed but still have a very soft spot for it: University of Washington. Go Dawgs. Oh, wow. Okay. Okay, we've got a bunch of Cougars in the house. What? All right.

Who here is from the greater Seattle area, if you don't mind? All right. Cool. So you at least know UDub. Who here would say they traveled the furthest to get here? >> All right. Well, how far? >> I was in London. >> All right. Okay. That's pretty good. Yeah, the nice thing about BSides, I think, is that the barrier to entry is reasonably low, which is a good thing. And they have them all around the world. I'm going to be at BSides Las Vegas in the summer. I still want to go to BSides Canberra one of these days, which is arguably the coolest one. It's also the furthest away, but that travel budget is a little bit of a different issue.

Anyway, oh, my head looks kind of squished there. I should have fixed that. Anyway, the program that I run, when I'm not running the security program at DomainTools, you know, the boring compliance, and making sure that we ideally don't get hacked and our stuff doesn't get stolen, that sort of thing. That is a full-time job, but I have a great team, some of whom are here. Shout out. So I don't have to do it all by myself.
About 14 months or so ago, I asked, what else is there that we could do? A former colleague of mine, she's no longer with the company, but shout out to Karen, and I got together at a company meeting. We said, hey, we care about community. We have a lot of connections; the Venn diagram of the circles we ran in, even though she works in marketing (don't hold that against her), and mine were actually pretty close. And we said, what can we do about this? So we formed this program called DomainTools Investigations, DTI, which is fun because the previous speaker was referencing DTI a lot. I thought, wait, are we talking about the same thing? No.

So we put together this program on a shoestring and ran it in 2025 to prove things out. We had to sign up for some KPIs, because it's corporate and we're private-equity owned, so you have to show that you're actually getting some return on investment. Over the last year we did 45 CFPs, calls for papers, and I think a little over half were accepted, and I did about half of those. But the big thing is that I wanted the company to invest in the community by sponsoring events, etc., in order to get our name out there, but I did not want to do it by pushing product. It's all going to make sense why I'm talking about this when this is a talk about SpyNote, I think. So basically we are going out there and supporting the community, showing up in places where practitioners gather, and the research that we're publishing is on average about one new piece a week, sometimes two or three a month, but it is product-agnostic. This is so important. Nobody likes a thinly veiled sales pitch disguised as research. So a lot of the research that we've published has very little to do with DNS.

I'm a DNS nerd. I've been doing DNS research and the mechanics of it professionally for a little over 10 years, but even before that, DNS was very relevant. When I worked at the University of Washington, it was about half a million devices on the network 15 or 16 years ago. It was a big place. It was a good place to learn. Absolutely, if you want an entry-level job, try to find one at a university. It's going to be the Wild West. You're going to learn a lot, and then you can go into private industry and triple your money.

So the pieces that we put out, and this was a fight internally, because our go-to-market organization is definitely like, well, but what's in it for us? And I say relevancy: going out there, putting our name out there. We published a three-piece series last year on the Great Firewall, based on the leaks that came out. Yes, other people have published about that too, but we took a different angle and broke it down, highly technical, and as somebody who has worked in government and national security before, we had some suspicions on how this thing works, but these leaks actually substantiate a lot of them. And some of the parts were like, whoa, wait, what? They're doing this how? So it was very interesting, and this was one of our best and most well-received pieces. It has nothing to do with DNS. My company does not sell anything that can protect you against the Great Firewall. But yet we published it, and it got our name out there, and so in that case we support it.

So this SpyNote research that we did has some DNS components, and we'll talk about that, but it's just an interesting piece, and it's pretty insidious malware, so it's worth having a talk about. So what is it? It's an Android RAT. It only targets Android. So if you have an iPhone, for that you're fine. But
there's other stuff that's targeting your iPhone. So, by the way, if you're traveling, I highly recommend Lockdown Mode on iOS. It's a really good thing. It's thwarted some things, not just from the actual bad guys, but anyway, if you're traveling across the border, enable Lockdown Mode. I highly recommend it. If you have an Android, the ecosystem is a little bit looser than on the iOS side, and there are a lot of benefits to that. I have both. I primarily use an iPhone, but you've got to be up to date on both sides, so I have an Android as well, and we play around with that a lot.

So SpyNote basically is a remote access trojan that has evolved over the last 10-ish years, and it's pretty insidious. Once it's on your device, it's very difficult to get rid of. It's persistent, so even a reboot or restart of the device isn't going to get rid of it. You might have to do a factory reset, but you have to know in the first place that you have it. It is being used in a fairly targeted way, so the average person in this room probably is not going to get targeted by it, but you just never know. It can record the screen, turn on the camera, record audio, the whole shebang. It can emulate and steal 2FA codes on the device. So you're doing your regular stuff and you're logging into your work or your bank account or something, and there's a 2FA prompt; it'll steal that, and before you know it, that stuff is gone and the bad guys are using it. So it's pretty complicated and sophisticated malware, as these things go. It's being used by APTs primarily, but it also has some cybercrime components.

So it's been around for about 10 years, but it's certainly gone through an evolution. In 2016 there was a .NET tool that was leaked and had some APKs, and that's how it kind of started. I think the biggest change was around 2021, the CypherRAT era, where it's being attributed to this guy, this person we don't know, but we're pretty sure, and from then on it made a pivot into banking, because money, and then in the last couple of years it's been in the modern campaigns, where various APTs use it in a very targeted manner to go after dissidents or any opponents they want to get after.

The way it's being deployed is through fake Google Play Store pages. There are a couple of different ways you can get APKs onto Android. The Google Play Store is the official way, but Android is by design able to sideload, or get packages from different distribution sites. A lot of people like that, but of course you have to be much more discerning to figure out what it is that you're actually installing on your device. So we identified a couple dozen or so fake sites. They all copy the CSS and the HTML from the real Google Play Store, and they typically use new domains that they register for that purpose, try to push it to you through a link or some other lure, and when you go through and install Google Chrome, but not the real thing, or various other ones: they have dating apps, some video editing stuff. It really runs the gamut, and it's not hard to copy the legit page from the Google Play Store and then embed malicious content on it.

So the evolution and attribution are interesting on this. The accessibility features, which most modern devices have, and they are important; I have fairly bad vision, so I use a lot of the accessibility features. But it uses them, for example, to read the screen and ship that off in real time, if that's what the attacker wants, and then it
can do the 2FA theft and keylogging, as I mentioned before. So Google Authenticator codes, etc., it steals them in real time and ships them off. And this is all over a real-time connection over the network. The modern SpyNote versions have some anti-analysis stuff, obfuscation. It turns out it's actually not that hard to reverse engineer. That's not my area of expertise. I have a team of researchers, but I've talked with them, so I feel like I can speak to it even though I've not done the work myself on that part.

So the original developer, EVLF, also known as CypherRAT. Historically this was sold basically as malware-as-a-service; you had to be in various Telegram channels, you could buy the package, or the source code was leaked at one point or another. So there have been a lot of different forks of it, but the current stuff that's out there is pretty sophisticated and pretty solid. The APT groups that we've observed, and also figured out through collaboration with some of our research partners: OilRig, which is APT34. It's Iranian. They're a little busy right now, so probably not too much of that going on this very minute, but they're pretty good at it. Pat-Bear, APT-C-37, which is the Syrian Electronic Army; they've used it for watering hole attacks, mainly targeting the Islamic State, which is their sworn enemy. And then OilAlpha, which is a pro-Houthi group, so Yemen, the Arabian Peninsula, and they're targeting media and international humanitarian organizations, because they want to disrupt the work that they're doing by targeting people in them and making their lives a living hell.

So let's talk a little bit about, you know, I work for DomainTools; we deal with domains. By the way, who here has heard of DomainTools? We've been around for 25 years, so people typically think of us as the WHOIS people. Yes, we have historical WHOIS ownership records going back to 2000, but really we've pivoted, sort of, that's a pun, into active and passive DNS, and I'll show a little bit of that. I don't sell anything; it's not a vendor pitch. I just really love our data. The nice thing about working for a company like this is that I have unfettered access to all of the data, which a lot of our customers have to pay a lot of money for. So that's really nice. And sometimes, on a Saturday, I get a phishing message or something, and I think, this isn't actually half bad. My mom probably would have fallen for this. So I think, let's see what we can figure out. And three hours later, deep down the rabbit hole, I'm like, I almost got them.

Anyway, newly registered versus newly active domains. We track the domain life cycle. If you go out to your favorite registrar (insert registrar here) and get your mynewawesomedomain.com, we detect the registration of a new domain within about five minutes, let's be generous, give or take. Then we'll collect the ownership information, if it's available, although with GDPR, WHOIS and all that has gotten more complicated. Also, now there's RDAP, which is what's supposed to replace WHOIS. We've got
that covered; we collect it. But I don't think WHOIS is ever going to completely go away, because telnet is still technically a thing on the internet, even though you're not supposed to use it anymore. The internet has a hard time killing off old things that people are used to.

So it used to be that, especially for malware distribution or phishing, bad guys would register domains in batches and then turn and burn in 24 hours. They might pre-register a bunch of them, but once you use one, it gets identified, it gets classified as malicious, it gets added to block lists, and then it's done. So you basically have the first 24 hours of a new domain showing up to do your bad work, and then you have to abandon it. So you build your infrastructure, ideally bulletproof, and then just reuse new domains, because what we're blocking on is the domain level. Very little blocking on the internet actually happens at the IP layer, because of virtual hosting: you might block this IP, and all of a sudden 20,000 domains hosted by GoDaddy are unavailable to your enterprise. That doesn't scale. So it's really on a per-domain basis where that makes sense.

Well, the threat actors have figured out that it's somewhat expensive, even though there's a lot of automation now and AI can certainly help with that, to just continuously register new domains and burn them. It's kind of tedious. So they've rediscovered the old domains that have lain dormant for a while, whether they were previously registered and fell out of registration, but because of tools like DomainTools, you can figure out that it's been around since 2002 and then in 2015 it went away. So if I can re-register that, chances are there's still going to be some residual trust associated with that domain, because it has previously been seen and it was previously fine. A lot of the heuristics tools will check how new this domain is, how likely it is to be a threat. So by using older domains that have at least been around for a while, this is the newly active category. They've either been dormant or they fell out of registration, and the threat actor will pick it up right away. And so you're coasting on the previous reputation of those domains. That's what we call newly active domains. We have a way of detecting those as well. So we're seeing a shift: newly registered domains were king for a long time, and now it seems to be coasting more toward trying to reuse previous assets.
So in this research we deliberately infected some devices with SpyNote, ran it in an emulator, did the sandboxing, and recorded all of this, a lot of work, and again most of my colleagues did this work, but they kept me informed on it, and we discussed, hey, what could that mean? Unfortunately, I don't get to sit in the lab much anymore and do all the stuff hands-on as much as I would love to.

There are some commonalities for the current version of SpyNote. For the delivery domains they seem to favor about two registrars, NameSilo and Zet Technology. When you look at the ownership information of the domains, you can at least see who the registrar is; that typically does not get redacted. They seem to prefer a couple of hosting providers, Vultr and LightNode. If you're at all into threat hunting, those will be familiar names; they're not the most savory. SSL/TLS is pretty much table stakes now, but Let's Encrypt has made it so easy to automate that. So they prefer Let's Encrypt, and they use the R10 or R11 certificate versions. So you can kind of identify that. We, for example, capture certificate information for any second-level domain that we scan and discover. We index that, so you can search across a bunch of different metadata off that and make correlations between different domains. And then name servers: they seem to like DNSOwl and "zinc cache," which is related to the registrar up there. And then there are a couple of prominent IPs that showed up where most of the C2 was calling back to. So these are all the facts that we discovered just by analysis of the malware in a sandbox and seeing what it was doing.

We also looked at some of the fake Google Play Store pages and did an on-screen content analysis and, you know, "source code." I hate that, but that's what it's sometimes called. Show me the page source. It's not really source code, but anyway, when you look at the on-page content, you find some commonalities there as well. The structure of the site is typically like index, download.html, and then it has some ID values on it, and in the HTML code itself you find these patterns. So if you have access to something like Shodan or urlscan or some of the other tools, you can actually search for these patterns and identify other domains that do similar things. So, the anatomy of a delivery site.
This is a fake site where they basically just copied the Google Play Store HTML and CSS. Very believable. But the install button is the key. That is not the real install button. Of course, if you pay attention, you could see that the URL is not the Google Play Store or something else. But browsers are so helpful and want to maximize your screen capacity that the second you go there, that goes away, because who cares about the URL; it's the on-page content that you want to see. Oh, and it's got a TLS certificate. It must be secure. So everything is fine with this. No, it's not.

So when you click on the install button, all hell breaks loose. This is the code, which is visible in the page content: basically it creates a hidden iframe and pulls in a JavaScript URI that triggers the fake Chrome APK, which is the first stage, the dropper. And then a nice little graphic: the Android user goes to the fake website, clicks on install, and that's a dropper. So it's multi-stage malware. The dropper gets downloaded. But in this case social engineering remains a key make-or-break thing for these, because Android still tries to protect the user. But of course the social engineering aspect makes it, no, just do this, click on this, and it'll be totally fine. That's totally normal. So this is a fake popup saying, oh yeah, Google needs additional data, confirm. Then the Chrome popup will say, in settings, and you basically are being asked to acknowledge and override the controls that are there, and unfortunately a large share of the people being targeted with that are doing it.

So back to this. Once the user opens the app to confirm, it then pulls in a second APK that's encrypted, and it can generate the decryption key on the fly, which is AES, from the manifest. It does some calculations. By the way, we've published a report on this on our website. If you are super into the nerdy details, you can look it up there. I'm going to skip that here. But basically it's encrypted with AES; it figures out the key, decrypts it, and then the SpyNote APK gets installed, it loads a bunch of stuff, and then reaches out to the command-and-control server, and, you know, game over. So the initial dropper decrypts the payload. Once we decrypted the manifest and all of the included files in the APK, we did a basic analysis to see what it does. The C2 logic, the command-and-control logic, is kind of interesting. There's a DEX file in there that has the actual logic, and it's able to basically pre-calculate what the current domains are that it will reach out and connect to. It's dynamically loaded, which makes updating the software on the fly much easier for the threat actor. And then it has a method to select a domain from a predefined list, which is quite clever, because again they don't want to bother having pre-staged a hundred or a thousand domains just in case one gets blocked. So they dynamically update it as needed, and it's typically a small number of domains that a particular installation of the malware will try to reach out to for C2. Once it has established a connection to the command-and-control server, they can push updates: "Hey, for the next iteration, go to those domains," etc. That's kind of like the old botnet days. Similar idea, just much more refined and much more elegant, in my opinion.

So, a small plug for our shirts. I'm wearing one from last year. It says, "Looks like you're getting ready to make some pizza. Would you like to put glue on that?" Remember when, at one point, I think it was Gemini or something, recommended putting glue on pizza because it scraped Reddit and misunderstood what the actual joke was. Because we've also got to have a little bit of fun when we're doing all of this. We typically come out with a new shirt for every event. This is one of them that's probably going to be for RSA: Mean Girls, "Get in, loser, we're going shopping." "Get in, loser, we're going thrunting." Thrunting, meaning threat hunting. Sorry. Anyway, we have about four or five more shirts that I'm not going to tease here, but if you're going to be at other conferences and you see I'm there, come find me. I usually carry a few of them around and hand them out. It's just
a fun little thing to do. One of them is going to be, "You know me, get down with MCP." So that's a pretty good one.

Let's talk a little bit about passive DNS. Who here in the room would say they understand regular DNS above the level of the average user? Consider yourself a semi-expert. Cool. Yeah, DNS powers everything. The device in your pocket makes thousands of DNS calls every day. Humans are terrible at remembering numbers, but domains are fairly easy to remember, and computers hate domains. So there needs to be a translation mechanism from domain to, basically, IP address. That's well understood. It's been around for over 40 years now. It was invented by Dr. Paul Mockapetris, who I had the fortune of having on my board at the last company. I had a lot of interesting dinner conversations with that guy. Super smart. He works for ThreatSTOP now.

Anyway, when it was originally designed, it did not address certain use cases, and so regular DNS is super good at going from a domain to an IP address. Possibly a CNAME to another domain, but it basically ends up with an IP address nine out of ten times. So that's really great. However, what regular DNS is terrible at is going from an IP address back to a potential domain. Now, you might say, wait, there are pointer records, PTRs. Yeah, they do exist. However, the vast majority of IPs on the internet do not have them. IPv4, some of them do, but IPv6, forget it. There are hardly any pointer records being defined, because they're not required. Also, the forward and the reverse do not have to match. So if you go to google.com, microsoft.com, you get an IP address. If you were to look up the reverse for that IP address, chances are you're going to get something like server1.infra.whatever, blah blah blah. There's no direct correlation to the actual domain it was linked to when you did the first lookup from domain to IP.

The only exception to that, I will say, is probably mail servers. Somebody had a talk yesterday and mentioned SPF and all that kind of stuff. When email works, it's great, but spam is quickly making it harder and harder to use. Those of us of a certain age grew up with email and probably will never give it up, but Gen Z and Gen Alpha are certainly like, "Email? What's that?" So it's going to be a rude awakening when they enter the workforce and old folks like me say, "Hey, I sent you an email," and they're like, "Wait, what? Can't you just Slack me?" Okay.

Anyway, mail servers, and a very rudimentary defense is basically: oh, mail is coming from mx1.domain.com. It's going to look up that IP address, and then it's going to do a reverse lookup, and it better have a pointer record set that points at the exact same thing, or else it's going to get flagged as more problematic, as potential spam, because when a threat actor puts up a malicious mail server to crank out a bunch of spam, they typically don't have control over the zone, the ARPA zone, that the IP is in, and so they can't set the reverse record for it. So the one exception on the internet where a lot of pointer records are present is when it comes to mail service. But in the grand scheme of things, that's still a small percentage.

Anyway, in the mid-2000s, a guy named Florian Weimer, a German guy, which, by the way, if you haven't picked up by now from my accent, I'm not a native English speaker. I have a German accent; that was mentioned in the talk before as well. But there are so many recorded versions of my voice out there that if somebody wanted to deepfake me and call my team, they would probably get away with it. But anyway, Florian Weimer came up with the idea: you know what, what if we captured
the exchange between a recursive DNS server and the authoritative server, recorded both sides, the question and the answer, shoved it into some kind of database, and made it queryable? And so passive DNS was born.

Normally when you do DNS lookups, your computer obviously does it automatically. And let's assume DoH and DoT are not in play. Let's go with old-school, just regular DNS. So your ISP at home, your mobile phone provider, your employer, your university, etc., when you connect to their network, will not only give you an IP address, typically dynamically assigned via DHCP, but the other thing they have to give you is a default gateway, but that's TCP/IP, and the only other thing that they have to give you is a way to communicate with a DNS server. That has to be given as an IP address, because you have a chicken-and-egg problem: if they give you the name server as a name, how do you look up what the IP is for that? That doesn't work. So, for example, Comcast, Xfinity, is very prevalent in these parts, so their DNS servers are 75.75.75.75 and 75.75.76.76. We all know about Quad8, Google's open recursor on the internet. There's also Quad9, which is nonprofit, and they give you a little bit of extra protection. Big fan of that. There's also Quad1, which we shall not talk about: Cloudflare.

Anyway, you're given this information when your computer connects to the network. Typically those are called recursive resolvers. So what happens when you go to myawesomenewsite.com? The recursive server says, "Okay, let me check. Do I have this in my cache, in my memory? No. Okay. I'm going to go out to the root name server and say, hey, do you know about this domain?" And the root server says, "No, but I can tell you who is authoritative for the com TLD." Okay, I'm going to talk to the TLD name server, in this case for com, and say, hey, what's the IP address for this domain? And it's going to say, "I don't really know, but I know who's authoritative for that domain, so I'm going to send you there." And then finally the recursive DNS server will go to the authoritative name server for the domain that you're looking up, and it says, "Oh, here's the IP address, have a good day." It will also give you something called a TTL value, a time to live. It's something that the administrator of that DNS zone has set for how long, in seconds, that record is supposed to be good before it has to be refreshed.

When the internet breaks, nine out of ten times it's DNS. It might be AWS, it might be Microsoft, but it's really DNS. Big oopses happen when a critical infrastructure piece has a very long TTL. So you have a thing that gets looked up all the time, and the TTL might be a day, seven days, something crazy long. The average TTL is like 30 minutes, 60 minutes, something like that. The longer you make it, the more resilient you are, because even if the DNS infrastructure for the lookups isn't there, if your recursive server still has that cached in its memory, you're still going to get the answer. You're still going to be able to access the resource. That's great. However, if you have to change something, like a domain has to change IPs because you're moving data centers or something, you want a very low TTL, because if it's cached in the recursive for a really long amount of time, you're not going to get the updated answer until that cache expires. So there's good and bad about this, but basically the recursive server will cache the answer in its memory, and it will decrement the seconds that are set in the TTL. When it expires, it flushes the cache. Now, if it's a popular domain, it's just going to get asked again and again. But in the meantime, until that cache expires, any question that is asked of that recursive server gets answered from memory. It's faster, it's more efficient, you don't have to do a whole bunch of stuff, clog up the pipes, etc. So when I say cache miss here on this slide, it means every time the cache expires, or it's never had it in its cache in the first place, it goes out and does the song and dance.

We operate a global sensor network. There are other passive DNS providers, by the way. I'm not saying they're garbage. We have the best data, but, you know. So basically we capture the information from the recursive server and the authoritative name server,
the communication between it's privacy by design. I don't know who makes the query. I don't want to know who makes the query. That's private. I don't care. When we uh partner with new operators of uh recursive servers basically we want at least a thousand users ideally. more is better because then yes you could possibly say like one one user of those a thousand made this query but it's pretty hard to attribute that and when you have you know million users behind one of those it becomes impossible I can still tell yeah I came from this recursive server farm but there might be 36 servers and you know lots and lots of users so we we care about privacy a lot
and we do not want to capture uh the patterns of individuals so when we um capture this information, it gets submitted in real time to our processing stack. We do verification, BA verification for you DNS nerds who know what what that is. Um, we do dduplication because you can imagine on a global network, Google gets looked up millions and millions of times a second and if it arrives at our stack at the same time and it's exactly the same thing, we have to dduplicate it because it wouldn't make sense to have multiple inputs in a database. But from the time that a domain gets looked up on an instrumented server uh before it is querable in the database uh best case
scenario is 2 minutes. Uh it can be faster sometimes it can be a little bit slower but it's it's pretty fast as those things go. So what what why am I telling you all this? It's a super valuable tool for threat hunting. You can now do things that regular DNS was not designed for. You can say given this IP address tell me all of domains that have ever been associated with that IP address that had that IP as its a record. The data goes back down to 2010 so 15 16ish years worth of data. Um if you know the incident happened like between March of 2023 and you know January of 24 or something you could
limit and do the searches just in that time frame. But if you're like, I just want to know what's going on with this and where things have moved, you can say, give it to me all time. What I really like is I used to run the engineering team at a company called Fireside Security, which I got acquired by domain tools. So DNSTV is near and dear to my heart because I used to manage the developers and you know what's a quasi um product manager for that thing. Uh query performance is really important to me. There's some other sources there where you make a complex query and you hit enter and you go get a cup of coffee and you come back
and it's not done. You're like, "Okay, uh maybe I'm going to go grab a snack and you come back and it's not done." It's like maybe you go to lunch and maybe it's done. If I run queries against DNSTB and the query does not come back in under two seconds, I'm calling ops because something is wrong. So, uh very performant and you can pivot to your heart's content. This is where the rabbit hole gets really uh difficult or very tricky because you can say give me this IP address tell me all of the other domains and of course then you can say given those domains show me where those are connected or where are those
are you can kind of think of a passive DNS database not just ours as um the way back machine for DNS basically you can see where assets have moved you can see um if you have the ownership uh information correlated it's a nice complimentary data source you can pretty much map an adversar's infrastructure because the thing about DNS, you can be deceptive, but DNS can't lie. It doesn't work otherwise. So, you might not know who is behind something, but you can see that a particular record was pointed here, did this, etc., and it moved over time. Oh, there was a takedown, it went away for a while, then it popped up again over there. Uh, you can also do
things like uh make connections between seemingly unrelated domains. That's super powerful. you're you're hunting a particular threat actor and you know with you know high degree of certainty that this particular domain is involved because thread actors as I previously mentioned like to invest in like bulletproof hosting they turn and burn domains they don't care but the the IP uh space and the servers where they actually host the actual stuff and sometimes in the cloud um is something that they built in such a way that it's hard to take down probably in jurisdictions where law enforcement maybe turns a blind eye or doesn't even exist etc. So by being able to make the correlation and to map the
infrastructure that way it's a super powerful tool uh to get a lay of the land what an adversar's infrastructure might actually be. Now the other thing is it's called passive DNS for a reason because it's passively observed and if you query the database you do not give away that you're investigating. If you're doing active DNS lookups like okay you know do a dig on this particular domain. If the threat actor is sophisticated, they will control the authority servers for that particular domain and they will watch if it gets looked up because they can just sit there and say, "Oh, there's packets coming in asking about this domain. Nobody should know about this domain. We haven't weaponized it yet. We haven't
deployed it yet. Why are there queries coming from the internet about this particular domain? Somebody is clearly on to us." So by using passive DNS because all of the information was made by real users somewhere around the world at some point or another investigations you do in passive DNS stay passive. You do not tip your hat against thread actors because they can't see that you're actually doing those lookups. Now you will say that there might be some delay and uh if they are very sneaky and then changing some values and we haven't observed an update yet that is a risk but it's better than giving away the fact that you're investigating them. Yes. Question. >> Someone already looked it up right?
>> Yes.
>> So they already know that.
>> It might have been them.
>> Yeah. They're testing infrastructure. They're doing some small deployment. And because we have lots and lots of sensors out there, and we don't really talk about where they are specifically, we have pretty good coverage, and we oftentimes will catch the adversaries testing their infrastructure early on. You'll see there'll be like one or two lookups, that's it, and then all of a sudden it spikes and now there's a million lookups, and then it goes away again because it got blocked.

So, the power of the pivot. In this particular example with SpyNote, one of the C&C domains was (spelling it out) ms k i s d a kw is googly cook, on the .top TLD. That is a very dirty TLD; if you're into malware research, this will be familiar. So you look up the A record. Now, you could do that of course in regular DNS, but again, you might give away to the threat actor that you're looking at it. So you might as well look it up in passive DNS. And by the way, there will be a timestamp of the latest observation of that. If that's a year old, I'll be like, "Yeah, maybe that's not credible." But if it's from, you know, 5 minutes ago, probably pretty good. So then, using that IP address, you can now do the reverse lookup, basically, and say, tell me all of the domains that have this particular IP address set as their A record. So in this particular case, it's a small thing, but we found about 10 other domains. But then when you pivot on each of those domains you just found, you can enumerate over a thousand additional IPs that have been used, are actively being used, or that they switch back and forth between. So now the rabbit hole got really deep, because now you can take those IPs and say, "Show me all the domains that are associated with them." And there's going to be some chaff in there, but you will likely be able to enumerate future C&C domains that they're staging and getting ready. And that's a really powerful tool, because you can then develop a block list against that and say, you know what, we haven't seen those yet, but chances are they're coming. I'm going to block them in my enterprise, either at the DNS layer or with EDR or something. When somebody then tries to access them, they will not be able to get infected, because the communication with the downloader can't be made.

This is a bit of an eye chart, but this is just showing the work, basically. So this is the web front end for our database. I looked it up. I said, show me all of the A records, and it found, in this case for A records specifically, seven results. But the IP that we mentioned previously, 1992476.61, is prominently right there. And then if we pivot on that (we talk about left-hand side and right-hand side; left-hand side basically meaning the domain, right-hand side being the answer, being the IP address), because we index both sides, you can search for the answer to get what the question was in the first place. And so in this case, you pivot over to our data, put in the IP address, and now we find 10 domains that also have this as their A record. And then you go from there and you pick one of them. You can run all 10 of them, but I just picked one of them, and I found another, a little over 1,100 IPs that were associated with that particular malicious domain. And now of course, I didn't put it in the slides, but you can script this, you can automate it, you can use AI, we have an MCP server, you can just ask the question against it, basically: given the results of this query, now run me all of the domains that are associated with these IP addresses. And then it just gets crazy from there.

So, the key thrunting takeaways. By the way, Sherrod DeGrippo, who works for Microsoft, I believe coined that term, so shout out to her. Thrunting, threat hunting. I kind of like it. It's a little cringy, but I still like it. So the key takeaway is that not all young domains are bad, but a lot of bad domains are young. That's still true, but it's slightly shifting, and it'll probably swing back again. It's kind of a pendulum. Patterns can be identified, and so not trusting young domains can help. You also saw the domain was kind of nonsense; sometimes, especially in the old domain generation algorithm days, but that's also kind of making a little bit of a resurgence. If you identify a pattern in some of those domains, we have full regex capability to search across any label of a fully qualified domain name. So if you figure out what the pattern is, you might find a whole bunch more that you previously weren't thinking of. It helps defenders protect against these threats. So we can put them in block lists. We can put them in the EDR and say, don't let any machines that we manage talk to these. But hunters can make connections and enumerate the adversaries' infrastructure and try to get ahead of it. See what's coming next. That's the best case scenario.

IP reuse is common because it's difficult to get solid IPs. IPv4, obviously, is exhausted, and IPv6 is coming any day now. We have IPv6, but I can tell you, unless you're on a certain mobile carrier who basically runs their entire internal network between the handset and their infrastructure on IPv6... but of course, 70% of the internet is still only reachable by IPv4. So there have to be six-to-four translations, so might as well. So IPv6 was a great idea, but the implementation was crap, and so I don't think humans will ever fully adopt it. It's not going away, but it's not going to take over the internet. Mark my words. So they use the same IPs because those are difficult to establish once they are solid. But passive DNS is a powerful tool to find these domains in the wild. Because the internet runs on DNS, there's almost no way around that. Yeah, you can do some direct IP stuff, but it doesn't scale, especially when you push it to an end user. It's too limiting. So domains and domain names are sticking around, and being able to use them for threat hunting is really a very powerful tool. And if that's of interest, come see me later. Questions?

>> Yes.
>> What's the name of your MCP server? And is there a free tier?
>> We're about to go GA with that for RSA, so that will be an announcement. The use of it is free, but basically it's a fancy API gateway. So you have to have an API key to the underlying data to be able to use it. So we're not going to charge for access to the MCP, but you have to be a customer of the underlying data set, which it makes more easy to consume.
>> I'm an academic. Is there an academic tier?
>> Yeah, as a matter of fact, we run a grant program for academic researchers and investigative journalists. I'll be at the NICAR conference, which is a conference of investigative journalists, next week, where I'll teach them how to use DNS to develop leads and stories. So if you email grants@domaintools.com, we'll see what it is that you're researching, and chances are we'll grant you access. Yes.
>> So if you have an A record and you are trying to pin it to a domain and you decide to pop into the Google and you do the search and you find in the last two months 10,000 plus, you hit that limit. Do you have any tips for then trying to whittle that down? Because you can't go in and search all those.
>> Automation, AI. As much as I'm an AI skeptic and somewhat reluctant about that kind of stuff, it's really good, because you give it the data and you ask it some questions and then it does all the hard work. So that is useful, but you kind of have to know what you're looking for a little bit, because it might wildly go crazy and be like, "Hey, I see a thing." I'm like, "No, you're hallucinating." But all right, thanks, everybody. Go to lunch.
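The domain → IP → domain pivot the talk walks through, as an added example that is not the speaker's code and not DNSDB's API. It models a passive DNS store that indexes both the left-hand side (the name asked) and the right-hand side (the answer), runs a breadth-first pivot from one known name with a time window so stale records are ignored, caps the fan-out of any one IP so shared hosting does not drag in chaff (that cap is this example's own heuristic), and flags low-volume names of the "one or two lookups" kind the speaker describes as early infrastructure testing. All names and addresses are constructed (`.example` names, RFC 5737 TEST-NET ranges); the `PassiveDNS`, `pivot` and `low_volume` names are hypothetical.

```python
"""Passive DNS pivoting over a constructed, in-memory dataset (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Observation:
    rrname: str         # left-hand side: the name that was queried
    rrtype: str
    rdata: str          # right-hand side: the answer (an IPv4 address for A records)
    first_seen: datetime
    last_seen: datetime
    count: int          # how many times the sensors observed this exact pair


def _ts(day: str) -> datetime:
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample data (hypothetical): one known C&C name, two siblings on the
# same host, a newer host with a barely-seen name, one stale record from last year,
# and one shared-hosting address with many unrelated names on it.
SAMPLE = [
    Observation("seed-c2.example",    "A", "192.0.2.10",    _ts("2024-03-02"), _ts("2024-03-20"), 1400),
    Observation("seed-c2.example",    "A", "198.51.100.7",  _ts("2023-11-01"), _ts("2023-11-03"),    2),
    Observation("staging-01.example", "A", "192.0.2.10",    _ts("2024-03-05"), _ts("2024-03-19"),  310),
    Observation("staging-02.example", "A", "192.0.2.10",    _ts("2024-03-06"), _ts("2024-03-18"),   95),
    Observation("staging-01.example", "A", "192.0.2.44",    _ts("2024-03-15"), _ts("2024-03-21"),   40),
    Observation("future-c2.example",  "A", "192.0.2.44",    _ts("2024-03-21"), _ts("2024-03-21"),    2),
    Observation("staging-02.example", "A", "203.0.113.5",   _ts("2024-03-10"), _ts("2024-03-17"),   12),
    *[Observation(f"site{i}.example", "A", "203.0.113.5", _ts("2024-01-01"), _ts("2024-03-22"), 500)
      for i in range(6)],
    Observation("unrelated.example",  "A", "203.0.113.200", _ts("2024-03-01"), _ts("2024-03-22"),   77),
]


class PassiveDNS:
    """Tiny stand-in for a passive DNS store that indexes both sides of every record."""

    def __init__(self, observations):
        self.by_name = defaultdict(list)    # rrname -> observations (question side)
        self.by_rdata = defaultdict(list)   # rdata  -> observations (answer side)
        for o in observations:
            self.by_name[o.rrname].append(o)
            self.by_rdata[o.rdata].append(o)

    def lookup(self, rrname, rrtype="A", since=None):
        """Forward lookup: all answers ever seen for a name, optionally only recent ones."""
        return [o for o in self.by_name[rrname]
                if o.rrtype == rrtype and (since is None or o.last_seen >= since)]

    def lookup_rdata(self, rdata, rrtype="A", since=None):
        """Reverse lookup: every name that has had this answer, optionally only recent ones."""
        return [o for o in self.by_rdata[rdata]
                if o.rrtype == rrtype and (since is None or o.last_seen >= since)]


def pivot(pdns, seed, since=None, max_hops=4, max_fanout=5):
    """Breadth-first name -> IP -> name pivot from one known name.

    Returns ({name: hop_distance}, {ip: hop_distance}). An IP shared by more than
    max_fanout names inside the window is treated as shared hosting (chaff): it is
    recorded but not walked through. The fan-out cap is an assumption of this example.
    """
    names = {seed: 0}
    ips = {}
    queue = deque([(seed, 0)])
    while queue:
        name, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for obs in pdns.lookup(name, since=since):
            ip = obs.rdata
            if ip in ips:
                continue
            ips[ip] = hops + 1
            siblings = {o.rrname for o in pdns.lookup_rdata(ip, since=since)}
            if len(siblings) > max_fanout:
                continue            # too many tenants: likely shared hosting, do not expand
            for sib in siblings:
                if sib not in names:
                    names[sib] = hops + 2
                    queue.append((sib, hops + 2))
    return names, ips


def low_volume(pdns, names, max_count=5):
    """Names from a pivot that were barely queried: candidates for staged, not-yet-used infrastructure."""
    return sorted(n for n in names if sum(o.count for o in pdns.by_name[n]) <= max_count)


if __name__ == "__main__":
    store = PassiveDNS(SAMPLE)
    found, addrs = pivot(store, "seed-c2.example", since=_ts("2024-03-01"))
    print("names:", found)
    print("ips:", addrs)
    print("barely seen:", low_volume(store, found))
```

Running it with the March 2024 window reaches `staging-01`, `staging-02` and `future-c2` (two hops and four hops out), records `203.0.113.5` but refuses to expand it because seven tenants share it, and never touches the stale `198.51.100.7` answer; dropping the `since` window pulls that old address back in, which is the "all time" search the speaker mentions. `low_volume` singles out `future-c2.example` as the name seen only twice.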