APT Attribution and DNS Profiling

Presented at Black Hat USA 2014, Aug. 6, 2014, 2:50 p.m. (25 minutes).

Advanced Persistent Threat (APT) attacks are highly organized and are launched over prolonged periods. APT attacks exhibit discernible attributes or patterns. To keep the command and control (C2) network redundant, APT malware is generally embedded with multiple DNS names. An intuitive view is that APT attackers keep and control a high number of DNS-IP address pairs. Most existing malware attribution work has placed great emphasis on grouping the technological or behavioral contexts extracted from the malware binaries. We studied a small sample of malware from a specific victim group that had been subjected to APT attacks. Our study indicates that the attackers follow certain behavioral patterns when registering DNS domains, and that they frequently use stable DNS-IP pairs. Gathering such evidence about malware binaries is not complicated, but it requires tedious online queries of open source information. We developed an automated solution to simplify the tasks of collecting the information and storing it in a database for future analysis. Once the initial set of malicious DNS-IP pairs, "parked domains" and "whois information" is identified, the database can be updated manually. This database can then be used for further analysis with a visualization tool, and for identification of the possible identity or personas of the attackers. In our studies, we used Maltego for the analysis.
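As an added illustration of the kind of database the abstract describes (this is not code from the talk, from VXRL, or from Maltego), the Python sketch below stores DNS-IP observations and registration records in SQLite, then answers the three questions an analyst would ask of it: which DNS-IP pairs are stable over time, which IPs are shared by several domains (pivot points between samples), and which domains share a registrant. It also emits a generic edge list that a graph tool can import; that edge-list format is my own, not Maltego's. Every observation and whois record is constructed sample data: the domains are reserved example names, the IPs come from the RFC 5737 documentation ranges, and the sample ids are placeholder labels rather than real hashes.

```python
import sqlite3
from collections import defaultdict

# Constructed sample data (not real infrastructure). Domains are reserved
# example names, IPs are from RFC 5737 documentation ranges, sample ids are
# placeholder labels. Format: (observed_date, sample_id, domain, ip)
OBSERVATIONS = [
    ("2014-01-05", "sample-A", "update.example.net", "192.0.2.10"),
    ("2014-02-05", "sample-A", "update.example.net", "192.0.2.10"),
    ("2014-03-05", "sample-A", "update.example.net", "192.0.2.10"),
    ("2014-01-05", "sample-A", "cdn.example.org", "198.51.100.7"),
    ("2014-02-05", "sample-A", "cdn.example.org", "203.0.113.44"),  # IP moved
    ("2014-01-20", "sample-B", "update.example.net", "192.0.2.10"),
    ("2014-01-20", "sample-B", "mail.example.com", "192.0.2.10"),
    ("2014-02-20", "sample-B", "mail.example.com", "192.0.2.10"),
    ("2014-03-01", "sample-C", "news.example.com", "198.51.100.99"),
]
# Constructed registration records: (domain, registrant_email, registered_on)
WHOIS = [
    ("update.example.net", "reg1@example.com", "2013-11-01"),
    ("mail.example.com", "reg1@example.com", "2013-11-02"),
    ("cdn.example.org", "reg2@example.com", "2013-06-15"),
    ("news.example.com", "reg3@example.com", "2014-02-01"),
]

SCHEMA = """
CREATE TABLE dns_ip (observed TEXT, sample_id TEXT, domain TEXT, ip TEXT,
                     UNIQUE (observed, sample_id, domain, ip));
CREATE TABLE whois (domain TEXT PRIMARY KEY, registrant TEXT, registered TEXT);
"""


def build_db(observations=OBSERVATIONS, whois=WHOIS, conn=None):
    """Create the database, or update an existing one. The UNIQUE constraints
    make repeated manual updates with overlapping data idempotent."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
        conn.executescript(SCHEMA)
    conn.executemany("INSERT OR IGNORE INTO dns_ip VALUES (?, ?, ?, ?)", observations)
    conn.executemany("INSERT OR IGNORE INTO whois VALUES (?, ?, ?)", whois)
    conn.commit()
    return conn


def stable_pairs(conn, min_dates=2):
    """Domain/IP pairs observed on at least `min_dates` distinct dates where the
    domain never resolved to any other IP in the data set."""
    rows = conn.execute(
        "SELECT domain, ip, COUNT(DISTINCT observed) FROM dns_ip GROUP BY domain, ip"
    ).fetchall()
    ips_per_domain = defaultdict(set)
    for domain, ip, _ in rows:
        ips_per_domain[domain].add(ip)
    return sorted((d, ip) for d, ip, n in rows
                  if n >= min_dates and len(ips_per_domain[d]) == 1)


def shared_ips(conn):
    """IPs that more than one domain resolved to: candidate pivots linking
    samples that share no domain name."""
    query = ("SELECT ip, GROUP_CONCAT(DISTINCT domain) FROM dns_ip "
             "GROUP BY ip HAVING COUNT(DISTINCT domain) > 1")
    return {ip: sorted(domains.split(",")) for ip, domains in conn.execute(query)}


def registrant_clusters(conn):
    """Domains grouped by registrant e-mail, keeping only groups of two or more."""
    clusters = defaultdict(list)
    for domain, registrant in conn.execute("SELECT domain, registrant FROM whois"):
        clusters[registrant].append(domain)
    return {r: sorted(ds) for r, ds in clusters.items() if len(ds) > 1}


def edge_list(conn):
    """Generic (source, target, relation) edges for import into a graph tool."""
    edges = set()
    for sample_id, domain, ip in conn.execute(
            "SELECT DISTINCT sample_id, domain, ip FROM dns_ip"):
        edges.add((sample_id, domain, "contains"))
        edges.add((domain, ip, "resolves_to"))
    for domain, registrant in conn.execute("SELECT domain, registrant FROM whois"):
        edges.add((registrant, domain, "registered"))
    return sorted(edges)


if __name__ == "__main__":
    db = build_db()
    print("stable pairs:", stable_pairs(db))
    print("shared IPs:", shared_ips(db))
    print("registrant clusters:", registrant_clusters(db))
    for edge in edge_list(db):
        print("%s -> %s (%s)" % edge)
```

On the constructed data, sample-A and sample-B are linked twice over: both embed update.example.net, and mail.example.com resolves to the same IP while sharing a registrant e-mail with update.example.net. The cdn.example.org pair is excluded from the stable set because its IP changed between snapshots, which is the behaviour the stability filter is meant to separate from long-lived C2 infrastructure.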


Presenters:

  • Frankie Li - VXRL Research
    Ran2 is an independent researcher specializing in computer forensics and malware analysis. He is a security researcher for the Valkyrie-X Security Research Group (vxrl.org), a member of the Information Security and Forensics Society (ISFS), the Professional Internet Security Association (PISA), the International High Technology Crime Investigation Association, Asia Pacific Chapter (HTCIA), and The Honeynet Project, Hong Kong Chapter. He is also a part-time lecturer for the Digital Forensics classes offered by HKU SPACE and for SANS mentored courses. Ran2 holds a master's degree in ECom/IComp from The University of Hong Kong. He also holds several industry designations, including Certified Information Systems Security Professional (CISSP), GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Reverse Engineering Malware (GREM).
