BlackHat资料us-14-Li-APT-Attribution-And-DNS-Profiling-WP.pdfVIP

Abstract Advanced Persistent Threat (APT) attacks are highly organized, continue for prolonged periods, and exhibit discernible attributes or patterns. To maintain command and control network redundancy, APT attacks are generally embedded with multiple domain name system (DNS) names. Intuitively, APT attackers maintain and control a large number of DNS–internet protocol (IP) address pairs. The majority of existing studies on malware attribution greatly emphasize grouping the technological or behavioral contexts from malware binaries. In this study, we examined a small sample of malware from a specific victim group that had been subjected to APT attacks. Results show that the attackers followed specific behavioral patterns involving registering DNS domains and frequent use of stable DNS–IP pairs. Although gathering such evidence from malware binaries is not complicated, tedious online queries regarding open source information are required. We developed an automated solution to simplify the collection and storage of information as a knowledge base for future analysis. Once the initial set of malicious DNS–IP address pairs, parked domains, and whois information are identified, the database can be used to perform updates manually. This database can be used for further analysis using a visualization tool as well as to identify the possible identities or personas of the attackers. We used Maltego to perform the analysis in this study. 1. Introduction The attribution of malware attackers pose a challenge to malware analysts. Most researchers extract technological artifacts from malware binaries and perform data mining analysis to determine the identity of attackers or at least fingerprint partial information of malware authors. When studying Windows malware, the portable executable (PE) hea