APT Attribution and DNS Profiling

Advanced Persistent Threat (APT) attacks are highly organized and are launched for prolonged periods. APT attacks exhibit discernible attributes or patterns. In order to maintain the command and control (c2) network redundant, APT attacks are generally embedded with multiple DNS names. An intuitive view is that APT attackers keep and control a high number of DNS-IP address pairs. Most of existing malware attribution works placed great emphasis on grouping the technological or behavioral contexts from the malware binaries. 

Frankie Li studied a small sample of malware from a specific victim group who had been subjected to APT attacks. The study indicates that the attackers follow some behavioral patterns of registering DNS domains and the frequently use of stable DNS-IP pairs. The gatherings of such evidence regarding malware binaries are not complicated. But it requires tedious online queries of open source information. 

The team developed an automated solution to simplify the tasks of collecting and storing the information as a database for future analysis. Once the initial set of malicious DNS-IP pair, "parked domain" and "whois information" are identified; the database can be called to perform updates manually. This database can be used for further analysis by a visualization tool, and for identification of the possible identity or personas of the attackers. In the study Maltego was used for analysis.

Frankie Li had presented his work at Blackhat, USA 2014.      

The video of the said presentation: