One of my favorite talks was by a gentleman by the name of Frankie Li (aka Ran2). In his talk titled “APT Attribution and DNS Profiling” he discussed the challenges in dissecting multiple attacks and attributing them to a single APT threat actor. Now I want to be clear: when I say APT threat actor I don’t necessarily mean a single person. Many times APT threat actors are what we call “state sponsored” and are essentially a team of hackers and security experts employed by a foreign government. But back to the talk: Mr. Li pointed out that it is very difficult to attribute attacks to campaigns, and that companies do this attribution in many different ways. Mr. Li described a different way of doing this attribution.
Let’s set up the talk by explaining a few things first. When APT actors develop malware they usually develop an infrastructure through which they can communicate with the hosts they have infected. This is referred to as Command and Control, or C2. C2 is usually a covert channel, meaning that they use protocols like HTTP/HTTPS, IRC and even DNS to communicate back to the mother ship, making it very difficult for cyber defenders to differentiate between legitimate traffic and malicious C2 traffic. Once an actor has his/her infrastructure set up they will embed either IP addresses or DNS names into the malware. This allows the malware to dial home once it has been installed and allows the actors to have “hands on keyboard” access to the compromised host.
What Mr. Li theorized and tried to prove is that APT actors, especially state sponsored ones, have a team that is in charge of registering DNS names for their C2 infrastructure. He made the point that when you register a DNS name with a domain registrar like GoDaddy you need to provide several pieces of information, such as a valid email address, name and street address. Now this information could be very valuable to a cyber defender when trying to group several attacks into one campaign, and here’s why. When these registration teams go to register DNS and IP pairs they most likely register hundreds or thousands of domain names. When they do this they input the same information for each registration and “park” the domain or assign it an IP address, and wait until it needs to be used for a specific attack. Now when the attack is ready to start they change the whois information for the domain and add additional A records, or DNS-IP pairs. At this point you may have two different attacks from the same actor with different DNS-IP pairs and whois information. Wouldn’t it be great if, as a cyber defender, you could look at the historical whois and DNS zones? Well it is possible with the help of Virus Total and Passive DNS.
According to Virus Total, Passive DNS is “a technology which constructs zone replicas without cooperation from zone administrators, based on captured name server responses.” What this means is that Virus Total queries certain DNS names and IP addresses and saves their responses in a historical database that anyone can query. Now you have the ability to see what IP address a certain DNS name was parked at before an attack was kicked off and the DNS zone was changed.
What Mr. Li did was create a sort of plugin for Maltego, which is a visualization product that queries open source intelligence systems and presents graphs that link certain pieces of information together. This plugin queries passive DNS and whois to find historical references to certain DNS-IP pairs, and helps cyber defenders correlate different DNS names and IP addresses together and tie them to a specific threat actor. As an example Mr. Li posted a YouTube video showing what his plugin can do.
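To make the correlation concrete, here is an added Python example (not Mr. Li's plugin and not the Virus Total API) that clusters domains by the two pivots described above: IPs shared in passive DNS history, including the pre-attack parking IP, and registrant e-mail addresses shared in historical whois records. All domains, IPs and e-mail addresses are constructed sample values.

```python
from collections import defaultdict

# Constructed sample data, not real indicators. Passive DNS history as
# (domain, ip, first_seen): both C2 domains sat parked on one shared IP,
# then moved to separate IPs when the zone was changed for the attack.
PASSIVE_DNS = [
    ("update-check.example", "198.51.100.10", "2014-01-05"),
    ("update-check.example", "203.0.113.7", "2014-03-02"),
    ("news-feed.example", "198.51.100.10", "2014-01-06"),
    ("news-feed.example", "203.0.113.9", "2014-04-11"),
    ("unrelated.example", "192.0.2.50", "2014-02-01"),
]
# Historical whois snapshots as (domain, registrant_email, seen); the
# registrant switched to a privacy proxy once update-check.example went live.
WHOIS_HISTORY = [
    ("update-check.example", "reg-team@mail.example", "2014-01-05"),
    ("update-check.example", "privacy@proxy.example", "2014-03-02"),
    ("news-feed.example", "reg-team@mail.example", "2014-01-06"),
    ("unrelated.example", "someone@else.example", "2014-02-01"),
]

def build_graph(pdns, whois):
    """Undirected graph: each domain linked to every IP and registrant e-mail it ever had."""
    pairs = [(d, "ip:" + i) for d, i, _ in pdns] + [(d, "email:" + e) for d, e, _ in whois]
    graph = defaultdict(set)
    for domain, pivot in pairs:
        graph["domain:" + domain].add(pivot)
        graph[pivot].add("domain:" + domain)
    return graph

def cluster_domains(pdns=PASSIVE_DNS, whois=WHOIS_HISTORY):
    """Connected components as sorted domain lists: one cluster per chain of shared pivots."""
    graph, seen, clusters = build_graph(pdns, whois), set(), []
    for start in graph:
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:                      # iterative depth-first search
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                component.add(node)
                stack.extend(graph[node])
        clusters.append(sorted(n[7:] for n in component if n.startswith("domain:")))
    return sorted(clusters)

def shared_pivots(pdns=PASSIVE_DNS, whois=WHOIS_HISTORY):
    """Pivots tied to two or more domains: the evidence that holds a cluster together."""
    return {p: sorted(d[7:] for d in nbrs) for p, nbrs in build_graph(pdns, whois).items()
            if not p.startswith("domain:") and len(nbrs) > 1}
```

With the sample data, the two C2 domains land in one cluster because they share the parking IP and the registrant e-mail even though their live IPs and current whois differ, while the unrelated domain stays on its own.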
Finally, Mr. Li has posted the source of his Maltego plugin to Google Code and released it under the GNU GPL license. You can find the source code and installation instructions here. You can also find information on how to query Virus Total for passive DNS and historical IP reports here and here.
In conclusion, I think this tool is a great asset to the information security community. It will help cyber defenders better attribute APT attacks to campaigns and to threat actors. I hope that you check out the code and YouTube videos and use them in your organization as well.