[CB18] Discover traces of attackers from the remains of disposable attack infrastructure - Detection indicator diagnosis system with dynamic/static DNS forensics by Tsuyoshi Taniguchi & Kunihiko Yoshimura
To detect malicious activity we often rely on blacklists. Blacklists are useful, but the malicious domain names they contain are static threat intelligence from the moment we receive them, whereas the behavior of those domain names depends entirely on the adversary. Advanced adversaries change their attack infrastructure within a short time to avoid tracking; in extreme cases a malicious domain name expires soon after we receive it in a blacklist.
Previous studies have concentrated on deciding whether unidentified domain names are malicious. Once an unidentified domain name proves to be malicious, operators simply add it to their blacklists and wait for the next update.
We have already presented our research on “Detection index learning based on cyber threat intelligence and its application” and continue to concentrate on the effective use of known threat intelligence. In this presentation we present an extended framework for examining indicators with the Domain Name System (DNS), both actively and passively. In short, for each malicious domain name taken from a blacklist we query it directly (active DNS) while also learning its history from the DNS point of view (passive DNS), covering both surviving and disposable domain names. From this we form an opinion: for example, that one malicious domain name is likely to stay in use, while another will disappear soon, in which case we recommend preparing for the adversary's next activity. We implemented an indicator diagnosis system on this extended framework and will show several case studies of its diagnosis results.
1. Copyright 2018 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED
Discover Traces of Attackers from the Remains of Disposable Attack Infrastructure - Indicator Diagnosis System with Dynamic/Static DNS Forensics
CODE BLUE 2018
Track 2 (November 2nd, 2018)
FUJITSU SYSTEM INTEGRATION LABORATORIES LTD.
Tsuyoshi TANIGUCHI, Kunihiko YOSHIMURA
2. Tsuyoshi TANIGUCHI
Fujitsu System Integration Laboratories, Researcher, Ph.D.
Mar. 2008 - Hokkaido University, Ph.D. (computer science)
A Study on Correlation Mining Based on Contrast Sets
Not hypothesis testing but discovery science
Characteristic relations: from patterns that appear frequently to relations that show large differences after some conditioning
Apr. 2008 - Researcher, FUJITSU
Apr. 2016 - Researcher, FUJITSU SYSTEM INTEGRATION LABORATORIES LTD
Nov. 2017 CODE BLUE Day0 Special Track, Counter Cyber Crime Track
Detection index learning based on cyber threat intelligence and its application
Searching for treasures in a vast amount of threat intelligence
3. Overview of Indicator Learning
[Diagram: CTI data sources 1, 2 and 3 are preprocessed into subgroups 1, 2, ..., i; indicator learning over the subgroups fills the indicator DB]
CTI: Cyber Threat Intelligence
4. Weighting Indicators
Contrast IP addresses or domain names between two subgroups
Contrast Set Mining [Bay et al. 2001]
Emerging Patterns [Dong and Li 1999]
[Diagram: itemset A (IP addresses, domain names) is identifiable in subgroup 1 and does not appear in subgroup 2; the subgroups are formed by malware family or campaign]
5. IP Addresses Which Multiple Adversaries Shared
Over 99% of IP addresses: single subgroup
Under 1%: multiple subgroups (456 / 58048 = 0.79%)
6. Indicator Lifetime Learning
Indicator selection: long lifetime vs. disposable
Indicators: malicious IP addresses
[Diagram: three successive, regularly updated blacklists]
Blacklist 1: Malicious IP 1, Malicious IP 2, Malicious IP 3
Blacklist 2: Malicious IP 1, Malicious IP 2, Malicious IP 3, Malicious IP 4
Blacklist 3: Malicious IP 1, Malicious domain 2, Malicious domain 3, Malicious IP 4, Malicious IP 5
Malicious IP 1 persists across all three updates; the other entries come and go.
7. Lifetime Distribution Dependent on the Type of
Attacks
Long life -> downloader; disposable -> botnet, DGA and so on
The behavior of indicators corresponds to their behavior on the DNS
8. Threat Intelligence: Snapshots of Cyber Attacks
[Timeline diagram, July to September 2018]
APT α uses domains α-1, α-2 and α-3; blacklists α_July and α_August are snapshots of those three domains. In August the adversary stops using domain α-3.
Botnet β uses domain β-1, mapped to a set of A records; blacklist β_July records that set. By August, β-1 has one A record with a long lifetime and several disposable A records; blacklist β_August records the new set.
Adversaries map malicious domain names to sets of A records that change over time.
Attack infrastructure depends completely on the adversaries -> what does threat intelligence capture?
9. Black-Box: the Process of Malicious Domain
Detection
[Diagram: an example decision-tree model over Domain 1 to Domain 4, asking "Does some malware communicate with it?", "Is it in white lists?", "Is it in black lists?" and "Does it show malicious behavior on the DNS?", each branch ending in Benign or Malicious]
Features used by EXPOSURE [Bilge, Leyla, et al., 2011]:
• Short life
• Short TTL
• Number of distinct IP addresses
• Number of domains sharing the IP
• And so on
10. Motivation: Toward Explainable Indicators
The behavior of a malicious domain: long-lived, short-lived, changeable, and so on
Goal: restore the behavior of malicious domains (Domain 1 to Domain 4) and improve the quality of blacklists through prioritization
① Fast-Flux -> Tracking
② Short-term activities -> Update threat information
③ Stable operation -> Normal operation
④ Domain name termination -> Follow-up
11. Threat Intelligence We Treat with
Lists of malicious domain names
Text format
CSV format
STIX format
STIX: Structured Threat Information eXpression
The standard format for exchanging CTI in a structured way
XML format (1.x), JSON format (2.x)
12. Verification Items (Hypothesis)
The behavior of known malicious domain names:
If adversaries use the DNS, they leave footprints on the DNS.
The types of footprints (the behavior of the malicious domain names) can be classified.
There may be clues that let us predict the future behavior of the malicious domain names.
13. Case Studies (1/2)
[Pipeline diagram]
VirusTotal (type: pe, positives: 6+, sources: 5+, first seen: 21st to 22nd May 2018) -> collect 400 samples -> run in sandbox (cuckoo) -> detect 108 domains -> filter with white list -> 43 malicious domains
Verify the malicious domain names that new malware samples communicate with
14. Case Studies (2/2)
[Timeline diagram, July to September 2018: active periods of malicious domains A, B and C around the sharing date 8/x]
Verify malicious domain names before and after CTI regarding the APT is shared
Three outcomes: continuous use, termination after sharing, termination before sharing
15. Conclusion
Malicious domain names can be classified based on their history on the DNS
Lifetime: long life or short life
Freshness: fresh or shabby
The behavior of malicious domain names depends on the activities of adversaries.
Confirmed with threat information shared recently
16. Content
Overview of indicator diagnosis system
What do we diagnose about known malicious domain names?
Static threat analysis: Passive DNS
Dynamic threat analysis: Active DNS
The Fusion of Active and Passive DNS
Case Studies
1. Diagnoses regarding malicious domain names which malware samples
communicate with
2. Diagnoses regarding malicious domain names from CTI related with APT
3. Discussion: Limitations of the Diagnosis System
Conclusion
17. What Do We Diagnose about Known Malicious Domain Names? (1/2)
[Diagram: a known malicious domain xxx.xxx.com enters the Indicator Diagnosis System, which answers three questions]
Status? Active or Inactive
How long? (Lifetime) Long life or Short life
When? (Freshness) Fresh or Shabby
18. What Do We Diagnose about Known Malicious Domain Names? (2/2)
[Diagram: time axis from past to present; each bar is the period during which an A record for the domain is observed]
Long life (active): first seen long ago, observed up to the present
Fresh (active): first seen recently
Short life (inactive): short active time, no longer observed
Shabby (active): first seen in old days
Lifetime: the period during which the relation between a domain name and a set of IP addresses can be observed on the DNS
Freshness: the timing of that relation's first seen
19. Approach: Dynamic/Static DNS Forensics
[Diagram: a blacklist (CTI) supplies xxx.xxx.com; a query to the DNS server returns "xxx.xxx.com IN A a.a.a.a"; passive DNS covers the past, the query gives the present, and both feed a prediction of the future]
Dynamic: Active DNS -> the present status?
Static: Passive DNS -> the history?
Footprint-based queries -> the future behavior?
A verification of the behavior of known malicious domain names on the DNS
20. Domain Name System (DNS)
[Diagram: Root DNS server -> TLD (top level domain) servers (.jp, .com, .org, .net) -> authoritative DNS servers 1 and 2]
21. The Flow of Name Resolution on the DNS
[Diagram: a user asks the caching DNS server "fujitsu.com?"; the caching server asks the root DNS server, which refers it to the .com DNS server, which refers it to the fujitsu.com DNS server (authoritative); that server answers 80.70.173.142, and the caching server returns 80.70.173.142 to the user]
23. Overview of Active DNS and Passive DNS
Active DNS: Thales [Kountouras, Athanasios et al., 2016]: actively query DNS servers and collect the data
Passive DNS: passive DNS replication [Weimer, Florian, 2005]: capture and collect DNS response packets
[Diagram: the resolution path from the user through the caching DNS server to the root, .com and fujitsu.com (authoritative) servers, with a passive DNS sensor observing the caching server's traffic to the authoritative servers]
24. The Fusion of Active and Passive DNS
[Diagram: a passive DNS sensor at the caching DNS server feeds the Passive DNS Analyzer; a blacklist supplies the seeds]
The first point: seeds are known malicious domain names (from the blacklist)
The second point: the present status (active query through the caching DNS server)
The third point: the history on the DNS (passive DNS)
25. The Fusion of Active and Passive DNS Provide
Valuable Synergy
Blacklists -> seeds (known malicious)
Active DNS -> the present status on the DNS
Passive DNS -> the history on the DNS
27. Citation: Data Source
Passive DNS
DNSDB
Farsight Security
https://www.dnsdb.info/
Active DNS (public caching DNS)
Google: Google Public DNS (8.8.8.8)
Cloudflare: public DNS resolver (1.1.1.1)
Malware samples
VirusTotal
https://www.virustotal.com/ja/
Cyber Threat Intelligence (CTI)
Open Threat Exchange
AlienVault
https://www.alienvault.com/open-threat-exchange
28. 1. Diagnoses regarding Malicious Domain Names Which Malware Samples Communicate with
Assumed situation
Analyze new malware samples
The malware samples communicate with suspicious domain names in a sandbox
The purpose of the case study
1. Verify the behavior of known malicious domain names
2. Verify footprints on the DNS
29. Malicious Domain Names Which Malware Samples Communicate with
[Pipeline diagram]
VirusTotal (type: pe, positives: 6+, sources: 5+, first seen: 21st to 22nd May 2018) -> collect 400 samples -> run in sandbox (cuckoo) -> detect 108 domains -> filter with white list -> 43 malicious domains
30. Identification of Benign Domain Names Based on a White List
Normal services
ex. whatismyaddress.com, digicert.com and so on
The domain administrators have no connection with the malware developers even if the domain name itself is used maliciously
Anti-sandbox checks
ex. update.microsoft.com, www.yahoo.com and so on
Communication with C2 over a public channel
ex. twitter.com
31. 1. Diagnoses regarding Malicious Domain Names
Which Malware Sample Communicate with
[Diagram: passive DNS sensor at the caching DNS server, Passive DNS Analyzer, and the malicious domains collected 5/21 - 5/22]
1. Trial and error (5/28)
32. Trial and Error:Active DNS
You can easily get results once you install the dig command
33. Single A Record
dig Command Example (a Part of the Output)
;; QUESTION SECTION:
;auth-rambler.com. IN A
;; ANSWER SECTION:
auth-rambler.com. 599 IN A 185.212.128.37
Single A record
34. The Results regarding Single A Record Based on
Active DNS
Domain name (URL) | A record
codelux2017.ddns[.]net | 187.115.234[.]242
skypeprocesshost.ddns.com[.]br | 177.98.32[.]236
auth-rambler[.]com | 185.212.128[.]37
bb[.]org | 103.224.182[.]249
diaoge2010.tl-ip[.]net | 121.41.39[.]145
lhy3944335.meibu[.]com | 120.210.205[.]20
m3.vzv[.]me | 35.229.81[.]255
numbers.3322[.]org | 183.236.2[.]18
ukvlqwtmdlcmigp.floattenmidget[.]ru | 46.101.50[.]21
vopspyder[.]website | 185.6.242[.]251
www.51wgl[.]com | 47.104.163[.]38
xmr.f2pool[.]com | 116.211.169[.]162
kiss.oatmealscene[.]loan | 54.88.21[.]193
ma.owwwv[.]com | 43.229.113[.]12
stiekehelp.gameassists.co[.]uk | 78.24.213[.]153
tv.yaerwal[.]com | 199.2.137[.]29
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff[.]com | 72.5.65[.]99
zinfandel.lacita[.]com | 98.124.199[.]28
jlarga1b2c3d4.ddns[.]net | 0.0.0[.]0
Colored cells in the original slide mark A records that changed between observations.
35. Multiple A Records
dig Command Example (a Part of the Output)
;; QUESTION SECTION:
;ic-dc.deliverydlcenter.com. IN A
;; ANSWER SECTION:
ic-dc.deliverydlcenter.com. 59 IN A 13.33.4.6
ic-dc.deliverydlcenter.com. 59 IN A 13.33.4.170
ic-dc.deliverydlcenter.com. 59 IN A 13.33.4.142
ic-dc.deliverydlcenter.com. 59 IN A 13.33.4.29
Multiple A records
36. The Results regarding Multiple A Records Based on
Active DNS
Domain name (URL) | A records
imp.searchjff[.]com | 52.200.52[.]112, 52.202.163[.]199
search.searchjff[.]com | 50.19.242[.]110, 174.129.43[.]57
bounce2.pobox[.]com | 64.147.108[.]74, 64.147.108[.]75
ic-dc.deliverydlcenter[.]com | 13.33.4[.]170, 13.33.4[.]142, 13.33.4[.]6, 13.33.4[.]29
imp.yourpackagesnow[.]com | 52.1.198[.]247, 52.4.240[.]94
ns1.wowservers[.]ru, ns2.wowservers[.]ru | 221.120.220[.]72, 81.4.163[.]122, 190.35.242[.]126, 197.254.118[.]42
trialcet[.]com | 104.31.91[.]83, 104.31.90[.]83
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com | 104.17.40[.]137, 104.17.39[.]137, 104.17.38[.]137, 104.17.37[.]137, 104.17.41[.]137
www.laichiji123[.]com | 104.24.96[.]136, 104.24.97[.]136
www.shangizhiyan[.]com | 104.28.2[.]77, 104.28.3[.]77
Colored cells in the original slide mark A records that changed between observations.
37. CNAME
dig Command Example (a Part of the Output)
;; QUESTION SECTION:
;lulukan.qyhxhnt.com. IN A
;; ANSWER SECTION:
lulukan.qyhxhnt.com. 599 IN CNAME lulukan.qyhxhnt.com.a.bdydns.com.
lulukan.qyhxhnt.com.a.bdydns.com. 119 IN CNAME opencdncloud.jomodns.com.
opencdncloud.jomodns.com. 59 IN A 101.69.175.35
Multiple CNAMEs (a CNAME chain)
38. The Results regarding CNAME Based on Active DNS
Domain name (URL) | CNAME | A record
lulukan.qyhxhnt[.]com | lulukan.qyhxhnt.com.a.bdydns[.]com -> opencdncloud.jomodns[.]com | 101.69.175[.]35
rjb.qyhxhnt[.]com | rjb.qyhxhnt.com.a.bdydns[.]com -> opencdncloud.jomodns[.]com | 101.69.175[.]35
tongbu.erhaojie[.]com | tongbu.erhaojie.com.a.bdydns[.]com -> opencdncloud.jomodns[.]com | 101.69.175[.]35
mininews.kpzip[.]com | mininews.kpzip.com.cdn.dnsv1[.]com -> 897194.s2.cdntip[.]com | flux type (changing set)
pc.mainmarketingswarm[.]com | swarm.wizzcloud[.]io | 149.202.91[.]53, 149.202.76[.]117
vip2.gutou[.]cc | y.gutousoft[.]com | 120.24.75[.]226
won.channeltest[.]bid | d1g1b9l7554igi.cloudfront[.]net | 13.33.4[.]214, 13.33.4[.]184, 13.33.4[.]47, 13.33.4[.]44
vtboss.yolox[.]net | 22283.bodis[.]com | 199.59.242[.]150
Colored cells in the original slide mark A records that changed between observations.
39. No Answer
dig Command Example (a Part of the Output)
;; QUESTION SECTION:
;carder.bit. IN A
(No ANSWER SECTION)
40. No Answer
Domain name (URL) | A record
carder[.]bit | No answer
jss365sv.cat[.]jp | No answer
ransomware[.]bit | No answer
www.wap95516.com[.]cn | No answer
www4.cedesunjerinkas[.]com | No answer
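The four answer shapes on slides 33 to 40 (single A record, multiple A records, CNAME chain, no answer) can be recognised automatically from what dig prints. The script below is an added example, not the authors' system: it parses dig output, classifies the answer, and compares two observations for the "A record change" item of slide 42. The embedded dig outputs are constructed from the records shown on the slides; `run_dig` is the only part that needs the dig binary and network access, and it is not exercised by the offline samples.

```python
"""Classify a domain's active-DNS answer into the four shapes on the slides.

Added example, not the authors' code. Sample dig outputs are constructed
from the records shown on the slides; `run_dig` is the only network call.
"""
import subprocess
from collections import namedtuple

RR = namedtuple("RR", "name ttl rtype rdata")

# Constructed from slide 33 (single A record); dig separates fields with tabs.
SAMPLE_SINGLE = """\
;; QUESTION SECTION:
;auth-rambler.com.\t\tIN\tA

;; ANSWER SECTION:
auth-rambler.com.\t599\tIN\tA\t185.212.128.37
"""

# Constructed from slide 35 (multiple A records with a short TTL).
SAMPLE_MULTI = """\
;; QUESTION SECTION:
;ic-dc.deliverydlcenter.com. IN A

;; ANSWER SECTION:
ic-dc.deliverydlcenter.com. 59 IN A 13.33.4.6
ic-dc.deliverydlcenter.com. 59 IN A 13.33.4.170
ic-dc.deliverydlcenter.com. 59 IN A 13.33.4.142
ic-dc.deliverydlcenter.com. 59 IN A 13.33.4.29
"""

# Constructed from slide 37 (CNAME chain ending in one A record).
SAMPLE_CNAME = """\
;; QUESTION SECTION:
;lulukan.qyhxhnt.com. IN A

;; ANSWER SECTION:
lulukan.qyhxhnt.com. 599 IN CNAME lulukan.qyhxhnt.com.a.bdydns.com.
lulukan.qyhxhnt.com.a.bdydns.com. 119 IN CNAME opencdncloud.jomodns.com.
opencdncloud.jomodns.com. 59 IN A 101.69.175.35
"""

# Constructed from slide 39 (no answer). dig then prints an AUTHORITY SECTION
# with an SOA record, which must not be mistaken for an answer.
SAMPLE_NONE = """\
;; QUESTION SECTION:
;carder.bit. IN A

;; AUTHORITY SECTION:
. 86399 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018100900 1800 900 604800 86400
"""


def parse_dig(text):
    """Return the records of dig's ANSWER SECTION as RR tuples.

    dig prints one record per line: name TTL class type rdata. Lines that
    start with ';' are comments or section headers. With `+noall +answer`
    there are no headers at all, so data lines seen before any header are
    taken as answers too.
    """
    records = []
    in_answer = None            # None: no section header seen yet
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False   # QUESTION, AUTHORITY, ADDITIONAL, ... end the answer
            continue
        if not line or line.startswith(";") or in_answer is False:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype = parts[:4]
        rdata = " ".join(parts[4:])
        records.append(RR(name.rstrip("."), int(ttl), rtype, rdata.rstrip(".")))
    return records


def classify(records):
    """Map an answer to one of: single_a, multiple_a, cname, no_answer."""
    a_records = [r.rdata for r in records if r.rtype == "A"]
    chain = [r.rdata for r in records if r.rtype == "CNAME"]
    ttl = min((r.ttl for r in records), default=None)
    if chain:
        shape = "cname"
    elif len(a_records) > 1:
        shape = "multiple_a"
    elif len(a_records) == 1:
        shape = "single_a"
    else:
        shape = "no_answer"
    return shape, {"a": a_records, "chain": chain, "min_ttl": ttl}


def diagnose_active(then_records, now_records):
    """Slide 42 items: activity status from the current answer, and whether the
    A records changed between two observations (the slides used 5/28 and 10/9)."""
    then_a = set(classify(then_records)[1]["a"])
    now_a = set(classify(now_records)[1]["a"])
    status = "Active" if now_a else "Inactive"
    change = "Changeable" if then_a != now_a else "No change"
    return status, change


def run_dig(domain, resolver="8.8.8.8", timeout=5):
    """Query a public caching resolver (slide 27 uses 8.8.8.8 and 1.1.1.1).
    Needs the dig binary and network access; not used by the offline samples."""
    cmd = ["dig", "@" + resolver, domain, "A", "+time=%d" % timeout, "+tries=1"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_dig(out.stdout)


if __name__ == "__main__":
    for sample in (SAMPLE_SINGLE, SAMPLE_MULTI, SAMPLE_CNAME, SAMPLE_NONE):
        print(classify(parse_dig(sample)))
    print(diagnose_active(parse_dig(SAMPLE_SINGLE), parse_dig(SAMPLE_NONE)))
```

A run against a caching resolver that blocks the domain (slide 62) looks exactly like termination to this parser: both give "no_answer". Querying a second, independent resolver, or the authoritative server directly, is the only way to tell the two apart.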
41. 1. Diagnoses regarding Malicious Domain Names
Which Malware Sample Communicate with
[Diagram: same pipeline as slide 31, malicious domains collected 5/21 - 5/22]
1. Trial and error (5/28)
2. Verification (10/9)
42. Diagnostic Item Related with Active DNS
Diagnostic item | Diagnostic result
Activity status | Active / Inactive
A record change | Changeable / No change
43. Diagnostic Item Related with Passive DNS
Diagnostic item | Diagnostic result
Type | Multiple IP / Multiple domain / 1 domain - 1 IP
Lifetime | Short life / Long life
Freshness | Fresh / Stable operation / Shabby
44. Verify Malicious Domain Names Which New Malware Samples Communicate with
How do the known malicious domain names behave?
[Diagram: as on slide 18, a time axis from past to present with the four patterns long life (active), fresh (active), short life (inactive) and shabby (active); lifetime is the length of a bar, freshness its first-seen point]
45. Diagnosis of Known Malicious Domain Based
on Indicator Diagnosis System
[Chart: diagnosis results for the 43 malicious domains; legend: single A record, multiple A records, CNAME, no answer]
46. Diagnostic Item: Freshness
When is the earliest first-seen among the set of A records related to the input malicious domain?
[Diagram, time axis 2010 to 2018: Shabby (first seen around 2010), Stable operation (around 2016), Fresh (2018)]
47. Diagnostic Item: Lifetime
How long is the most recently observed A record seen, from first seen to last seen?
Long lifetime: over three years
Short lifetime: dozens of days
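Slides 43, 46 and 47 define type, freshness and lifetime as questions over the passive DNS records of a domain. Below is an added example, not the authors' analyzer, that answers them from DNSDB-style records (rrname, rrtype, rdata, time_first, time_last). The thresholds FRESH_DAYS, SHABBY_DAYS and LONG_LIFE_DAYS are assumptions chosen to match the slides' "dozens of days" versus "over three years"; the records and the verification date 2018-10-09 are constructed.

```python
"""Passive-DNS diagnostic items of slide 43: type, lifetime, freshness.

Added example, not the authors' analyzer. Records mimic the DNSDB fields
(rrname, rrtype, rdata, time_first, time_last); the thresholds below are
assumptions, and the records and the verification date are constructed.
"""
from collections import namedtuple
from datetime import date

PdnsRecord = namedtuple("PdnsRecord", "rrname rrtype rdata time_first time_last")

FRESH_DAYS = 90            # assumed: first seen within 90 days -> Fresh
SHABBY_DAYS = 3 * 365      # assumed: first seen more than three years ago -> Shabby
LONG_LIFE_DAYS = 365       # assumed: a record observed for a year or more -> Long life

TODAY = date(2018, 10, 9)  # the verification date on slide 41

# Constructed records; 198.51.100.0/24 is a documentation prefix.
SAMPLE = [
    PdnsRecord("longlife.example", "A", "198.51.100.10", date(2016, 6, 1), date(2018, 10, 8)),
    PdnsRecord("fresh.example", "A", "198.51.100.20", date(2018, 9, 20), date(2018, 10, 5)),
    PdnsRecord("shared.example", "A", "198.51.100.20", date(2018, 8, 1), date(2018, 10, 1)),
    PdnsRecord("shabby.example", "A", "198.51.100.30", date(2012, 6, 1), date(2014, 2, 1)),
    PdnsRecord("shabby.example", "A", "198.51.100.31", date(2018, 9, 1), date(2018, 10, 7)),
]


def a_records(records, domain):
    """The A records observed for one domain name."""
    return [r for r in records if r.rrname == domain and r.rrtype == "A"]


def record_type(records, domain):
    """Slide 43 'Type': does the domain use several IPs, does it share its IP
    with other domains, or is it a plain 1 domain - 1 IP mapping?"""
    ips = {r.rdata for r in a_records(records, domain)}
    if not ips:
        return None
    if len(ips) > 1:
        return "Multiple IP"
    sharers = {r.rrname for r in records
               if r.rrtype == "A" and r.rdata in ips and r.rrname != domain}
    return "Multiple domain" if sharers else "1 domain - 1 IP"


def freshness(records, domain, today=TODAY):
    """Slide 46: when was the earliest first-seen among the domain's A records?"""
    recs = a_records(records, domain)
    if not recs:
        return None
    age = (today - min(r.time_first for r in recs)).days
    if age <= FRESH_DAYS:
        return "Fresh"
    if age > SHABBY_DAYS:
        return "Shabby"
    return "Stable operation"


def lifetime(records, domain):
    """Slide 47: how long was the most recently observed A record seen,
    from its first-seen to its last-seen? Returns (label, days)."""
    recs = a_records(records, domain)
    if not recs:
        return None, 0
    latest = max(recs, key=lambda r: r.time_last)
    days = (latest.time_last - latest.time_first).days
    return ("Long life" if days >= LONG_LIFE_DAYS else "Short life"), days


def diagnose_passive(records, domain, today=TODAY):
    """All passive-DNS diagnostic items of slide 43 for one domain."""
    label, days = lifetime(records, domain)
    return {
        "type": record_type(records, domain),
        "lifetime": label,
        "lifetime_days": days,
        "freshness": freshness(records, domain, today),
    }


if __name__ == "__main__":
    for name in ("longlife.example", "fresh.example", "shabby.example"):
        print(name, diagnose_passive(SAMPLE, name))
```

Note that freshness looks at the oldest A record while lifetime looks at the newest one, which is what lets shabby.example come out as "Shabby" and "Short life" at the same time: an old domain that has just been revived on a new address, the "new activities" pattern of slide 48.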
48. The Difference between Lifetime and Freshness
[Chart, 2012 to 2018, one row per domain: m3.vzv[.]me, tv.yaerwal[.]com, diaoge2010.tl-ip[.]net, lhy3944335.meibu[.]com, numbers.3322[.]org; each row marks the lifetime of its A records as bars and the freshness as the first-seen point; new activities appear as a fresh bar long after an old lifetime ended]
50. 2. Diagnoses regarding Malicious Domain Names
from CTI Related with APT
Assumed situation
Analyze some APT
Get cyber threat intelligence from open source
The purpose of case studies
Verify the behavior of malicious domain names before and after sharing
Target APT
PseudoGate
Dark Hotel
CTI: Cyber Threat Intelligence
51. 2. Diagnoses regarding Malicious Domain Names
from CTI Related with APT
[Timeline diagram, July to September 2018: active periods of malicious domains A, B and C around the sharing date 8/x]
Verify malicious domain names before and after CTI regarding the APT is shared
Three outcomes: continuous use, termination after sharing, termination before sharing
55. Expiration Prediction
An analysis of the domains related with 31.31.196[.]78
Survival: 61% (1237/2016)
Disposable: 23% (470/2016)
The survival ratio is relatively high -> long life prediction
cna8a9[.]space (8/2 - )
56. Expiration Prediction
An analysis of the domains related with 31.31.196[.]163
Survival: 7% (920/13401)
Disposable: 77% (10328/13401)
The disposable ratio is high -> short life prediction
fritsy83[.]website (7/15 - 7/27)
oo00mika84[.]website (7/17 - 8/15)
60. Expiration Prediction
An analysis of the domains related with 54.72.130[.]67
Survival: 5% (32662/629744)
Disposable: 62% (391692/629744)
The disposable ratio is high -> short life prediction
windows-updater[.]net (8/1 - 9/10)
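Slides 55, 56 and 60 predict expiration from the other domains that share an IP address with the indicator: the ratio of surviving to disposable domains among them. The added example below, not the authors' system, computes that ratio from passive DNS records keyed by IP. The slides do not state how "survival" and "disposable" are decided, so the rules here are assumptions: a domain survives if it is still observed on the IP within RECENT_DAYS of the analysis date, is disposable if it lived at most DISPOSABLE_DAYS and is no longer observed, and is otherwise left uncounted (which is also why the slides' percentages do not sum to 100). The records and the analysis date are constructed.

```python
"""Expiration prediction from the domains related to an IP address (slides 55-60).

Added example, not the authors' code. The survival/disposable rules are
assumptions; the records and the analysis date are constructed.
"""
from collections import Counter, namedtuple
from datetime import date

PdnsRecord = namedtuple("PdnsRecord", "rrname rrtype rdata time_first time_last")

RECENT_DAYS = 30       # assumed: still seen on the IP in the last 30 days -> survival
DISPOSABLE_DAYS = 30   # assumed: gone, and lived at most 30 days -> disposable

TODAY = date(2018, 10, 9)

# Constructed records for two hosting IPs (203.0.113.0/24 is a documentation prefix).
SAMPLE = [
    # 203.0.113.5: mostly long-lived or still active domains
    PdnsRecord("a.example", "A", "203.0.113.5", date(2018, 7, 1), date(2018, 10, 8)),
    PdnsRecord("b.example", "A", "203.0.113.5", date(2018, 8, 2), date(2018, 10, 9)),
    PdnsRecord("c.example", "A", "203.0.113.5", date(2018, 7, 15), date(2018, 7, 27)),
    PdnsRecord("d.example", "A", "203.0.113.5", date(2017, 1, 1), date(2018, 5, 1)),
    PdnsRecord("e.example", "A", "203.0.113.5", date(2018, 9, 30), date(2018, 10, 2)),
    # 203.0.113.9: churn of throw-away domains
    PdnsRecord("f.example", "A", "203.0.113.9", date(2018, 7, 17), date(2018, 8, 15)),
    PdnsRecord("g.example", "A", "203.0.113.9", date(2018, 7, 20), date(2018, 7, 22)),
    PdnsRecord("h.example", "A", "203.0.113.9", date(2018, 8, 3), date(2018, 8, 20)),
    PdnsRecord("i.example", "A", "203.0.113.9", date(2018, 8, 25), date(2018, 9, 1)),
    PdnsRecord("j.example", "A", "203.0.113.9", date(2018, 8, 1), date(2018, 10, 7)),
]


def related_domains(records, ip):
    """Every domain observed pointing at `ip`, with its overall first/last seen
    on that IP (a domain may have several records for the same IP)."""
    seen = {}
    for r in records:
        if r.rrtype != "A" or r.rdata != ip:
            continue
        first, last = seen.get(r.rrname, (r.time_first, r.time_last))
        seen[r.rrname] = (min(first, r.time_first), max(last, r.time_last))
    return seen


def classify_domain(first, last, today=TODAY):
    """Assumed rules: 'survival', 'disposable' or 'other'."""
    if (today - last).days <= RECENT_DAYS:
        return "survival"
    if (last - first).days <= DISPOSABLE_DAYS:
        return "disposable"
    return "other"


def predict_expiration(records, ip, today=TODAY):
    """Ratio of surviving to disposable domains on the IP, and the resulting
    prediction for a new domain found on it (slide 55 vs. slides 56 and 60)."""
    domains = related_domains(records, ip)
    total = len(domains)
    if total == 0:
        return None
    counts = Counter(classify_domain(f, l, today) for f, l in domains.values())
    survival = counts["survival"] / total
    disposable = counts["disposable"] / total
    return {
        "total": total,
        "survival": counts["survival"],
        "disposable": counts["disposable"],
        "survival_ratio": round(survival, 2),
        "disposable_ratio": round(disposable, 2),
        "prediction": "long life" if survival > disposable else "short life",
    }


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.9"):
        print(ip, predict_expiration(SAMPLE, ip))
```

On shared hosting or a CDN edge the "related domains" of an IP are mostly unrelated tenants, so the ratio says more about the hoster's customer churn than about the adversary; the whitelist of slide 30 should be applied to the related domains before counting.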
62. DNS Blocking by a Caching DNS Server
A case where the caching DNS server returns resource records with no A record after we query it
Either the domain has been terminated or the caching DNS server is blocking it
[Diagram: the caching DNS server refers to the same blacklists we use and returns no A record]
63. Concealment of the Actually Operated Domain by CNAME
MAL_HIFRM
[Diagram: the front domain names lulukan.qyhxhnt[.]com, rjb.qyhxhnt[.]com and tongbu.erhaojie[.]com each CNAME to their own <name>.a.bdydns[.]com record, which in turn CNAMEs to opencdncloud.jomodns[.]com, the domain actually operated]
64. Dormant and Changeover
Dormant: a period during which the domain maps to no A record on the DNS, although it has A records before and after the period
Changeover: A records observed over years are replaced by other A records
[Chart, 2012 to 2018, rows for tv.yaerwal[.]com, diaoge2010.tl-ip[.]net, lhy3944335.meibu[.]com and numbers.3322[.]org; dormant periods are marked on the rows, and one changeover]
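Slide 64 defines dormant periods and changeovers but does not say how they are detected. The added example below, not the authors' code, builds a timeline of which IP addresses are active on each day from the passive DNS records of a domain, reports gaps of at least MIN_DORMANT_DAYS (an assumed threshold) with records on both sides as dormant, and reports a changeover wherever the set of active IPs is completely replaced by a different set, looking across dormant gaps. A gradual migration in which old and new addresses overlap for a while is not reported as a changeover. The records are constructed.

```python
"""Dormant periods and changeovers in a domain's A-record history (slide 64).

Added example, not the authors' code. MIN_DORMANT_DAYS is an assumption;
the records are constructed.
"""
from collections import namedtuple
from datetime import date, timedelta

PdnsRecord = namedtuple("PdnsRecord", "rrname rrtype rdata time_first time_last")

MIN_DORMANT_DAYS = 30   # assumed: shorter gaps are treated as sensor noise
ONE_DAY = timedelta(days=1)

# Constructed history of one domain (203.0.113.0/24 is a documentation prefix):
# one IP for years, a short blip, a long gap, the same IP again, then a new IP.
SAMPLE = [
    PdnsRecord("tv.example", "A", "203.0.113.1", date(2013, 1, 10), date(2014, 6, 30)),
    PdnsRecord("tv.example", "A", "203.0.113.1", date(2014, 7, 5), date(2014, 7, 20)),
    PdnsRecord("tv.example", "A", "203.0.113.1", date(2016, 2, 1), date(2017, 3, 15)),
    PdnsRecord("tv.example", "A", "203.0.113.2", date(2017, 3, 16), date(2018, 10, 1)),
]


def timeline(records):
    """Split time at every first-seen and (last-seen + 1 day) boundary and
    return [(start, end, active_ips)] with `end` exclusive. Because every
    boundary is a split point, each record either covers a whole segment or
    none of it."""
    a = [r for r in records if r.rrtype == "A"]
    points = sorted({r.time_first for r in a} | {r.time_last + ONE_DAY for r in a})
    segments = []
    for start, end in zip(points, points[1:]):
        active = frozenset(r.rdata for r in a
                           if r.time_first <= start and r.time_last + ONE_DAY >= end)
        segments.append((start, end, active))
    return segments


def dormant_periods(records, min_days=MIN_DORMANT_DAYS):
    """Periods with no A record at all, long enough to count, with A records
    observed both before and after (slide 64's definition). Dates inclusive."""
    segments = timeline(records)
    out = []
    for i, (start, end, active) in enumerate(segments):
        if active or (end - start).days < min_days:
            continue
        before = any(s[2] for s in segments[:i])
        after = any(s[2] for s in segments[i + 1:])
        if before and after:
            out.append((start, end - ONE_DAY))
    return out


def changeovers(records):
    """Moments at which the active IP set is replaced by a disjoint set,
    looking across dormant gaps. Returns [(date, old_ips, new_ips)]."""
    active_segments = [s for s in timeline(records) if s[2]]
    out = []
    for (_, _, old), (start, _, new) in zip(active_segments, active_segments[1:]):
        if old.isdisjoint(new):
            out.append((start, sorted(old), sorted(new)))
    return out


if __name__ == "__main__":
    print("dormant:", dormant_periods(SAMPLE))
    print("changeover:", changeovers(SAMPLE))
```

The four-day gap in July 2014 is below the threshold and is ignored; the 2014 to 2016 gap is reported as dormant but not as a changeover, because the same address comes back afterwards; the switch in March 2017 is a changeover without any dormancy.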
66. Verification Results
If adversaries use the DNS, they leave footprints on the DNS.
In some cases footprints exist on the DNS; in other cases there are none.
The types of footprints (the behavior of the malicious domain names) can be classified.
Lifetime: long life and short life
Freshness: fresh and shabby
There may be clues that let us predict the future behavior of the malicious domain names.
Expiration prediction
67. Diagnostic Results and Opinions
Opinion | Diagnostic result | Comment
Termination | Inactive | The indicator has expired; we strongly recommend exploring the next threat information
New activities | Active, fresh | This malicious domain was observed recently; it is worth monitoring its activities
Stable operation | Active, no change, stable operation or shabby | Continue to operate blacklists normally
Short-term activities | Short life | The malicious domain may expire; we recommend updating blacklists
Surveillance | Active, changeable, multiple IP | We suspect the malicious domain is related to fast-flux; check blacklists for fast-flux and whitelists for legitimate CDNs
68. Conclusion
Take inventory of received blacklists
A simple dig command (active DNS) lets you confirm whether the input domain names are still alive on the DNS
Take the appropriate response according to the behavior of the malicious domain name
The history of domain names from passive DNS tells you how the known malicious domain names behave
69. Citation
Passive DNS
Weimer, Florian. "Passive DNS replication." FIRST Conference on Computer Security Incident Handling, 2005.
Bilge, Leyla, et al. "EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis." NDSS, 2011.
Active DNS
Kountouras, Athanasios, et al. "Enabling network security through active DNS datasets." International Symposium on Research in Attacks, Intrusions, and Defenses (RAID). Springer, Cham, 2016.
van Rijswijk-Deij, Roland, et al. "A High-Performance, Scalable Infrastructure for Large-Scale Active DNS Measurements." IEEE Journal on Selected Areas in Communications 34.6 (2016): 1877-1888.
Contrast set mining
Bay, Stephen D., and Michael J. Pazzani. "Detecting group differences: Mining contrast sets." Data Mining and Knowledge Discovery 5.3 (2001): 213-246.
Dong, Guozhu, and Jinyan Li. "Efficient mining of emerging patterns: Discovering trends and differences." Proceedings of the Fifth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM, 1999.