In the previous post we learned what APT (Advanced Persistent Threat) attacks are and how they work. The interesting part comes when we ask: how can we detect such complex attacks, and is there any way to detect an APT infection?
The answer is yes. Still, detecting an APT attack is a real challenge and requires some advanced study.
Researchers have analysed the APT attacks discovered so far and found that this kind of attack can be detected through malicious DNS analysis and network traffic analysis.
A. Malicious DNS analysis
As explained in the previous post, after the malware infiltrates the system it tries to locate the C&C server through DNS. Attackers prefer this over a hardcoded address for two major reasons:
- if the IP of the C&C server were hardcoded into the malware binary, the address could be extracted from the sample and blocked, and the infected target would fall out of the attacker's control
- to hide the real attack source behind proxies, which can be swapped simply by updating the DNS record.
Researchers have found 11 features that help detect APT command and control domains by analysing DNS data.
1. Domain Name-based Features
The study shows that APT attacks use Dynamic DNS (DDNS) to locate the C&C server, because a DDNS record is updated in real time and the user can change the domain to point to a new IP address at any time. As a quick example, for the domain name “x.y.z.com” the TLD is “com”, the 2LD is “z.com” and the 3LD is “y.z.com”. The DDNS provider owns the 2LD “z.com”, but the 3LD is created by its users.
The study concentrates on these 3LD names. For malware C&C dynamic domains they are built in a telling manner:
1.1 Contain Famous Name:
It is highly suspicious to find “windows”, “taobao” or “yahoo” in a registered dynamic domain name: there is very little chance that such a 3LD belongs to Microsoft, Alibaba or Yahoo, since those companies use their own domains rather than a free DDNS provider. It is like concluding that a long-haired man in a police uniform is a fake policeman.
1.2 Contain Particular Name:
Another method attackers use to create domain names that are easy to remember and look more like normal ones is to use particular words such as “web”, “mail”, “news” or “update”.
They combine these words with famous names, as in “yahoomail.yyy.com”, “yahoonews.zzz.com” or “windowsupdate.xxx.com”, so that the name looks familiar to the user.
1.3 Contain Phishing Name:
Phishing is a method attackers use to gather personal information through malicious emails and websites. To trick the victims into handing over sensitive information such as usernames or passwords, they create domain names that look similar to the legitimate ones, such as “youtuhe.com” instead of “youtube.com” or “yah00.com” instead of “yahoo.com”. The same typo and look-alike character tricks show up in C&C 3LDs.
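As an added example (not part of the original post or of the cited study), the following Python scores a DDNS name on the three domain-name features above: an exact brand name, a brand name combined with a service word, and a look-alike of a brand name. The brand list, the service-word list, the homoglyph table and the scoring weights are my own assumptions, and the sample names are constructed.

```python
"""Domain-name-based features for dynamic DNS (DDNS) names: famous name,
particular name, phishing look-alike. Example code added to this article, not
the cited study's; the word lists and the scoring weights are assumptions."""
from typing import Dict, List

# Assumed brand list; a real deployment would use a far longer one.
FAMOUS_NAMES = ("windows", "microsoft", "yahoo", "google", "taobao", "youtube")
# Words that make a host look like an ordinary service ("web", "mail", ...).
PARTICULAR_WORDS = ("web", "mail", "news", "update", "login", "secure")
# Look-alike substitutions seen in phishing names (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def user_label(fqdn: str, ddns_zone: str) -> str:
    """For 'x.y.z.com' under the provider zone 'z.com' return 'y': the 3LD label the user chose."""
    fqdn, zone = fqdn.lower().rstrip("."), ddns_zone.lower().rstrip(".")
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not under {zone}")
    return fqdn[: -len(zone) - 1].split(".")[-1]


def normalize(label: str) -> str:
    """Undo look-alike substitutions so that 'yah00' compares as 'yahoo'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_features(fqdn: str, ddns_zone: str) -> Dict[str, object]:
    """Return the three name features plus an assumed suspicion score for one DDNS name."""
    label = user_label(fqdn, ddns_zone)
    famous = [n for n in FAMOUS_NAMES if n in label]            # 1.1 famous name
    particular = [w for w in PARTICULAR_WORDS if w in label]    # 1.2 particular name
    phishing: List[str] = []                                    # 1.3 phishing name
    if not famous:  # only look-alikes count here, exact brand use is already covered
        norm = normalize(label)
        for n in FAMOUS_NAMES:
            if n in norm or edit_distance(label, n) == 1 or edit_distance(norm, n) == 1:
                phishing.append(n)
    # Assumed weights: a brand name or look-alike is worth 2, a service word 1.
    # A service word on its own ("mail.xxx.com") is ordinary and not flagged.
    score = 2 * len(famous) + 2 * len(phishing) + len(particular)
    return {"label": label, "famous": famous, "particular": particular,
            "phishing": phishing, "score": score, "suspicious": score >= 2}


if __name__ == "__main__":
    for name in ("yahoomail.yyy.com", "windowsupdate.xxx.com", "youtuhe.zzz.com",
                 "yah00.zzz.com", "mail.xxx.com", "myphotos.xxx.com"):
        print(name, domain_features(name, name.split(".", 1)[1]))
```

Substring matching on brand names is deliberately crude: a long brand list will also catch legitimate hobby hosts, so the score is meant for ranking DDNS names for an analyst, not for blocking on its own.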
2. DNS Answer-Based Features
2.1 Silent IP
Specific IP addresses such as the loopback address 127.0.0.1, private addresses (192.168.y.y, 172.16.y.y up to 172.31.y.y, 10.z.z.z) or a broadcast address (z.z.z.255) are used to hide the C&C server and its traffic when the attackers do not want to send commands to the target. At those times the domain does not need to point to the real C&C server, so they change it to point to one of these addresses instead.
Another APT campaign uses predefined silent IPs hardcoded into the malware binary. These addresses follow an obvious pattern, such as “5.5.5.5” or “2.3.3.2”, and do not correspond to a real C&C host: the malware treats them as a “do nothing” signal.
2.2 Number of Distinct IP Addresses & Number of Distinct Countries
To complicate analysis of the attack and hide the true attack source, attackers use C&C servers in different countries or regions, so a domain that resolves over time to many distinct IPs in many distinct countries is suspicious.
2.3 Number of Domains Sharing the Same IP
For malicious dynamic domains the number of domains sharing the same IP is defined as less than 30, because it is rare for an attacker to own more than 30 dynamic names pointing at the C&C server at the same time; an IP shared by hundreds of domains is more likely a shared hosting server or the DDNS provider’s parking address.
2.4 IP in the Same Class B Range of Known C&C Servers
The study reveals that many APT attackers rent VPS servers as C&C servers because VPS servers are stable, hard to trace back and easy to use. Such servers often fall in the same class B (/16) or class A (/8) IP address range because they are rented from the same service provider, so an IP in the same class B range as a known C&C server is a useful indicator.
3. Time Value-Based Features
3.1 Daily Similarity
Organised APT attackers usually change the domain to point to the C&C server at the beginning of a workday and back to a silent IP at the end of the workday, so the resolution history of the domain shows a daily pattern.
3.2 Very Low Frequency
To avoid detection, the malware queries the domain to locate the C&C server at a very low frequency: once every several days or even several weeks.
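The following Python is an added example, not code from the original post or from the cited study. It computes the answer-based features of section 2 (silent IPs, distinct IPs and countries, domains sharing an IP, the same class B range as a known C&C) and the time-based features of section 3 (daily similarity, very low query frequency) from a resolver query log. The log, the known-C&C address, the working hours, the “obvious pattern” heuristic for silent IPs and the thresholds are constructed assumptions; documentation address ranges stand in for public hosts.

```python
"""DNS answer-based and time-based features for dynamic domains, computed from
a resolver query log. Example code added to this article, not the cited study's;
the log, the known-C&C list and every threshold below are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: (queried domain, answered IP, country of that IP, query time).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# public C&C hosts; 192.0.2.0/24 stands in for an ordinary hosting address.
LOG = [
    ("windowsupdate.xxx.com", "203.0.113.10", "NL", "2015-03-02T09:05:00"),
    ("windowsupdate.xxx.com", "127.0.0.1",    "--", "2015-03-02T18:30:00"),
    ("windowsupdate.xxx.com", "198.51.100.7", "RO", "2015-03-09T09:12:00"),
    ("windowsupdate.xxx.com", "5.5.5.5",      "--", "2015-03-09T19:01:00"),
    ("windowsupdate.xxx.com", "203.0.113.10", "NL", "2015-03-23T10:40:00"),
    ("myphotos.xxx.com",      "192.0.2.44",   "DE", "2015-03-02T08:00:00"),
    ("myphotos.xxx.com",      "192.0.2.44",   "DE", "2015-03-02T12:00:00"),
    ("myphotos.xxx.com",      "192.0.2.44",   "DE", "2015-03-02T20:00:00"),
    ("myphotos.xxx.com",      "192.0.2.44",   "DE", "2015-03-03T08:00:00"),
    ("blog.xxx.com",          "192.0.2.44",   "DE", "2015-03-03T09:00:00"),
]
KNOWN_C2 = {"203.0.113.200"}      # constructed: a previously identified C&C address
SHARED_IP_LIMIT = 30              # from the study: attackers rarely own >30 names per IP
WORK_HOURS = range(9, 18)         # assumed local working hours, 09:00-17:59
SILENT_NETS = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_silent_ip(ip: str) -> bool:
    """Loopback, RFC 1918, an x.x.x.255 broadcast-looking address, or an obviously
    patterned one (5.5.5.5, 2.3.3.2): the malware never really talks to it.
    The 'patterned' test (all octets read the same backwards) is an assumption."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    if any(addr in net for net in SILENT_NETS):
        return True
    octets = ip.split(".")
    return octets[-1] == "255" or octets == octets[::-1]


def near_known_c2(ip: str, known=KNOWN_C2) -> bool:
    """Same class B (/16) as a known C&C server: typical of VPS rented from one provider."""
    block = ipaddress.ip_network(ip + "/16", strict=False)
    return any(ipaddress.ip_address(k) in block for k in known)


def daily_similarity(rows) -> bool:
    """True if the domain points at a real host during working hours and at a
    silent IP outside them; `rows` is a list of (ip, datetime)."""
    work = [not is_silent_ip(ip) for ip, t in rows if t.hour in WORK_HOURS]
    off = [is_silent_ip(ip) for ip, t in rows if t.hour not in WORK_HOURS]
    return bool(work) and bool(off) and all(work) and all(off)


def answer_time_features(domain, log=LOG, known=KNOWN_C2):
    """Features 2.1-2.4 and 3.1-3.2 for one domain, from the whole log."""
    rows = [(ip, cc, datetime.fromisoformat(ts)) for d, ip, cc, ts in log if d == domain]
    sharing = defaultdict(set)            # IP -> every domain seen resolving to it
    for d, ip, _, _ in log:
        sharing[ip].add(d)
    real = [(ip, cc) for ip, cc, _ in rows if not is_silent_ip(ip)]
    times = [t for _, _, t in rows]
    span_days = max(1.0, (max(times) - min(times)).total_seconds() / 86400)
    return {
        "distinct_ips": len({ip for ip, _ in real}),
        "distinct_countries": len({cc for _, cc in real}),
        "silent_ips": sorted({ip for ip, _, _ in rows if is_silent_ip(ip)}),
        "max_domains_sharing_ip": max((len(sharing[ip]) for ip, _ in real), default=0),
        "near_known_c2": any(near_known_c2(ip, known) for ip, _ in real),
        "daily_similarity": daily_similarity([(ip, t) for ip, _, t in rows]),
        "queries_per_day": round(len(rows) / span_days, 2),  # 3.2: the victim's query rate
    }


def c2_indicators(domain, log=LOG, known=KNOWN_C2):
    """Names of the features that point towards a C&C domain (thresholds assumed)."""
    f = answer_time_features(domain, log, known)
    hits = []
    if f["silent_ips"]:
        hits.append("silent_ip")
    if f["distinct_countries"] > 1:
        hits.append("multi_country")
    if 0 < f["max_domains_sharing_ip"] < SHARED_IP_LIMIT:
        hits.append("ip_shared_by_few_domains")
    if f["near_known_c2"]:
        hits.append("near_known_c2")
    if f["daily_similarity"]:
        hits.append("daily_similarity")
    if f["queries_per_day"] < 1:
        hits.append("very_low_frequency")
    return hits


if __name__ == "__main__":
    for d in ("windowsupdate.xxx.com", "myphotos.xxx.com"):
        print(d, answer_time_features(d), c2_indicators(d))
```

Note that “few domains per IP” fires for the harmless photo site as well: on its own that feature only says the IP is not a shared-hosting box, so it should only add weight when other indicators are present.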
4. Active Probing Features
4.1 Web server or not
It is highly suspicious if the domain keeps TCP port 80 open but does not behave like a web server. If it is a web server, this check alone cannot confirm whether it is a command and control server.
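The probe itself, as an added example that is not part of the original post: connect to the port, send a minimal HTTP request and classify the host by whether the answer is HTTP at all. The two local listeners are constructed stand-ins for a probed host (one answers like a web server, the other like a C&C beacon receiver), so the script runs offline.

```python
"""Active probing of a suspected C&C host: is the port open, and does whatever
answers behave like a web server? Example code added to this article; the local
listeners are constructed stand-ins for the probed host, not real C&C servers."""
import socket
import threading


def probe(host: str, port: int = 80, timeout: float = 3.0) -> str:
    """Return 'closed', 'web_server' (answers HTTP) or 'open_not_web' (open, but
    silent or speaking something other than HTTP: the suspicious case)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        try:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            banner = sock.recv(256)
        except OSError:          # reset by peer, or nothing within the timeout
            return "open_not_web"
    return "web_server" if banner.startswith(b"HTTP/") else "open_not_web"


def serve_once(reply: bytes) -> int:
    """Start a throwaway listener on 127.0.0.1 that answers one connection with
    `reply` and exits; returns the chosen port. Stand-in for the probed host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                conn.recv(1024)  # consume the probe's request, content ignored
            except OSError:
                pass
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """A port nothing is listening on, to demonstrate the 'closed' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    web = serve_once(b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n")
    odd = serve_once(b"\x00\x00\x00\x10C2-ACK")     # port open, but not speaking HTTP
    print("web server      :", probe("127.0.0.1", web))
    print("not a web server:", probe("127.0.0.1", odd))
    print("closed          :", probe("127.0.0.1", free_port()))
```

Probe from infrastructure you are happy for the attacker to see: a connection from the victim organisation’s own address range tells them the domain has been noticed.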
4.2 Whois information
Useful information about the domain name can be obtained with the “whois” command. Data such as the registration date, registrar, registrant name, email or country returned by Whois is compared with the same data for previously known malware C&C domains. Registrations made through a privacy proxy expose little of this data, so the feature is not always available.
B. Network traffic analysis
To detect an intrusion inside the network, two methods can be combined for better results:
1. Signature-based detection
This approach identifies malicious C&C communication by matching traffic against a database of known malware signatures. It gives good results but has a big drawback: it cannot detect new, unknown malware. That gap is covered by the second method, anomaly-based detection.
2. Anomaly-based detection
New, unknown malware generates abnormal behaviour that can be caught with this technique. It requires a definition of what is “normal” and what is “abnormal” for the monitored traffic.
The researchers identified four unusual features:
a. Mismatch of protocol and port
Analysing known APT malware traffic, it was found that most of it uses common ports such as 80, 8080, 443, 8000 or 1863 and protocols such as HTTP or HTTPS to communicate with the C&C server. The main reason is to bypass firewalls by tunnelling through the ports they allow.
An “abnormal” behaviour would be, for example, HTTP traffic on a port other than 80 or 8080, or non-HTTP traffic on port 80. Catching this requires identifying the protocol from the payload rather than trusting the port number.
b. Encrypted Data on an Uncommonly Used Port
Most APT malware encrypts its traffic to avoid detection. Encrypted data shows up as payload bytes with high entropy, and if it appears on an uncommonly used port it is quite likely to be malicious.
c. Mismatch of Uplink and Downlink Traffic
An “abnormal” characteristic is larger traffic from the infected target to the C&C server than in the other direction. For example, if the HTTP request traffic is larger than the HTTP response traffic it is highly suspicious.
Normal browsing behaves the other way round: small requests, large responses.
d. Malware Domain Traffic
The purpose of APT malware is to exfiltrate secret information from the victim’s machine, which means that the traffic is large at that specific moment; most of the time the C&C traffic is small and smooth. Monitoring the traffic and finding peaks only at specific points in time is an “abnormal” behaviour and could mean that the attacker stole data from the infected host.
The problem with this type of detection is false positives: sometimes legitimate applications show the same unusual behaviour as malicious ones (a cloud backup client, for instance, also uploads far more than it downloads and does so in bursts).
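As an added example (not code from the original post), the following Python runs the four anomaly features over a handful of flow records: protocol identified from the payload and compared with the port, payload entropy as the sign of encryption, uplink compared with downlink, and per-day outbound volume compared with the baseline of other days. The flows, the “common port” set taken from the list above, the entropy threshold and the peak factor are constructed assumptions.

```python
"""Anomaly features for C&C traffic: protocol/port mismatch, encrypted data on an
uncommon port, uplink larger than downlink, and exfiltration peaks. Example code
added to this article; the flow records are constructed, not captured traffic."""
import math
from collections import Counter, defaultdict
from statistics import median

COMMON_PORTS = {80, 8080, 443, 8000, 1863}   # ports the study saw APT malware use
HTTP_PORTS = {80, 8080, 8000}                # where plain HTTP is expected
CIPHERTEXT = bytes(range(256)) * 4           # stand-in for encrypted data: every byte value equally likely
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"   # start of a TLS ClientHello record

# Constructed flows: (time, src, dst, dst port, first payload bytes, bytes out, bytes in)
FLOWS = [
    ("2015-03-02T09:10:00", "10.1.1.5", "203.0.113.10", 80,   b"GET /news HTTP/1.1\r\nHost: www\r\n\r\n", 700, 52000),
    ("2015-03-02T09:11:00", "10.1.1.5", "203.0.113.10", 443,  TLS_HELLO, 2000, 30000),
    ("2015-03-02T09:15:00", "10.1.1.7", "198.51.100.7", 4444, b"POST /update HTTP/1.1\r\nHost: x\r\n\r\n", 900, 200),
    ("2015-03-02T09:16:00", "10.1.1.7", "198.51.100.7", 80,   CIPHERTEXT, 1024, 2048),
    ("2015-03-02T09:17:00", "10.1.1.7", "198.51.100.7", 5555, CIPHERTEXT, 1500, 128),
    # a second host beaconing once a day, with one day of heavy upload
    ("2015-03-02T10:00:00", "10.1.1.9", "198.51.100.7", 443, TLS_HELLO, 300, 1200),
    ("2015-03-03T10:00:00", "10.1.1.9", "198.51.100.7", 443, TLS_HELLO, 310, 1200),
    ("2015-03-04T10:00:00", "10.1.1.9", "198.51.100.7", 443, TLS_HELLO, 290, 1200),
    ("2015-03-05T10:00:00", "10.1.1.9", "198.51.100.7", 443, TLS_HELLO, 52_000_000, 4000),
    ("2015-03-06T10:00:00", "10.1.1.9", "198.51.100.7", 443, TLS_HELLO, 305, 1200),
]


def app_protocol(payload: bytes) -> str:
    """Identify the application protocol from the payload, not from the port."""
    if payload[:2] == b"\x16\x03":
        return "tls"
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/")):
        return "http"
    return "unknown"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ciphertext sits close to 8, text near 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def flow_anomalies(flow) -> list:
    """Features a, b and c for a single flow; returns the names of those that fire."""
    _, _, _, dport, payload, bytes_out, bytes_in = flow
    proto = app_protocol(payload)
    encrypted = proto == "tls" or entropy(payload) > 7.0      # 7.0 is an assumed threshold
    found = []
    if proto == "http" and dport not in HTTP_PORTS:           # a. protocol/port mismatch
        found.append("http_on_nonstandard_port")
    if proto != "http" and dport in HTTP_PORTS:
        found.append("non_http_on_http_port")
    if encrypted and dport not in COMMON_PORTS:               # b. encrypted on uncommon port
        found.append("encrypted_on_uncommon_port")
    if bytes_out > bytes_in:                                  # c. uplink larger than downlink
        found.append("uplink_exceeds_downlink")
    return found


def exfil_peaks(flows, factor=10):
    """Feature d: per (src, dst) pair, flag days whose outbound volume exceeds
    `factor` times the median of the other observed days (assumed threshold)."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, _, _, bytes_out, _ in flows:
        daily[(src, dst)][ts[:10]] += bytes_out
    peaks = []
    for pair, per_day in daily.items():
        if len(per_day) < 3:                     # need a baseline to compare against
            continue
        for day, vol in per_day.items():
            others = [v for d, v in per_day.items() if d != day]
            if vol > factor * median(others):
                peaks.append((pair, day, vol))
    return sorted(peaks)


if __name__ == "__main__":
    for flow in FLOWS:
        hits = flow_anomalies(flow)
        if hits:
            print(flow[1], "->", f"{flow[2]}:{flow[3]}", hits)
    print("exfiltration peaks:", exfil_peaks(FLOWS))
```

The browsing and TLS flows of 10.1.1.5 produce no findings, while each of the 10.1.1.7 flows trips one of the mismatch or encryption rules and the 10.1.1.9 series is flagged only on the day of the 52 MB upload. In a real deployment the same rules need an allow-list for the backup and sync clients mentioned above.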
In conclusion, traditional cyber security measures alone cannot protect systems against APT attacks. By learning how an APT attack works and how attackers try to bypass defences such as anti-virus software or firewalls, new methods for detection and prevention can be built. The combination of the methods presented in this article, malicious DNS analysis and network traffic analysis, is a good way to detect Advanced Persistent Threat malware infections and track down the real source of the attack.
I hope you found this article interesting and will look on your own for other methods of detecting APT attacks.
If you find something new, please let me know in the comment section below.