
APT Attributions and DNS Profiling

Attributing malware to its operators is a persistently hard problem for analysts. Most researchers extract technical artifacts from the malware binaries and mine them to identify the attackers, or at least to fingerprint partial information about the malware authors. For Windows malware, the PE headers are first deconstructed; the extracted metadata are then categorized according to defined rules, stored in a SQL database and analyzed further (Yonts, 2012). Some analysts extend this into contextual analysis, collecting attributes or "genes" from several "layers": the exploit or shellcode used, the PE metadata, the TCP port contacted and the C2 network infrastructure (Xecure-Lab, 2012). Others step back one stage and extract metadata from the email headers when the malware was delivered through spear-phishing (Lee, M. & Lewis, D., 2011).
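The PE-metadata pipeline described above (parse headers, apply categorization rules, store in SQL, query across the corpus), written out as an added example; this is not code from the original post or from the cited Yonts paper. It parses the DOS, COFF, optional and section headers by hand so it has no third-party dependency, the three PE images it analyzes are constructed in-line (headers and section table only), and the packer section-name list and the "timestamp-stomped" rule are hypothetical rules chosen for the demonstration.

```python
import hashlib
import sqlite3
import struct

# Layout constants from the PE/COFF specification.
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINE_NAMES = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}
# Section names left behind by common packers (hypothetical rule table for this demo).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida"}


def parse_pe(data: bytes) -> dict:
    """Walk DOS -> COFF -> optional header -> section table and return the fields
    attribution work usually keys on. Raises ValueError on a malformed image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24                                        # signature (4) + COFF header (20)
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt_off)
    (entry,) = struct.unpack_from("<I", data, opt_off + 16)     # AddressOfEntryPoint
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt_off + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt_off + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):                                       # 40-byte IMAGE_SECTION_HEADER each
        name, vsize, _vaddr, rsize, _raw = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "machine": MACHINE_NAMES.get(machine, "0x%x" % machine),
            "timestamp": stamp, "linker": "%d.%d" % (linker_major, linker_minor),
            "entry": entry, "image_base": image_base, "sections": sections}


def classify(meta: dict, analysis_time: int) -> list:
    """The 'defined rules' step: turn raw metadata into categories."""
    tags = []
    if meta["timestamp"] == 0 or meta["timestamp"] > analysis_time:
        tags.append("timestamp-stomped")     # zero or future compile stamps cannot be trusted
    if any(name in PACKER_SECTIONS for name, _, _ in meta["sections"]):
        tags.append("packed")
    return tags


def load_corpus(samples, analysis_time: int) -> sqlite3.Connection:
    """One row per sample in SQLite so the rules can be queried across the corpus."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pe (sha256 TEXT PRIMARY KEY, machine TEXT, stamp INTEGER, "
               "linker TEXT, entry INTEGER, sections TEXT, tags TEXT)")
    for data in samples:
        m = parse_pe(data)
        db.execute("INSERT INTO pe VALUES (?, ?, ?, ?, ?, ?, ?)",
                   (m["sha256"], m["machine"], m["timestamp"], m["linker"], m["entry"],
                    ",".join(n for n, _, _ in m["sections"]),
                    ",".join(classify(m, analysis_time))))
    return db


def shared_build_environments(db: sqlite3.Connection) -> list:
    """Samples sharing linker version and compile stamp probably came off one build box."""
    return db.execute("SELECT linker, stamp, COUNT(*) FROM pe WHERE stamp != 0 "
                      "GROUP BY linker, stamp HAVING COUNT(*) > 1").fetchall()


def build_sample_pe(stamp: int, sections, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE (headers and section table only, no code) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    opt_size = 240 if pe32plus else 224
    opt = bytearray(opt_size)
    struct.pack_into("<HBB", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC, 14, 0)
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 24, 0x140000000)            # ImageBase (PE32+)
    else:
        struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase (PE32)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(sections), stamp, 0, 0, opt_size, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, 0x1000 * (i + 1), rsize,
                    0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rsize) in enumerate(sections))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


ANALYSIS_TIME = 1400000000                                      # 2014-05-13 UTC (constructed)
SAMPLES = [                                                     # constructed corpus of three images
    build_sample_pe(1335000000, [(".text", 0x2000, 0x2000), (".data", 0x400, 0x200), (".rsrc", 0x800, 0x800)]),
    build_sample_pe(1335000000, [("UPX0", 0x8000, 0), ("UPX1", 0x3000, 0x2E00)], pe32plus=True),
    build_sample_pe(0, [(".text", 0x1000, 0x1000)]),            # zeroed (stomped) timestamp
]

if __name__ == "__main__":
    db = load_corpus(SAMPLES, ANALYSIS_TIME)
    for row in db.execute("SELECT sha256, machine, stamp, linker, sections, tags FROM pe"):
        print(row)
    print("shared build environments:", shared_build_environments(db))
```

The query at the end is the kind of cross-corpus pivot the SQL step exists for: two of the constructed samples share a linker version and compile timestamp even though one is 32-bit and the other a packed 64-bit image, which is the sort of weak-but-cheap link an analyst would then try to corroborate with the C2 and delivery layers mentioned above. The timestamp rule is also the caveat: a zeroed or future stamp is excluded from the pivot because anyone who stomps it controls that "gene".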

Read more: http://espionageware.blogspot.hk/2014/04/apt-attributions-and-dns-profiling.html
