Professional Documents
Culture Documents
Division
http://www.sei.cmu.edu
Copyright 2014 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract
No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineer-
ing Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the
author(s) and do not necessarily reflect the views of the United States Department of Defense.
References herein to any specific commercial product, process, or service by trade name, trade mark,
manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation,
or favoring by Carnegie Mellon University or its Software Engineering Institute.
This report was prepared for the
SEI Administrative Agent
AFLCMC/PZM
20 Schilling Circle, Bldg 1305, 3rd floor
Hanscom AFB, MA 01731-2125
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON
UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY
WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK,
OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution except as restricted be-
low.
Internal use:* Permission to reproduce this material and to prepare derivative works from this material
for internal use is granted, provided the copyright and No Warranty statements are included with all
reproductions and derivative works.
External use:* This material may be reproduced in its entirety, without modification, and freely dis-
tributed in written or electronic form without requesting formal permission. Permission is required for
any other external and/or commercial use. Requests for permission should be directed to the Software
Engineering Institute at permission@sei.cmu.edu.
* These restrictions do not apply to U.S. government entities.
CERT
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
2
0
0
0
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
S
e
r
v
e
r
2
0
0
8
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
7
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
2
0
0
0
o
r
W
i
n
d
o
w
s
X
P
L
i
n
k
s
y
s
W
A
P
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
V
i
s
t
a
,
W
i
n
d
o
w
s
7
,
o
r
F
o
r
t
i
n
e
t
F
o
r
t
i
G
a
t
e
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
7
,
W
i
n
d
o
w
s
S
e
r
v
e
r
C
i
s
c
o
r
o
u
t
e
r
J
u
n
i
p
e
r
S
S
L
V
P
N
g
a
t
e
w
a
y
C
y
b
e
r
o
a
m
U
T
M
f
i
r
e
w
a
l
l
L
i
n
u
x
2
.
4
.
x
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
V
i
s
t
a
A
s
u
s
w
i
r
e
l
e
s
s
b
r
o
a
d
b
a
n
d
r
o
u
t
e
r
C
i
s
c
o
S
w
i
t
c
h
C
i
s
c
o
W
A
P
o
r
I
A
D
r
o
u
t
e
r
D
r
a
g
o
n
F
l
y
B
S
D
2
.
9
F
r
e
e
N
A
S
o
r
V
M
w
a
r
e
E
S
X
i
S
e
r
v
e
r
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
S
e
r
v
e
r
2
0
0
8
o
r
M
i
c
r
o
s
o
f
t
Z
u
n
e
a
u
d
i
o
p
l
a
y
e
r
M
o
t
o
r
o
l
a
W
A
P
Q
N
X
S
o
n
i
c
W
A
L
L
f
i
r
e
w
a
l
l
M
i
c
r
o
s
o
f
t
X
b
o
x
g
a
m
e
c
o
n
s
o
l
e
F
5
B
I
G
-
I
P
L
o
c
a
l
T
r
a
f
f
i
c
M
a
n
a
g
e
r
l
o
a
d
b
a
l
a
n
c
e
r
D
D
-
W
R
T
S
o
n
i
c
W
A
L
L
V
P
N
a
p
p
l
i
a
n
c
e
JIB
Mandiant
CMU/SEI-2014-TR-001 | 25
7.6 I
j
+I
m
P: Port Analysis
Along with the TCP/IP fingerprint information, the open ports allow us to best categorize what APT1
found necessary in its infrastructure. We looked at the open ports to understand what types of pathways
are needed for APT1 operations:
791 IP addresses (or 51.1%) in I
j
+I
m
had open ports.
4 IP addresses (possibly proxy servers) had more than 100 ports open.
609 unique open ports are represented in the data.
Figure 4 reflects the count of open ports per IP address. Most IP addresses in I
j
+I
m
have fewer than 16
ports open. Running correlations between ports did not present any high-correlation pairs. We surmise
there would be high correlations if we could break down the IP addresses into groups based on the
exact role they play in the infrastructure. However, this was not possible with the data available for this
study.
Figure 4: Count of Open Ports per IP Address in Ij+Im
7.6.1 Most Common Open Ports in I
j
+I
m
Table 8 reflects the most common open ports, each occurring in more than 10% of the IP addresses
having open ports in I
j
+I
m
.
Figure 5shows the distribution of open ports and the frequency of occurrence for the open ports with
more than 20 occurrences.
0
20
40
60
80
100
120
140
160
2 3 4 5 6 7 8 9 11 10 12 14 13 15 16 216166157131 57 47 39 20 19
CMU/SEI-2014-TR-001 | 26
Table 8: Ports Representing 10+% of Open Ports
Port Count % Total IP Addresses with
Open Ports in Ij+Im
% Total IP Addresses in Ij+Im
80 655 82.8% 47.3%
3389 434 54.9% 31.3%
443 312 39.4% 22.5%
21 305 38.6% 22.0%
25 217 27.4% 15.7%
135 212 26.8% 15.3%
53 165 20.9% 11.9%
22 162 20.5% 11.7%
1025 156 19.7% 11.3%
3306 146 18.5% 10.5%
139 145 18.3% 10.5%
445 137 17.3% 9.9%
1723 123 15.5% 8.9%
110 117 14.8% 8.4%
1026 101 12.8% 7.3%
143 86 10.9% 6.2%
Figure 5: Count of IP Addresses for Ports Occurring 20+ Times in Ij+Im
0
100
200
300
400
500
600
700
8
0
(
H
T
T
P
)
3
3
8
9
(
R
D
P
)
4
4
3
(
H
T
T
P
S
)
2
1
(
F
T
P
)
2
5
(
S
M
T
P
)
1
3
5
(
N
e
t
B
I
O
s
)
5
3
(
D
N
S
)
2
2
(
S
S
H
)
1
0
2
5
(
N
F
S
o
r
I
I
S
)
3
3
0
6
(
M
y
S
Q
L
)
1
3
9
(
N
e
t
B
I
O
s
)
4
4
5
(
M
i
c
r
o
s
o
f
t
A
D
)
1
7
2
3
(
P
P
T
P
)
1
1
0
(
P
O
P
3
)
1
0
2
6
(
D
c
o
m
S
e
r
v
i
c
e
s
)
1
4
3
(
I
M
A
P
)
8
0
8
0
(
A
l
t
H
T
T
P
)
1
0
2
7
(
I
P
v
6
b
e
h
i
n
d
N
A
T
)
9
9
3
(
I
M
A
P
S
)
9
9
5
(
P
O
P
3
S
)
1
1
1
(
R
P
C
)
1
4
3
3
(
M
S
S
Q
L
)
2
3
(
T
e
l
n
e
t
)
8
4
4
3
(
A
p
a
c
h
e
T
o
m
c
a
t
S
S
L
)
4
6
5
(
U
R
L
R
e
n
.
D
i
r
.
S
S
M
)
4
9
1
5
4
(
u
n
r
e
g
i
s
t
e
r
e
d
)
5
9
0
0
(
V
C
N
)
5
8
7
(
S
M
T
P
)
4
9
1
5
2
(
u
n
r
e
g
i
s
t
e
r
e
d
)
6
0
0
1
(
X
1
1
)
CMU/SEI-2014-TR-001 | 27
7.6.2 I
j
to I
m
Port Comparison
When comparing the number of open ports in the I
j
and I
m
sets, we noticed a similar distribution.
However, I
m
had a higher percentage of open ports:
51.7% of the I
j
set were open (442 IP addresses).
77.2% of the I
m,
set were open (410 IP addresses).
When analyzing the common but less frequent ports, we noticed that ports 22, 445, and 111 occurred
more frequently in I
m
than in I
j
. Figure 6 highlights the comparisons between the two data sets.
Figure 6: Port Comparison of Ij and Im
7.7 I
j
+I
m
A: Autonomous System Numbers
We mapped the IP addresses in I
j
+I
m
to their respective ASNs for two reasons. First, we wanted to see
what types of companies were represented. Second, we wanted to understand if the infrastructures of
any particular companies were being targeted:
All the IP addresses were mapped (1,386).
In the I
j
+I
m
list, there were 388 unique ASNs, belonging to 362 different organizations.
Organization types included internet service providers (ISPs), hosting providers, universities, and
state governments. We could not determine a type for a small number of the ASN owners.
7.7.1 Types of Organizations Represented
The majority of the ASNs represented either hosting or internet service providers. The minority
represented educational institutions, or local or state government. The majority of the hosting and ISPs
are fairly well known; of the top 20 hosting companies, approximately 50% are represented in the I
j
+I
m
set.
0
50
100
150
200
250
300
350
400
8
0
3
3
8
9
4
4
3
2
1
2
5
1
3
5
5
3
3
3
0
6
1
0
2
5
1
3
9
1
7
2
3
1
1
0
2
2
4
4
5
1
0
2
6
1
4
3
8
0
8
0
1
0
2
7
9
9
3
9
9
5
1
4
3
3
2
3
8
4
4
3
5
9
0
0
4
9
1
5
4
5
8
7
1
1
1
1
0
0
0
0
4
9
1
5
2
4
6
5
6
0
0
1
8
0
0
0
5
1
5
Ij
Im
CMU/SEI-2014-TR-001 | 28
7.7.2 Targeted Organizations
If IP addresses are clustered within ASNs, it is reasonable to assume the companies owning those
ASNs have been targeted for some particular reason. IP addresses that are distributed across many
ASNs have likely been chosen randomly. Approximately half of the IP addresses in I
j
+I
m
appear
clustered in a small number of ASNs.
Figure 7 reflects the 28 organizations with 10 or more IP addresses in the data set. Table 9 reflects the
top five companies and the percentage of IP addresses that resolve to them:
28 organizations (or 51.9%) were associated with 10 or more IP addresses.
208 organizations were associated with only one IP address.
127 organizations were associated with 2 to 9 IP addresses.
Figure 7: Organizations with 10 or More IP Addresses
Table 9: Top Five Organizations in Registering IP Addresses in Ij+Im
Company Associated IP Addresses Percentage of Total IP
Addresses
Psychz Networks 86 6.2%
Google Inc. 73 5.3%
GoDaddy.com, LLC 43 3.1%
Hurricane Electric, Inc. 40 2.9%
AT&T Services, Inc. 38 2.7%
0
10
20
30
40
50
60
70
80
90
100
P
s
y
c
h
z
N
e
t
w
o
r
k
s
G
o
o
g
l
e
I
n
c
.
G
o
D
a
d
d
y
.
c
o
m
,
L
L
C
H
u
r
r
i
c
a
n
e
E
l
e
c
t
r
i
c
,
I
n
c
.
A
T
&
T
S
e
r
v
i
c
e
s
,
I
n
c
.
N
O
V
A
R
T
I
S
-
D
M
Z
-
U
S
X
O
C
o
m
m
u
n
i
c
a
t
i
o
n
s
K
r
y
p
t
T
e
c
h
n
o
l
o
g
i
e
s
D
C
S
P
a
c
i
f
i
c
S
t
a
r
,
L
L
C
F
D
C
s
e
r
v
e
r
s
.
n
e
t
C
o
m
c
a
s
t
C
a
b
l
e
C
o
v
a
d
C
o
m
m
u
n
i
c
a
t
i
o
n
s
C
o
.
S
B
I
S
-
A
S
A
S
f
o
r
S
B
I
S
-
A
S
(
A
T
&
T
)
H
I
N
E
T
D
a
t
a
C
o
m
m
u
n
i
c
a
t
i
o
n
S
o
f
t
L
a
y
e
r
T
e
c
h
n
o
l
o
g
i
e
s
I
n
c
.
T
i
m
e
W
a
r
n
e
r
C
a
b
l
e
I
n
t
e
r
n
e
t
L
L
C
e
N
o
m
,
I
n
c
o
r
p
o
r
a
t
e
d
N
e
t
w
o
r
k
O
p
e
r
a
t
i
o
n
s
C
e
n
t
e
r
I
n
c
.
A
m
a
z
o
n
.
c
o
m
,
I
n
c
.
C
r
y
s
t
a
l
T
e
c
h
W
e
b
H
o
s
t
i
n
g
I
n
c
.
K
o
r
e
a
T
e
l
e
c
o
m
P
a
e
T
e
c
C
o
m
m
u
n
i
c
a
t
i
o
n
s
,
I
n
c
.
M
C
I
C
o
m
m
u
n
i
c
a
t
i
o
n
s
S
e
r
v
i
c
e
s
,
L
e
v
e
l
3
C
o
m
m
u
n
i
c
a
t
i
o
n
s
R
a
c
k
s
p
a
c
e
H
o
s
t
i
n
g
V
e
r
i
z
o
n
O
n
l
i
n
e
L
L
C
U
n
i
f
i
e
d
L
a
y
e
r
S
p
r
i
n
t
L
i
n
k
G
l
o
b
a
l
N
e
t
w
o
r
k
CMU/SEI-2014-TR-001 | 29
Company Associated IP Addresses Percentage of Total IP
Addresses
NOVARTIS-DMZ-US (Qwest/CenturyLink) 38 2.7%
Some of the companies found in I
j
+I
m
are known to be malicious outside of APT1 operations. Many
have contained malware used by other malicious groups during various operations of their own. For
instance, Psychz Networks and Krypt Technologies popped up very frequently, more frequently than
the biggest hosting sites. Research on these two companies indicates they both provide bulletproof
hosting services. Psychz Networks in particular has a reputation of hosting a slew of malicious
websites.
7.8 I
j
+I
m
C: Location of IP Addresses
The I
j
+I
m
IP addresses are associated with 54 different countries, 45 U.S. states, and the District of
Columbia. Figure 8 reflects the distribution of companies with more than five resolving IP addresses by
U.S. state. Figure 9 shows the non-U.S. countries with resolving IP addresses.
Figure 8: U.S. States with Five or More Associated IP Addresses
0
50
100
150
200
250
300
350
400
c
a
l
i
f
o
r
n
i
a
a
r
i
z
o
n
a
t
e
x
a
s
v
i
r
g
i
n
i
a
f
l
o
r
i
d
a
i
l
l
i
n
o
i
s
c
o
l
o
r
a
d
o
n
e
w
y
o
r
k
n
e
w
j
e
r
s
e
y
w
a
s
h
i
n
g
t
o
n
p
e
n
n
s
y
l
v
a
n
i
a
g
e
o
r
g
i
a
m
i
c
h
i
g
a
n
n
o
r
t
h
c
a
r
o
l
i
n
a
o
h
i
o
d
e
l
a
w
a
r
e
d
i
s
t
r
i
c
t
o
f
c
o
l
u
m
b
i
a
i
n
d
i
a
n
a
u
t
a
h
m
i
s
s
o
u
r
i
m
a
s
s
a
c
h
u
s
e
t
t
s
w
i
s
c
o
n
s
i
n
n
e
b
r
a
s
k
a
k
a
n
s
a
s
o
r
e
g
o
n
c
o
n
n
e
c
t
i
c
u
t
t
e
n
n
e
s
s
e
e
l
o
u
i
s
i
a
n
a
n
e
v
a
d
a
a
l
a
b
a
m
a
CMU/SEI-2014-TR-001 | 30
Figure 9: Non-U.S. Countries with Two or More Occurrences
7.9 I
j
+I
m
R: Routing Data
The routing data allows us to identify how the IP addresses are connected to the internet, whether
through a fixed, dynamic, or other connection. Figure 10 shows the types of routing data found for
I
j
+I
m
:
Fixed, dedicated lines are lease lines or fiber connections, which indicate this is a connection from
a mid-sized to large organization.
Fixed, other lines constitute all other fixed connections such as DSL or cable.
Pop represents a dial-up connection.
Other is any other type of connection, for example, a connection through an international proxy or
gateway.
0
5
10
15
20
25
30
35
40
T
A
I
W
A
N
,
P
R
O
V
I
N
C
E
O
F
C
H
I
N
A
K
O
R
E
A
,
R
E
P
U
B
L
I
C
O
F
J
A
P
A
N
U
N
I
T
E
D
K
I
N
G
D
O
M
T
H
A
I
L
A
N
D
H
O
N
G
K
O
N
G
S
I
N
G
A
P
O
R
E
I
R
E
L
A
N
D
C
A
N
A
D
A
G
E
R
M
A
N
Y
P
O
R
T
U
G
A
L
I
N
D
I
A
P
O
L
A
N
D
C
H
I
N
A
R
O
M
A
N
I
A
N
E
T
H
E
R
L
A
N
D
S
R
U
S
S
I
A
N
F
E
D
E
R
A
T
I
O
N
A
U
S
T
R
A
L
I
A
L
A
T
V
I
A
F
R
A
N
C
E
V
I
R
G
I
N
I
S
L
A
N
D
S
,
B
R
I
T
I
S
H
B
U
L
G
A
R
I
A
S
O
U
T
H
A
F
R
I
C
A
B
R
A
Z
I
L
U
K
R
A
I
N
E
M
E
X
I
C
O
H
U
N
G
A
R
Y
C
Z
E
C
H
R
E
P
U
B
L
I
C
M
O
L
D
O
V
A
,
R
E
P
U
B
L
I
C
O
F
I
N
D
O
N
E
S
I
A
S
W
I
T
Z
E
R
L
A
N
D
L
I
T
H
U
A
N
I
A
B
E
L
G
I
U
M
I
S
R
A
E
L
S
P
A
I
N
CMU/SEI-2014-TR-001 | 31
Figure 10: Neustar Routing Types in Ij+Im
In the figure, note that
1,000 IP addresses have routing types.
50% of those addresses have fixed connections through leased lines or optical fiber cable,
indicating they likely belong to organizations and not individuals.
984 IP addresses have connection types, which means their routing type is fiber, leased line, DSL,
cable, or dial-up.
7.10 I
j
+I
m
O: Open Resolvers
An open resolver is a misconfigured DNS server that answers recursive queries for hosts outside its
network. We wanted to see whether open resolvers appeared to be an important factor for the APT1
infrastructure. Several open resolvers occur in the data set, and several of the companies represented in
the set have more than one open resolver in our list:
There are a total of 43 open resolvers in I
j
+I
m
.
They constitute 3.1% of I
j
+I
m
.
They belong to 30 different organizations.
The biggest offenders with more than one open resolver are listed in Table 10.
Table 10: Organizations Associated with More Than One Open Resolver
Company Name Number of Open Resolvers
Comcast Cable Communications, Inc. 6
CrystalTech Web Hosting, Inc. 5
MegaPath Networks, Inc. 3
Charlotte Colocation Center, LLC 2
NOVARTIS-DMZ-US (Qwest/CenturyLink) 2
unknown,
27%
fixed,
dedicated
50%
fixed,
other
20%
other, 1% pop, 2%
CMU/SEI-2014-TR-001 | 32
7.11 APT1 Analysis Summary
Within the APT1 data set, all IP addresses had information for at least ASN and country. Almost 24%
(329) of the IP addresses also have a fingerprint, at least one open port, and routing data. Less than
13% (177) of the IP addresses lacked a fingerprint, open ports, and routing data.
CMU/SEI-2014-TR-001 | 33
8 Results: IPv4 Sample
To confirm our analysis from the I
j
+I
m
data set, we had to know what the IPv4 address space looked
like in contrast to the data associated with APT1. Then, we had a baseline of what we would expect to
see with TCP/IP fingerprint information and SyncScan data in the APT1 data set if there was nothing
special about the IP addresses and the infrastructure they represent. We found the sample to differ
considerably from the I
j
+I
m
data, which confirmed our speculation that APT1 has special requirements
for its infrastructure.
8.1 SF
p75
: TCP/IP Fingerprints of S Given a 75% Match
Of the 100,000 IP addresses in our sample, 11,132or 11.13% of the entire sample setwere
fingerprinted:
686 of them were unique.
35.2% of the fingerprinted machines ran Linux, 12.9% ran Microsoft Windows, and 51.9% ran
neither.
8.1.1 Top TCP/IP Fingerprints
Unlike the I
j
+I
m
set, none of the Microsoft Windows OSs breaks the top five occurring fingerprints.
Instead, those top five contain two Linux OSs and three other, unrelated identities. Table 11 reflects the
top five fingerprints, the number of occurrences, the percentage of the fingerprinted data, and the
percentage of the sample.
Table 11: Top Five Fingerprints in S
Fingerprint Count % Total of IP
Addresses with
Fingerprints in S
% Total IP Addresses
in S
Linux 2.6.32 734 6.6% 0.7%
VxWorks 691 6.2% 0.7%
Linux 2.6.18 463 4.2% 0.5%
Linksys WRT610Nv3 WAP 451 4.0% 0.5%
AVM FRITZ!Box FON WLAN 7170 WAP
(Linux 2.6.13)
418 3.8% 0.4%
Figure 11shows the top 30 fingerprint occurrences for the IPv4 sample and the number of times each
particular fingerprint occurs.
CMU/SEI-2014-TR-001 | 34
Figure 11: Top 30 Fingerprints in Ss IP Addresses
8.2 I
j
+I
m
F
p75
and SF
p75
Comparison
The IPv4 sample is crucial because it tells us what we should expect to see throughout the IPv4 space.
If APT1 was not targeting something specific, we should expect similar results to the sample:
Of the IPv4 sample, only 11.13% of the IP addresses returned fingerprints, compared to 32.5% in
the I
j
+I
m
set.
No single fingerprint constituted more than 1% of the total IP addresses in S.
No single fingerprint constituted more than 7% of the total fingerprinted IP addresses in S.
While the Linux percentages in the I
j
+I
m
and S sets were close, the Windows OSs diverged
considerably as shown in Table 12. The S set had a greater percentage of non-Windows and non-Linux
machines than the I
j
+I
m
set: We would expect these differences if APT1 was targeting specific
architecture.
Table 12: Operating System Comparison Between Ij+Im and S
Operating System Ij+Im S
Linux 30.8% 35.2%
Windows 71.6% 12.9%
Other 7.3% 51.9%
0
100
200
300
400
500
600
700
800
L
i
n
u
x
2
.
6
.
3
2
V
x
W
o
r
k
s
L
i
n
u
x
2
.
6
.
1
8
L
i
n
k
s
y
s
W
R
T
6
1
0
N
v
3
W
A
P
A
V
M
F
R
I
T
Z
!
B
o
x
F
O
N
W
L
A
N
7
1
7
0
W
A
P
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
S
e
r
v
e
r
2
0
0
3
S
P
2
L
i
n
u
x
2
.
6
.
1
5
-
2
.
6
.
2
7
F
o
r
t
i
n
e
t
F
o
r
t
i
G
a
t
e
-
5
0
B
o
r
3
1
0
B
f
i
r
e
w
a
l
l
L
i
n
k
s
y
s
R
V
0
4
2
r
o
u
t
e
r
L
i
n
u
x
2
.
6
.
3
2
-
2
.
6
.
3
5
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
X
P
S
P
3
C
o
m
p
a
q
i
P
A
Q
C
P
-
2
W
C
o
n
n
e
c
t
i
o
n
L
i
n
u
x
2
.
6
.
3
2
-
3
.
2
L
i
n
u
x
2
.
6
.
1
3
-
2
.
6
.
3
2
L
i
n
u
x
2
.
6
.
3
9
C
i
s
c
o
1
8
1
2
,
3
6
4
0
,
o
r
3
7
0
0
r
o
u
t
e
r
(
I
O
S
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
V
i
s
t
a
S
P
2
L
i
n
u
x
2
.
6
.
9
-
2
.
6
.
3
3
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
S
e
r
v
e
r
2
0
0
3
S
o
n
u
s
G
S
X
9
0
0
0
V
o
I
P
p
r
o
x
y
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
S
e
r
v
e
r
2
0
0
8
S
P
1
Z
T
E
Z
X
V
1
0
H
2
0
1
A
D
S
L
r
o
u
t
e
r
C
i
s
c
o
A
C
E
l
o
a
d
b
a
l
a
n
c
e
r
L
i
n
u
x
2
.
6
.
3
2
-
3
.
6
L
i
n
u
x
2
.
6
.
1
6
S
h
o
r
e
T
e
l
S
h
o
r
e
G
e
a
r
-
T
1
V
o
I
P
s
w
i
t
c
h
N
o
r
t
e
l
B
a
y
S
t
a
c
k
4
6
0
s
w
i
t
c
h
,
o
r
L
i
n
k
s
y
s
L
i
n
u
x
2
.
6
.
2
3
C
i
s
c
o
A
i
r
o
n
e
t
1
2
6
2
W
A
P
o
r
I
A
D
2
4
3
0
Z
y
X
E
L
P
r
e
s
t
i
g
e
2
6
0
2
R
-
D
1
A
A
D
S
L
T
h
o
m
s
o
n
T
C
W
7
1
0
w
i
r
e
l
e
s
s
c
a
b
l
e
CMU/SEI-2014-TR-001 | 35
8.2.1.1 Ij+ImFp75
and SFp75 Top TCP/IP Fingerprint Comparison
Although we found the I
j
+I
m
sets top fingerprints in the sample, they occurred in a much lower
percentage of the IP addresses. Additionally, we found that three of the top five most frequently
occurring OSs in the sample were nonexistent in the I
j
+I
m
set. Microsoft Windows Server 2003
machines, in particular, had a much higher percentage of occurrences in the I
j
+I
m
data. This further
supports the theory that APT1 was targeting specific architecture. Table 13 compares the top finger-
prints of the I
j
+I
m
and S sets.
Table 13: Top Fingerprint Comparison Between Ij+Im and S
Figure 12 shows the top 30 fingerprints found in the IPv4 sample data. The fingerprints shown in black
also occur in the top 10 fingerprints of the I
j
+I
m
data. Only 5 of the top 10 fingerprints in I
j
+I
m
are in
the top 30 of the S data set.
Figure 12: Top 30 Fingerprints in S and Top 10 Overlap with Ij+Im
0
100
200
300
400
500
600
700
800
L
i
n
u
x
2
.
6
.
3
2
V
x
W
o
r
k
s
L
i
n
u
x
2
.
6
.
1
8
L
i
n
k
s
y
s
W
R
T
6
1
0
N
v
3
A
V
M
F
R
I
T
Z
!
B
o
x
F
O
N
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
L
i
n
u
x
2
.
6
.
1
5
-
2
.
6
.
2
7
F
o
r
t
i
n
e
t
F
o
r
t
i
G
a
t
e
-
5
0
B
L
i
n
k
s
y
s
R
V
0
4
2
r
o
u
t
e
r
L
i
n
u
x
2
.
6
.
3
2
-
2
.
6
.
3
5
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
X
P
C
o
m
p
a
q
i
P
A
Q
C
P
-
2
W
L
i
n
u
x
2
.
6
.
3
2
-
3
.
2
L
i
n
u
x
2
.
6
.
1
3
-
2
.
6
.
3
2
L
i
n
u
x
2
.
6
.
3
9
C
i
s
c
o
1
8
1
2
,
3
6
4
0
,
o
r
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
L
i
n
u
x
2
.
6
.
9
-
2
.
6
.
3
3
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
S
o
n
u
s
G
S
X
9
0
0
0
V
o
I
P
M
i
c
r
o
s
o
f
t
W
i
n
d
o
w
s
Z
T
E
Z
X
V
1
0
H
2
0
1
A
D
S
L
C
i
s
c
o
A
C
E
l
o
a
d
b
a
l
a
n
c
e
r
L
i
n
u
x
2
.
6
.
3
2
-
3
.
6
L
i
n
u
x
2
.
6
.
1
6
S
h
o
r
e
T
e
l
S
h
o
r
e
G
e
a
r
-
T
1
N
o
r
t
e
l
B
a
y
S
t
a
c
k
4
6
0
L
i
n
u
x
2
.
6
.
2
3
C
i
s
c
o
A
i
r
o
n
e
t
1
2
6
2
Z
y
X
E
L
P
r
e
s
t
i
g
e
2
6
0
2
R
-
T
h
o
m
s
o
n
T
C
W
7
1
0