Analysis of Multiple Darknet Focusing on Outbound Packets and its Application to Malware Analysis

Keisuke Furumoto, Korehito Kashiki, M. Morii, Masato Ikegami, Tomohisa Hasegawa, Teiichi Ishikawa, K. Nakao
DOI: 10.1109/CANDAR.2017.87 (https://doi.org/10.1109/CANDAR.2017.87)
Venue: 2017 Fifth International Symposium on Computing and Networking (CANDAR)
Published: 2017-11-01
Citations: 1

Abstract

The PRACTICE (Proactive Response Against Cyber-attacks Through International Collaborative Exchange) project was initiated to reduce the risk of cyber-attacks by building an international coordination system for cyber-attack response and by analyzing the data observed by darknet sensors installed in the 10 countries participating in PRACTICE. However, all previous studies related to PRACTICE have been narrow in scope, focusing on specific attacking hosts. In this paper, we analyze the wider relationship between the darknet sensors installed in the participating countries from the viewpoint of inbound and outbound packets for each port number. An inbound packet is a packet observed by the sensors in a given participating country; an outbound packet is a packet from a given source country, aggregated over the sensors of all participating countries. As a result, for attacks on port 23 against the participating countries, it became clear that the attack tendency is clearly divided according to the attacking country. Furthermore, on the assumption that malware accounts for the difference in attack tendency by country, we performed a correlation analysis between the PRACTICE observations and per-country malware observation data provided by ESET. This showed that outbound packets to port 23 and botnet-related downloader-type malware are closely interlocked, and that this malware spreads its infection over Telnet (port 23). The analysis results confirm, as pointed out previously, that darknet packets to a specific port number are linked to malware activity.
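The two aggregation viewpoints the abstract defines (inbound: count by the sensor's country; outbound: count by the source country, summed over every sensor) and the per-country correlation against malware detections, as an added example that is not the paper's or the PRACTICE project's code. The sensor records, the country codes AA/BB/CC/DD and JP/US/DE, and the two malware detection series are constructed here for illustration; they stand in for the PRACTICE sensor data and the ESET per-country data, which are not on this page.

```python
"""Inbound/outbound darknet aggregation per port and per-country correlation.

Added example, not PRACTICE project code. All records below are constructed.
"""
from collections import defaultdict
from math import sqrt

# Constructed darknet sensor records: (sensor_country, source_country, dst_port, packets).
# Country codes and packet counts are assumptions, not observed PRACTICE data.
RECORDS = [
    ("JP", "AA", 23, 3), ("JP", "BB", 23, 1), ("JP", "CC", 23, 1), ("JP", "DD", 445, 1),
    ("US", "AA", 23, 2), ("US", "BB", 23, 2), ("US", "DD", 445, 1), ("US", "AA", 2323, 1),
    ("DE", "AA", 23, 1), ("DE", "BB", 23, 1), ("DE", "CC", 23, 1), ("DE", "DD", 445, 1),
    ("DE", "BB", 80, 1),
]

# Constructed per-country malware detection counts (stand-ins for the ESET
# per-country data the paper correlated against). Two families with different
# geography, so one tracks the port-23 outbound series and the other does not.
MALWARE_DETECTIONS = {
    "telnet_downloader": {"AA": 60, "BB": 40, "CC": 20, "DD": 5},
    "unrelated_family":  {"AA": 5, "BB": 30, "CC": 50, "DD": 10},
}


def inbound_by_port(records, port):
    """Inbound view: packets to `port` counted per *sensor* (observing) country."""
    counts = defaultdict(int)
    for sensor, _src, dport, n in records:
        if dport == port:
            counts[sensor] += n
    return dict(counts)


def outbound_by_port(records, port):
    """Outbound view: packets to `port` counted per *source* country,
    summed over the sensors of every participating country."""
    counts = defaultdict(int)
    for _sensor, src, dport, n in records:
        if dport == port:
            counts[src] += n
    return dict(counts)


def port_profile(records, country):
    """Fraction of packets from `country` aimed at each destination port:
    the per-country 'attack tendency' the abstract compares."""
    totals = defaultdict(int)
    for _sensor, src, dport, n in records:
        if src == country:
            totals[dport] += n
    total = sum(totals.values())
    return {p: c / total for p, c in totals.items()} if total else {}


def pearson(xs, ys):
    """Pearson correlation; a constant series has no correlation (returns 0.0)."""
    if len(xs) != len(ys) or len(xs) < 3:
        raise ValueError("need at least three paired observations")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def correlate_outbound_with_malware(records, port, detections):
    """Align outbound packet counts for `port` with malware detections by
    country (missing countries count as 0) and return (countries, r)."""
    outbound = outbound_by_port(records, port)
    countries = sorted(set(outbound) | set(detections))
    xs = [outbound.get(c, 0) for c in countries]
    ys = [detections.get(c, 0) for c in countries]
    return countries, pearson(xs, ys)


if __name__ == "__main__":
    print("inbound  port 23:", inbound_by_port(RECORDS, 23))
    print("outbound port 23:", outbound_by_port(RECORDS, 23))
    for c in ("AA", "DD"):
        print(f"port profile {c}:", port_profile(RECORDS, c))
    for family, det in MALWARE_DETECTIONS.items():
        countries, r = correlate_outbound_with_malware(RECORDS, 23, det)
        print(f"r(outbound:23, {family}) over {countries} = {r:.3f}")
```

Two caveats when running this over real sensor data: raw counts should be normalized (by the size of each sensor's address block on the inbound side, and by each source country's address space or installed base on the outbound side) before comparing countries, and a high Pearson r over a handful of countries is weak evidence on its own, since one or two large countries can dominate both series.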