Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve
JR02-2009 <strong>Tracking</strong> <strong>GhostNet</strong> - PART ONE<br />
15<br />
traffic using a simple IP lookup. 34 The control servers were then probed, and web-based control interfaces<br />
were identified on four of them, which allowed us to view and control the network. The system was<br />
actively monitored for two weeks, which allowed us to derive an extensive list of infected systems and to<br />
observe the operator(s) as they issued specific instructions to target computers.<br />
The data collected during both phases were integrated into Palantir, a data visualization and analysis<br />
tool. The Palantir platform provides a data fusion and visualization environment that supports linking<br />
and cross-referencing the collected records.<br />
34 We looked up the associated Internet Protocol (IP) address in all five Regional Internet Registries (AfriNIC, APNIC, ARIN, LACNIC and<br />
RIPE NCC) in order to identify the country and network to which the IP address is assigned. We then performed a reverse Domain Name<br />
System (DNS) look-up on each IP address. DNS is the system that translates domain names into IP addresses; reverse DNS translates an<br />
IP address back into a domain name via its PTR record, where the address owner has published one. This can potentially provide<br />
additional information about the entity that has been assigned a particular IP address. If we discovered a domain name, we then looked<br />
up its registration in WHOIS, the public directory through which registries and registrars publish domain registration records and which<br />
indicates who registered the domain name, subject to any privacy or proxy service the registrant used.
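The three-step enrichment chain footnote 34 describes (RIR lookup for country and network, reverse DNS, then domain WHOIS on the resulting name) is shown below as an added example; it is not code from the report or from the Information Warfare Monitor. The lookups are injected as callables so the script runs offline against constructed replies in the documentation address ranges (198.51.100.0/24, 203.0.113.0/24); the `live_*` helpers show the real network versions. The "registrable domain = last two labels" rule and the privacy-service regex are simplifying assumptions, not part of the report's method.

```python
"""Added example (not from the GhostNet report): the IP -> RIR -> reverse DNS -> WHOIS
enrichment chain of footnote 34, with the network calls injectable so it runs offline."""
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# RIR and registrar WHOIS replies are "key: value" text. Comment lines start with
# '%' (RIPE/APNIC/AfriNIC) or '#' (ARIN), and a key may repeat (e.g. descr:).
def parse_whois(text: str) -> Dict[str, List[str]]:
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line[0] in "%#>":
            continue
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 /_.-]*?):\s*(.*)$", line)
        if m:
            key = m.group(1).strip().lower().replace(" ", "-")  # "Registrant Name" -> registrant-name
            fields.setdefault(key, []).append(m.group(2).strip())
    return fields

def first(fields: Dict[str, List[str]], *keys: str) -> Optional[str]:
    for k in keys:
        if fields.get(k):
            return fields[k][0]
    return None

@dataclass
class Enrichment:
    ip: str
    country: Optional[str] = None
    netname: Optional[str] = None
    rdns: Optional[str] = None
    registrant: Optional[str] = None
    notes: List[str] = field(default_factory=list)

def enrich_ip(ip: str, rir_whois: Callable[[str], str], reverse_dns: Callable[[str], Optional[str]],
              domain_whois: Callable[[str], str]) -> Enrichment:
    e = Enrichment(ip=ip)
    rir = parse_whois(rir_whois(ip))
    e.country = first(rir, "country")
    e.netname = first(rir, "netname")
    name = reverse_dns(ip)
    if name is None:
        e.notes.append("no PTR record; cannot chain to domain WHOIS")
        return e
    e.rdns = name
    # Assumption: registrable domain = last two labels. Real code should consult the
    # Public Suffix List so names like host.example.co.uk are split correctly.
    domain = ".".join(name.rstrip(".").split(".")[-2:])
    reg = parse_whois(domain_whois(domain))
    e.registrant = first(reg, "registrant-name", "registrant-organization", "registrant")
    if e.registrant and re.search(r"privacy|proxy|redacted", e.registrant, re.I):
        e.notes.append("registrant is a privacy/proxy service; attribution weak")
    return e

# Live versions of the injected lookups (not used by the offline demo below).
def live_reverse_dns(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_whois(server: str) -> Callable[[str], str]:
    def query(target: str) -> str:  # raw WHOIS protocol: one line in, text out, over TCP/43
        with socket.create_connection((server, 43), timeout=10) as s:
            s.sendall(target.encode() + b"\r\n")
            buf = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        return buf.decode(errors="replace")
    return query

# Constructed sample replies (not real lookups); addresses are documentation ranges.
CONSTRUCTED_RIR = {
    "198.51.100.7": ("% Constructed RIPE-style reply\n"
                     "inetnum:  198.51.100.0 - 198.51.100.255\nnetname:  EXAMPLE-HOSTING\n"
                     "country:  CN\ndescr:    Example Hosting Ltd\ndescr:    Second line\n"),
    "203.0.113.9": "#\n# Constructed ARIN-style reply\n#\nNetRange: 203.0.113.0 - 203.0.113.255\n"
                   "NetName: EXAMPLE-NET\nCountry: US\n",
}
CONSTRUCTED_PTR = {"198.51.100.7": "c2.example.net"}  # 203.0.113.9 has no PTR record
CONSTRUCTED_DOMAIN_WHOIS = {
    "example.net": "Domain Name: EXAMPLE.NET\nRegistrant Name: Domains By Proxy, LLC\nRegistrant Country: US\n",
}

def demo() -> Dict[str, Enrichment]:
    return {ip: enrich_ip(ip, CONSTRUCTED_RIR.__getitem__, CONSTRUCTED_PTR.get,
                          CONSTRUCTED_DOMAIN_WHOIS.__getitem__) for ip in CONSTRUCTED_RIR}

if __name__ == "__main__":
    for ip, result in demo().items():
        print(result)
```

The two constructed cases cover the failure modes an analyst meets in practice: an address with no PTR record, where the chain stops at the RIR data, and a domain whose WHOIS points at a proxy registrant, where the chain completes but the name is not attributable.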