Feeds

Zoom out for a view of malware, say boffins

Forest, trees – you know the drill

The Power of One eBook: Top reasons to choose HP BladeSystem

One of the reasons malware gets past corporate defences is that a single HTTP request can look perfectly innocent. However, according to research to be presented at a security conference next week, those requests reveal themselves if the defender takes a “big picture” view.

According to research to be presented at the Internet Society's Network and Distributed System Symposium, at a very large scale, the HTTP requests issued by users who make the mistake of clicking on a malware link become easy to identify – even without having to analyse the content of the HTTP content downloaded.

Led by Luca Invernizzi at UC Santa Barbera, the research was designed to avoid the pitfalls of current protection systems. “Drive-by exploits use the web to download malware binaries. Finally, Nazca does not perform any analysis of the content of web downloads, except for extracting their MIME type. That is, we do not apply any signatures to the network payload, do not look at features of the downloaded programs, and do not consider the reputation of the programs’ sources,” the paper states.

Instead, their system, dubbed Nazca, watches Web traffic between hosts on one side of the network, and the Internet, looking for connections associated with malware downloads.

When HTTP requests that Nazca is watching are downloading a possibly-suspicious EXE, the authors explain, they have learned to identify connection characteristics associated that are different from legitimate downloads. For example, malware authors' “evasive actions” such as “domain fluxing, malware repackaging, and the use of malware droppers for multi-step installations” make an attack easier to recognise for Nazca.

That information is aggregated to identify related, malicious activity – and thus to reduce the rate of false positives, they say.

In gathering traffic information, Nazca looks at IP and TCP packet headers, HTTP headers, and enough HTTP payload to get the MIME type information, which is hashed to make it easy to test program downloads for uniqueness. The system also gathers “a content hash of the uncompressed first k bytes at the beginning of the file” – with k=1000 for their test.

The analysis, the paper states, then focuses on identifying known malware distribution techniques. For example, server-side polymorphism is identifiable since the malware host is sending large numbers of EXEs whose hashes won't match. Other characteristics that Nazca looks at is the number of domains or IP addresses associated with a malware campaign, such as:

  • Distribution from a single IP operating many colocated domains;
  • Use of a large number of TLDs;
  • Many different paths and file names served by the distributor (as evidence of polymorphism); and
  • Suspiciously few URIs per domain (because legitimate CDNs typically have very large directory structures; and
  • Served file types (because CDNs serve many file types, while malware servers focus on EXEs.

While no single characteristic demonstrates malice, taken together on a large enough traffic sample – a very large enterprise network, or an ISP network – the authors claim their approach can identify zero-day malware campaigns with a low rate of false positives.

The paper, turned up by CRN Australia, can be downloaded here as a PDF. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.