Feeds

Zoom out for a view of malware, say boffins

Forest, trees – you know the drill

5 things you didn’t know about cloud backup

One of the reasons malware gets past corporate defences is that a single HTTP request can look perfectly innocent. However, according to research to be presented at a security conference next week, those requests reveal themselves if the defender takes a “big picture” view.

According to research to be presented at the Internet Society's Network and Distributed System Symposium, at a very large scale, the HTTP requests issued by users who make the mistake of clicking on a malware link become easy to identify – even without having to analyse the content of the HTTP content downloaded.

Led by Luca Invernizzi at UC Santa Barbera, the research was designed to avoid the pitfalls of current protection systems. “Drive-by exploits use the web to download malware binaries. Finally, Nazca does not perform any analysis of the content of web downloads, except for extracting their MIME type. That is, we do not apply any signatures to the network payload, do not look at features of the downloaded programs, and do not consider the reputation of the programs’ sources,” the paper states.

Instead, their system, dubbed Nazca, watches Web traffic between hosts on one side of the network, and the Internet, looking for connections associated with malware downloads.

When HTTP requests that Nazca is watching are downloading a possibly-suspicious EXE, the authors explain, they have learned to identify connection characteristics associated that are different from legitimate downloads. For example, malware authors' “evasive actions” such as “domain fluxing, malware repackaging, and the use of malware droppers for multi-step installations” make an attack easier to recognise for Nazca.

That information is aggregated to identify related, malicious activity – and thus to reduce the rate of false positives, they say.

In gathering traffic information, Nazca looks at IP and TCP packet headers, HTTP headers, and enough HTTP payload to get the MIME type information, which is hashed to make it easy to test program downloads for uniqueness. The system also gathers “a content hash of the uncompressed first k bytes at the beginning of the file” – with k=1000 for their test.

The analysis, the paper states, then focuses on identifying known malware distribution techniques. For example, server-side polymorphism is identifiable since the malware host is sending large numbers of EXEs whose hashes won't match. Other characteristics that Nazca looks at is the number of domains or IP addresses associated with a malware campaign, such as:

  • Distribution from a single IP operating many colocated domains;
  • Use of a large number of TLDs;
  • Many different paths and file names served by the distributor (as evidence of polymorphism); and
  • Suspiciously few URIs per domain (because legitimate CDNs typically have very large directory structures; and
  • Served file types (because CDNs serve many file types, while malware servers focus on EXEs.

While no single characteristic demonstrates malice, taken together on a large enough traffic sample – a very large enterprise network, or an ISP network – the authors claim their approach can identify zero-day malware campaigns with a low rate of false positives.

The paper, turned up by CRN Australia, can be downloaded here as a PDF. ®

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.