Sandboxing Fail: 75% of Malware Can Still Sneak Past IPS

New research shows that 80% of current malware continues to leverage HTTP as the primary access point to corporate networks

Worryingly, more than 75% of active HTTP malware, despite being technically "old school," easily evades traditional intrusion prevention systems.

Terry Nelms, the researcher at Damballa who authored a report with the findings, said that they point to a need for fresh approaches, since sandboxing and signature strategies are simply not able to keep up with constantly morphing malware.

“Malware today is using HTTP to ‘blend in’ and evade detection, by sending small traces of information over the core ports and protocols that enterprises allow in and out of their network,” said Nelms in announcing the findings. “Our research indicates that traditional firewalls and IPS are highly ineffective at detecting next-gen malware communication with threat actors.”

To make detection harder still, attackers constantly rotate their control-server destinations and modify their malware, releasing new serial variants and using one-time malware sites that are abandoned before they can be blacklisted.

This is driving a need to combine behavioral and content-based approaches for active threat discovery, Nelms said. Malware may evolve faster than blacklists or file-blocking techniques can keep up, but the syntax and structure of the communications the malware uses tend to be far more static.

Most modern malware, especially botnets, consists of at least two fundamental components: a client agent, which runs on victim machines, and a control server application, which is administered by the malware owner. Because code reuse applies to both components, many different malware samples naturally share a common command-and-control (C&C) protocol, even when control server instances owned by different malware operators use different C&C domains and IPs.

“Code reuse is common practice in malware,” Nelms explained in the paper. “Often, new (polymorphic) malware releases are created by simply re-packaging previous samples, or by augmenting previous versions with a few new functionalities. Moreover, it is not uncommon for the source code of successful malware to be sold or leaked on underground forums, and to be reused by other malware operators.”

That means looking for those hallmarks inside the content of an HTTP request can help determine that a device is infected with a new variant of a known malware family. Damballa itself has commercialized the idea with its HTTP Request Tool, which it said can identify malicious activity by analyzing that content, regardless of the malware variant or destination involved.
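The following is an added example, not code from the article or from Damballa's tool, illustrating the content-based idea in the last few paragraphs: a request is matched on its structure (method, path shape, parameter names and value types, header order, User-Agent) while the destination host, which operators rotate, is deliberately ignored. The HTTP requests, the "family", the abstraction rules and the function names are all constructed for this example.

```python
"""Content-based matching of HTTP C&C requests on their structure rather than
their destination. Added example; the request samples are constructed, and the
abstraction rules and the 'signature' idea are this example's own assumptions,
not Damballa's tool."""
import re
from urllib.parse import parse_qsl, urlsplit


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, version, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def abstract(token):
    """Replace volatile values (IDs, versions, encoded blobs) with a type class so
    that two requests from the same family compare equal despite different values."""
    if re.fullmatch(r"\d+", token):
        return "<num>"
    if re.fullmatch(r"\d+(\.\d+)+", token):
        return "<ver>"
    if re.fullmatch(r"[0-9a-fA-F]{8,}", token):
        return "<hex>"
    if re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", token):
        return "<b64>"
    return token


def structure(req):
    """Return the request's shape: method, abstracted path, ordered parameter
    names with value classes, header order (Host excluded) and User-Agent."""
    url = urlsplit(req["target"])
    path_shape = "/".join(abstract(p) for p in url.path.strip("/").split("/"))
    params = tuple((k, abstract(v))
                   for k, v in parse_qsl(url.query, keep_blank_values=True))
    # Host is the part operators rotate most; it is deliberately left out.
    header_order = tuple(n for n, _ in req["headers"] if n != "host")
    user_agent = dict(req["headers"]).get("user-agent", "")
    return (req["method"], path_shape, params, header_order, user_agent)


# Constructed sample: a request from a known sample of a hypothetical family.
KNOWN_SAMPLE = (
    "GET /gate.php?id=1234567&v=20&os=6.1 HTTP/1.1\r\n"
    "Host: update-check.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
FAMILY_SIGNATURE = structure(parse_request(KNOWN_SAMPLE))


def is_family_member(raw):
    """True when a request has the same structure as the known sample."""
    return structure(parse_request(raw)) == FAMILY_SIGNATURE


# Constructed: a new variant talking to a fresh C&C IP with new values.
NEW_VARIANT = (
    "GET /gate.php?id=9988776&v=21&os=10.0 HTTP/1.1\r\n"
    "Host: 203.0.113.7\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
# Constructed: ordinary browser traffic.
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.org\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept: */*\r\n\r\n"
)
# Constructed: same host as the known sample but a different request shape,
# which a destination blacklist would flag and a structural match does not.
SAME_HOST_OTHER_SHAPE = (
    "GET /gate.php?id=1234567 HTTP/1.1\r\n"
    "Host: update-check.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept: */*\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in [("new variant", NEW_VARIANT), ("benign", BENIGN),
                       ("same host, other shape", SAME_HOST_OTHER_SHAPE)]:
        print(f"{label}: {'match' if is_family_member(raw) else 'no match'}")
```

The point of the example is the `structure()` function: the new variant matches even though its Host, bot ID and OS version all differ from the known sample, while a request to the very same domain with a different shape does not. A production detector would learn the signature from many samples and tolerate some drift (optional headers, reordered parameters), but the principle is the same: match what the malware author reused, not the infrastructure the operator can swap.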
