Q

Conducting APT detection when Elirks, other backdoors hide traffic

Is it possible to detect APT attacks when malicious traffic is hidden? Expert Nick Lewis details how the Elirks backdoor connection hides APT traffic.

In the recent SecureWorks APT report, it found that Elirks backdoor connections were involved in many advanced

persistent threat (APT) attacks because they look like legitimate traffic. Is there any way to detect and/or thwart APT attacks that hide via Elirks or similar services?

Ask the expert

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

To avoid detection, many attackers attempt to disguise attacks amidst legitimate traffic because analyzing all traffic for APT detection requires more effort than analyzing just the known bad traffic. With the prevalence of encrypted traffic, identifying a backdoor connection as being either part of an attack or a legitimate remote access connection can be very difficult. If the system in question doesn't normally make certain kinds of connections or only makes Windows file sharing connections to approved enterprise file servers and connects outbound to websites, white listing known legitimate traffic and investigating any other traffic might be an easy option. Companies can also use blacklists or reputation services to block known malicious network connections.

According to the Dell SecureWorks APT report, the Elirks backdoor uses the microblogging service Plurk for part of the command-and-control functionality of the botnet, but traffic from Plurk could also emanate from the likes of Flicker, Google Images, YouTube and so on. All of these legitimate websites could be used to create a command-and-control infrastructure, even if it is just to serve as a backup if the peer-to-peer bot loses contact with other peers. Dell SecureWorks sells an appliance that can detect Elirks botnet traffic and other vendors, including FireEye, Damballa and Arbor Networks, offer appliances that can detect or block botnets.

This was first published in December 2012

Dig deeper on Monitoring Network Traffic and Network Forensics

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close