Active malware infections frequently use HTTP requests to bypass and evade most traditional security approaches. To combat this problem, Damballa is adding HTTP request profiling capabilities to its advanced threat protection
While next-generation malware is shifting to non-HTTP channels -- such as peer-to-peer -- HTTP continues to be the channel used by 80% of all malware, according to Terry Nelms, a researcher for Atlanta-based Damballa.
"Malware today is using HTTP to 'blend in' and evade detection by sending small traces of information over the core ports and protocols that enterprises allow in and out of their network," Nelms explained. "Our research indicates that firewalls and IPSes [intrusion prevention systems] are highly ineffective at detecting next-generation-malware-infected devices."
So Nelms and researchers from the University of Georgia, Georgia Institute of Technology and New York University Abu Dhabi teamed up to work on a solution.
The result was a research project, code named ExecScent, which Nelms presented in an USENIX Security Symposium paper. The researchers designed a system to mine new, previously unknown command-and-control domain names from live enterprise network traffic. It turns out the new system is able to identify hundreds of infected hosts on networks that went undetected by traditional security approaches.
Based on ExecScent, Damballa is adding an HTTP request profiling tool to its Failsafe platform. The profiling tool is designed to detect emerging and never-before-seen malware. In customer trials, it detected five times the number of active infections caught by traditional technologies.
One key reason the new profiling tool outperforms traditional technologies is because it leverages Damballa's big data-harvesting and machine-learning systems. The tool is trained on millions of malware samples each week that come from malware repositories and consumer and enterprise records. The HTTP request profiler can be used to statistically identify similar structures within HTTP requests to uncover hidden infected devices.
Cybercriminals are constantly changing their control server destinations and modifying their malware with new serial variants and one-time-use server malware sites to evade detection by traditional signature- and sandboxing-based systems. When this occurs, performing behavioral and content-based approaches can be valuable for active threat discovery to analyze the syntax or structure of the communications, which don't change as frequently.
Damballa is leveraging this statistically similar structure to determine whether a device is infected with a new variant of a known malware family. The new profiler can identify malicious activity by analyzing the content of a HTTP request, regardless of the malware variant or destination involved, according to Nelms.