“While next-gen malware is starting to leverage non-HTTP channels, such as peer-to-peer, HTTP continues to be the predominant channel used by 80% of all malware we see,” said Terry Nelms, researcher at Damballa. “Malware today is using HTTP to ‘blend in’ and evade detection by sending small traces of information over the core ports and protocols that enterprises allow in and out of their network. Our research indicates that firewalls and IPS are highly ineffective at detecting next-gen malware infected devices.”
Nelms presented this research (code name: ExecScent) in a USENIX paper titled, “ExecScent: Mining for New C&C Domains in Live Networks with Adaptive Control Protocol Templates.” The tool identified hundreds of infected hosts on networks that had traditional security products deployed.
The company today announced new capabilities to detect emerging and never-before-seen malware by utilizing ExecScent as the basis for a new HTTP Request Profiler. In recent customer trials, the new HTTP Request Profiler within the Damballa Failsafe platform detected five times the number of active infections that traditional technologies found. Leveraging Damballa’s Big Data harvesting and machine learning systems, trained on millions of malware samples a week from malware repositories and consumer and enterprise records, the new HTTP Request Profiler can statistically identify similar structures within HTTP requests to discover hidden infected devices.
Detecting today’s advanced threats requires great efficiency and solutions that go beyond a single approach to recognizing malware. The new HTTP Request Profiler joins seven other Profilers in the Damballa Failsafe platform to deliver the most accurate determination that a device has actually been compromised.
Threat actors constantly change their control server destinations and modify their malware with new serial variants and single-use malware server sites to evade detection by traditional signature-based and sandboxing-based systems. Because of this, it is valuable to combine behavioral and content-based approaches to active threat discovery and to analyze the syntax or structure of the communications, which changes far less frequently than the destination.
Damballa can now leverage this statistically similar structure to determine that a device is infected with a new variant of a known malware family. The new HTTP Request Profiler can identify malicious activity by analyzing the content of an HTTP request, regardless of the malware variant or destination involved.
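The following is an added illustration of the structure-based idea described above, not Damballa's or ExecScent's code. It generalizes HTTP requests into destination-agnostic templates (method, generalized path, query parameter names with value types, User-Agent), scores live proxy log entries against templates learned from labelled samples, and flags hosts whose request structure matches even though the domain has never been seen. The log format, the known-family sample, the weights, and the 0.8 threshold are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl

# Constructed sandbox observation of a known family's beacon (labelled sample).
KNOWN_C2_REQUESTS = [
    ("POST", "http://c2-sample.example/gate.php?id=1234567&hwid=ab12cd34ef56&v=2",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
]

# Constructed proxy log (tab-separated: method, URL, User-Agent). The hosts
# differ from the sample; only the request structure is shared.
PROXY_LOG = (
    "POST\thttp://fresh-domain.example/gate.php?id=9988776&hwid=77ee88ff99aa&v=2"
    "\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n"
    "GET\thttp://www.example.com/images/logo.png"
    "\tMozilla/5.0 (Windows NT 10.0) Chrome/120.0\n"
    "POST\thttp://other.example/gate.php?id=5&hwid=0011aabbccdd&v=3&r=abc"
    "\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n"
)


@dataclass(frozen=True)
class Template:
    method: str
    path: str                      # path with variable segments generalized
    params: tuple                  # sorted (name, value_type) pairs
    user_agent: str


def generalize_value(v: str) -> str:
    """Replace a concrete value with a type token so IDs/nonces collapse."""
    if re.fullmatch(r"\d+", v):
        return "<int>"
    if re.fullmatch(r"[0-9a-fA-F]{8,}", v) and re.search(r"\d", v):
        return "<hex>"
    if re.fullmatch(r"[A-Za-z]+", v):
        return "<alpha>"
    if re.fullmatch(r"[A-Za-z0-9]+", v):
        return "<alnum>"
    return "<other>"


def generalize_segment(seg: str) -> str:
    """Keep word-like path segments and file extensions literal, generalize the rest."""
    stem, dot, ext = seg.rpartition(".")
    if dot and re.fullmatch(r"[A-Za-z]{1,5}", ext):
        return f"{_path_token(stem)}.{ext}"
    return _path_token(seg)


def _path_token(tok: str) -> str:
    return tok.lower() if re.fullmatch(r"[A-Za-z_-]+", tok) else generalize_value(tok)


def build_template(method: str, url: str, user_agent: str) -> Template:
    """Build a destination-agnostic template: the host is deliberately dropped."""
    parts = urlsplit(url)
    segments = [generalize_segment(s) for s in parts.path.split("/") if s]
    path = "/" + "/".join(segments)
    params = tuple(sorted((name, generalize_value(value))
                          for name, value in parse_qsl(parts.query, keep_blank_values=True)))
    return Template(method.upper(), path, params, user_agent)


def _jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(a: Template, b: Template) -> float:
    """Weighted structural similarity in [0, 1]; weights are an assumption."""
    score = 0.0
    score += 0.1 if a.method == b.method else 0.0
    score += 0.4 if a.path == b.path else 0.0
    score += 0.3 * _jaccard(set(a.params), set(b.params))
    score += 0.2 if a.user_agent == b.user_agent else 0.0
    return score


def scan_log(log_text: str, templates: list, threshold: float = 0.8) -> list:
    """Return (host, best_score) for log entries whose structure matches a template."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, url, ua = line.split("\t")
        live = build_template(method, url, ua)
        best = max(similarity(live, t) for t in templates)
        if best >= threshold:
            hits.append((urlsplit(url).hostname, best))
    return hits


KNOWN_TEMPLATES = [build_template(*r) for r in KNOWN_C2_REQUESTS]

if __name__ == "__main__":
    for host, score in scan_log(PROXY_LOG, KNOWN_TEMPLATES):
        print(f"structural match on never-seen host {host}: score={score:.3f}")
```

The benign image fetch scores 0 because method, path, parameters and User-Agent all differ, while both beacon-shaped requests are flagged despite new hosts; the third entry scores slightly below 1.0 because it carries one extra query parameter, which is the kind of small variant drift this approach tolerates.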