CISSP CPE6: Threat Review: Deconstructing Modern Trojans
Webinar by Palo Alto Networks. Length: 01:00:00
Analyzing samples collected by WildFire: the prevalence of port/protocol
evasion in malware traffic compared with non-malicious traffic.
Common tricks of evasive traffic:
1. Use an existing protocol in an unexpected way (for example, IRC
on port 80).
2. Use a standard protocol over a non-standard port to avoid
port-based signatures.
Example: DNS tunneling tools:
tcp-over-dns
dns2tcp
iodine
Heyoka
OzymanDNS
NSTX
They take advantage of recursive queries: the encapsulated TCP data is
placed in queries for names under a domain the attacker controls, the
enterprise's recursive resolver forwards those queries to the attacker's
remote (authoritative) DNS server, and the responses carry data back.
The client never talks to the attacker's server directly, so destination
IP or port tells you nothing; the query names do.
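Because the resolver relays the queries, the place to look for a tunnel is the question section of the DNS messages themselves. The following is an added example (not code from the webinar or from Palo Alto Networks) that parses raw DNS query messages and scores each QNAME on traits that tools such as iodine or dns2tcp produce: long, high-entropy labels, many labels under one registered domain, and data-carrying record types. The sample queries are constructed, the thresholds are assumptions, and the "last two labels are the registered domain" rule is a simplification (a real deployment would use the public suffix list).

```python
"""Heuristic detector for DNS-tunneling style queries (added example)."""
import math
import struct
from collections import Counter

# Record types tunnels commonly use to carry data downstream.
DATA_QTYPES = {5: "CNAME", 10: "NULL", 16: "TXT"}
QTYPE_NAMES = {1: "A", 28: "AAAA", **DATA_QTYPES}


def encode_query(qname, qtype, txid=0x1234):
    """Build a minimal DNS query message (header + one question) as test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (qname, qtype) from the first question of a raw DNS message."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers are not valid in a query QNAME
            raise ValueError("compression pointer in query name")
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return ".".join(labels), qtype


def shannon_entropy(s):
    """Bits per character; random hex tops out near 4, base32/64 higher."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_query(qname, qtype):
    """Return (score, reasons). Higher score means more tunnel-like (assumed thresholds)."""
    labels = qname.split(".")
    # Assumption: last two labels are the registered domain; the rest is attacker-supplied data.
    sub = "".join(labels[:-2])
    score, reasons = 0, []
    if len(qname) > 100:
        score += 2; reasons.append("qname longer than 100 chars")
    if len(labels) > 5:
        score += 1; reasons.append("more than 5 labels")
    if max(len(l) for l in labels) > 40:
        score += 2; reasons.append("label longer than 40 chars")
    if len(sub) >= 16 and shannon_entropy(sub) > 3.8:
        score += 2; reasons.append("high-entropy subdomain data")
    if qtype in DATA_QTYPES:
        score += 1; reasons.append(f"data-carrying qtype {DATA_QTYPES[qtype]}")
    return score, reasons


def classify_messages(msgs, threshold=4):
    """Classify raw DNS queries; returns a list of (qname, qtype_name, score, verdict)."""
    out = []
    for m in msgs:
        qname, qtype = parse_question(m)
        score, _ = score_query(qname, qtype)
        verdict = "suspect-tunnel" if score >= threshold else "benign"
        out.append((qname, QTYPE_NAMES.get(qtype, str(qtype)), score, verdict))
    return out


# Constructed sample queries (not captured traffic). The third mimics a
# tunnel client pushing hex-encoded data in its labels and asking for TXT.
SAMPLE_QUERIES = [
    encode_query("www.example.com", 1),
    encode_query("mail.corp.example.com", 28),
    encode_query("0a1f3c9e7b2d4f6a8c0e1b3d5f7a9c2e4b6d8f0a1c3e5b7d9f."
                 "2c4e6a8b0d1f3a5c7e9b2d4f6a8c0e1b3d5f7a9c.t.example.com", 16),
]

if __name__ == "__main__":
    for row in classify_messages(SAMPLE_QUERIES):
        print(row)
```

Running it on real resolver logs means feeding the raw query bytes (or reconstructing them from the logged QNAME/QTYPE) into classify_messages; single queries from legitimate CDNs can score one or two points, so the verdict is more reliable when aggregated per registered domain over time.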
App-ID addresses the evasion problem: the application is identified from
the traffic itself, not from the port it uses.
WildFire analysis center: sandbox-based analysis of submitted samples
- detects new and unknown malware samples
- uses App-ID to analyze the traffic the malware generates
- focuses on evasive traffic behaviour and on unusual traffic that
App-ID could not identify
16,497 newly discovered malware samples in April 2012:
66% were undetected by traditional AV vendors
80% generated traffic to the Internet
59% (7,918 samples) generated evasive traffic
Common evasive behaviours:
Sort HTTP headers
Unknown traffic
Dynamic DNS and fast-flux domains
Fake HTTP
Non-standard HTTP
IRC on the regular port
IRC on a non-standard port
(surprisingly little use of IRC; it is becoming obsolete for malware)
Unknown traffic occurs at a significantly higher rate in malware traffic
than in legitimate network traffic:
11% of malware sessions presented as unknown
0.6% of legitimate traffic presented as unknown
An enterprise can progressively reduce its amount of unknown traffic by
writing custom App-IDs for its in-house and uncommon applications, so that
whatever remains unknown is small enough to investigate.
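The two evasion tricks listed at the top and the behaviours just above (IRC on port 80, a standard protocol on a non-standard port, fake HTTP, unknown traffic) all come down to one question: what protocol is the payload actually speaking, and does that agree with the port? The following is an added example, not the webinar's or Palo Alto Networks' App-ID code, that answers it from the first bytes of a client-to-server TCP stream. The signatures, the port table and the sample flows are assumptions constructed for the example; a real classifier has far more signatures and follows the stream beyond the first segment.

```python
"""Port-independent protocol identification over TCP payloads (added example)."""
import re
from collections import Counter

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT", b"PATCH")
# A well-formed request line: method, target, version, CRLF.
HTTP_REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n")
IRC_COMMANDS = (b"NICK ", b"USER ", b"PASS ", b"JOIN ", b"PRIVMSG ")

# What a port-based classifier would assume (assumed, deliberately small table).
EXPECTED_BY_PORT = {80: "http", 8080: "http", 443: "tls", 6667: "irc"}


def identify_protocol(payload):
    """Label the protocol from payload bytes alone, ignoring the port."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload.startswith(HTTP_METHODS):
        # Starts like HTTP but the request line is malformed: a "fake HTTP" client.
        return "fake-http"
    if payload.startswith(IRC_COMMANDS):
        return "irc"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    return "unknown"


def classify_flow(dst_port, payload):
    """Return (protocol, finding) for one client->server flow."""
    proto = identify_protocol(payload)
    expected = EXPECTED_BY_PORT.get(dst_port)
    if proto == "unknown":
        return proto, "unknown traffic"
    if proto == "fake-http":
        return proto, "fake HTTP"
    if expected is None:
        return proto, f"{proto} on non-standard port {dst_port}"
    if proto != expected:
        return proto, f"{proto} on port {dst_port} (expected {expected})"
    return proto, "ok"


def summarize(flows):
    """Count findings over (dst_port, payload) pairs; returns (Counter, unknown ratio)."""
    counts = Counter(classify_flow(port, data)[1] for port, data in flows)
    unknown_ratio = counts["unknown traffic"] / len(flows) if flows else 0.0
    return counts, unknown_ratio


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),      # ok
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),                   # TLS ClientHello, ok
    (80, b"NICK bot4472\r\nUSER bot 0 * :bot\r\nJOIN #c2\r\n"),              # IRC on port 80
    (6667, b"NICK bot4473\r\nUSER bot 0 * :bot\r\n"),                        # IRC on its usual port
    (8443, b"GET /beacon HTTP/1.0\r\n\r\n"),                                  # HTTP on a non-standard port
    (80, b"POST /upload\r\nx-id: 7\r\n\r\n"),                                 # method but no version: fake HTTP
    (4444, b"\x00\x17\x8a\x02\xffZ\x9c\x01\x00\x00\x00\x00\xde\xad"),         # custom binary protocol: unknown
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, classify_flow(port, data))
    print(summarize(SAMPLE_FLOWS))
```

The unknown ratio returned by summarize is the same measure the webinar quotes (11% of malware sessions versus 0.6% of legitimate traffic); every entry you add to identify_protocol for an in-house application plays the role of a custom App-ID and moves those flows out of "unknown".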
I raised questions:
You mentioned that 66% of malware traffic is not detected by major AV
software; how did you test it? Did you involve AV companies in the test?
There is a common mistake in AV testing: simply using the AV CLI
functionality (such as via VirusTotal), whereas AV has multiple layers of
protection that cannot be accessed via the CLI and so might not detect
through that route.