Finding the malware snarls in traffic

Friday, 09 June 2017

News article written by Corbett Communications. The statements made or opinions expressed do not necessarily reflect the views of Engineers Australia.

Results of a university study just released say network traffic can provide early indication of malware attacks, a timely warning in the wake of the recent worldwide WannaCry ransomware infection.

By analysing network traffic going to suspicious domains, engineers can detect malware infections weeks or even months before they are able to capture a sample of the invading malware, according to the Georgia Institute of Technology in the US.

“These findings show that we need to fundamentally change the way we think about network defence,” A/Prof Manos Antonakakis from the School of Electrical and Computer Engineering at Georgia Tech said. “The choke point is the network traffic, and that’s where this battle should be fought.”

Nutting out the network

The study’s researchers analysed more than five billion network events from almost five years of network traffic carried by a major internet service provider (ISP) in the US. They also studied Domain Name System (DNS) requests made by nearly 27 million malware samples, and examined the timing of the re-registration of expired domains, because these often provide the launch sites for malware attacks.

For the study, a filtering system had to be developed to separate benign network traffic from that which was malicious in the ISP data. The researchers also conducted what they believed was the largest malware classification effort to date to differentiate the malicious software from potentially unwanted programs (PUPs).

To study similarities, they assigned the malware to specific ‘families’. By studying malware-related network traffic seen by the ISPs prior to detection of the malware, the researchers were able to determine that malware signals were present weeks and months before new malicious software was found.

The study found more than 300,000 malware domains that were active for at least two weeks before the corresponding malware samples were identified and analysed. The researchers also noted that there was often a lag of months between when expired domains were re-registered and when attacks from them began.

Hot spot indication

“There were certain networks that were more prone to abuse, so looking for traffic into those hot spot networks was potentially a good indicator of abuse underway,” co-author of the study, Chaz Lever said. “If you see a lot of DNS requests pointing to hot spots of abuse, that should raise concerns about potential infections.”

Requests to dynamic DNS services were also associated with bad activity, according to the researchers, because these services are often used by hackers: they provide free domain registration and the ability to add domains quickly.
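As an added illustration (not code from the study or this article) of how the three indicators described above could be checked against DNS logs: each query is flagged if its answer falls inside an abuse hot-spot network, if the name belongs to a dynamic DNS provider, or if the domain was (re-)registered only recently. The networks, domain suffixes, registration dates and log lines are all constructed placeholders.

```python
import ipaddress
from datetime import datetime, timedelta

# All networks, domains and dates below are constructed placeholders for illustration.
HOTSPOT_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
DYNDNS_SUFFIXES = (".dyn.example", ".ddns.example")
# Domain -> date of its most recent (re-)registration, as a registrar feed would supply it.
REGISTRATIONS = {
    "cdn.example": datetime(2012, 3, 1),
    "update-host.example": datetime(2017, 5, 20),   # expired domain re-registered recently
}
# Constructed passive-DNS style records: timestamp, client, queried name, answer.
SAMPLE_LOG = """\
2017-06-01T08:00:00 10.0.0.5 cdn.example 192.0.2.10
2017-06-01T08:00:03 10.0.0.5 update-host.example 203.0.113.77
2017-06-01T08:00:09 10.0.0.9 beacon.dyn.example 192.0.2.44
2017-06-01T08:00:12 10.0.0.5 mail.example 192.0.2.25
"""

def parse_line(line):
    """Split one 'timestamp client qname answer' record into a dict."""
    ts, client, qname, answer = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "qname": qname.rstrip(".").lower(), "answer": ipaddress.ip_address(answer)}

def indicators(rec, reg_window=timedelta(days=90)):
    """Return the indicators from the study that apply to a single DNS record."""
    reasons = []
    if any(rec["answer"] in net for net in HOTSPOT_NETWORKS):
        reasons.append("resolves into abuse hot-spot network")
    if rec["qname"].endswith(DYNDNS_SUFFIXES):
        reasons.append("dynamic DNS provider")
    registered = REGISTRATIONS.get(rec["qname"])
    if registered is not None and rec["ts"] - registered < reg_window:
        reasons.append("domain (re-)registered within %d days" % reg_window.days)
    return reasons

def scan(log_text):
    """Map each client to the (qname, reasons) pairs that triggered an indicator."""
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = indicators(rec)
        if reasons:
            flagged.setdefault(rec["client"], []).append((rec["qname"], reasons))
    return flagged

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        for qname, reasons in hits:
            print(client, qname, "; ".join(reasons))
```

In practice the hot-spot prefixes, dynamic DNS list and registration dates would come from the baseline and reputation data the researchers describe, and a flagged query is a prompt for investigation rather than proof of infection.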

Traditional defences depend on the detection of malware in a network, but relying on samples gives malicious hackers a critical time advantage to gather information and cause damage. What is required is minimising the amount of time between the compromise and detection, Antonakakis warned.

Detecting a change indicating infection requires knowledge of the baseline activity, he said. Engineers must have information about normal network traffic so they can detect the abnormalities that may signal a developing attack. While many aspects of an attack can be hidden, Antonakakis explained, malware must always communicate back to those who sent it and its communication will be observable.

Antonakakis advised that engineers should minimise the unknowns in their networks and classify their appropriate communications as much as possible so they can see the bad activity when it happens.

Author: Desi Corbett

Image: Identifying threats in network traffic early can ward off malware attacks according to Georgia Tech. Source: Georgia Tech.