Malicious attackers can't just hack into your network any time they want and touch any device they want. Firewalls and other security measures prevent the bulk of those attacks, but advanced malware occasionally slips through, opening the door for direct communication between hackers and your network.
When that advanced malware gets inside your network and initiates communication out to the attacker, that's when the real trouble begins, according to Stephen Newman, vice president of products at Damballa.
While traditional network security often blocks communications from untrusted external sources, internal hosts that are infected with advanced malware are trusted.
"What happens on an infected device is that the malware initiates communication out to the attacker -- much like call-blocking doesn't prevent you from making calls out, if a trusted device within your network wants to call anywhere in the world the network lets it," explained Newman. "By picking up the phone, which is essentially what the malware is doing inside your network, a two-way line of communication is opened up with the attacker, who can then tell the device to do things like steal certain data or be quiet for 10 days, but to check back in again in 10 days."
Advanced malware communication and evasion techniques
Think of advanced malware as a disposable tool that has a component in it that initiates communications. This malware uses a domain generation algorithm (DGA) so that an infected device can reach the attacker.
"One tactic we're seeing now is attackers using a DGA module inside their malware," said Newman. "On any given day, the DGA component will go out and make a request on a completely legitimate website, collect a date stamp and bring it back to the malware and use it as what we call a 'seed.' So the date is entered into the DGA black box, and that black box turns around and generates 100 randomly created domain names that have never been seen before."
The attacker conveniently has the same DGA, so they go get the same seed and plug in the same algorithm to generate the same 100 domain names. The key difference is that the attacker only assigns an IP address to one of those 100 domain names for the day.
The advanced malware on the infected device looks up all 100 domain names with DNS queries. Only one comes back with an IP address that the malware can communicate with. On the second day, the process repeats and a brand new domain is used for communicating.
"Attackers can change the domain every day, and that's how malware works, and they're able to hide their communication and evade detection by an intrusion prevention system (IPS) or security gateway," Newman said.
But by closely watching the communications of every device within a network, Damballa, FireEye, RSA and other vendors profile this type of behavior, an approach often referred to as advanced threat protection.
"A device with 99 failed DNS queries in a short period of time is abnormal behavior. There's no legitimate reason for any human to type in 99 nonsensical domain names and have them all fail to resolve to an IP address," said Newman. "We can identify and flag that behavior. On top of that, we layer in our knowledge and intelligence of how the attackers are working. So we corroborate a behavioral element with the intelligence that says we looked at the structure of the domains that were generated by that algorithm and, statistically speaking, we've never seen those domains, but they match the algorithm being used by known criminal groups such as Bobax or TDL4."
It's possible to show that a particular device is infected -- even if the advanced malware is evading all traditional perimeter defense security mechanisms. "By layering different techniques of behavioral and cyber threat intelligence on top of each other, we can identify infected devices," said Newman.
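As an added illustration of the detection Newman describes above (this is example code written for this article, not Damballa's or any vendor's logic): a sliding-window count of failed DNS lookups per host, corroborated by a simple label-entropy score that stands in for the "structure of the domains" check. The log line format, the thresholds, the IP addresses and the pseudo-random sample names are all constructed for the example.

```python
import math, random, string
from collections import defaultdict
from datetime import datetime, timedelta

NXDOMAIN_THRESHOLD = 50          # failed lookups from one host ...  (assumed tuning)
WINDOW = timedelta(minutes=5)    # ... inside this sliding window    (assumed tuning)

def label_entropy(label):
    """Shannon entropy (bits per char) of a DNS label; pseudo-random DGA
    labels score far higher than dictionary words such as 'mail'."""
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def find_suspect_hosts(lines, threshold=NXDOMAIN_THRESHOLD, window=WINDOW):
    """Map client -> (peak NXDOMAIN count inside one window, mean entropy of
    the leftmost labels of those names) for clients reaching the threshold.
    Log line format is constructed: '<ISO timestamp> <client> <qname> <rcode>'."""
    failed = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            failed[client].append((datetime.fromisoformat(ts), qname))
    suspects = {}
    for client, events in failed.items():
        events.sort()
        best, start = (0, 0, 0), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                        # slide the window forward
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count >= threshold:
            ents = [label_entropy(q.split(".")[0]) for _, q in events[s:e + 1]]
            suspects[client] = (count, round(sum(ents) / len(ents), 2))
    return suspects

def constructed_log(n_failed=99):
    """Sample resolver log: 10.0.0.5 looks up 100 pseudo-random names in under
    two minutes and only the last resolves; 10.0.0.7 shows ordinary traffic."""
    rng, t0 = random.Random(2013), datetime(2013, 4, 1, 9, 0, 0)
    at = lambda sec: (t0 + timedelta(seconds=sec)).isoformat()
    name = lambda: "".join(rng.choices(string.ascii_lowercase, k=14)) + ".com"
    lines = [f"{at(i)} 10.0.0.5 {name()} NXDOMAIN" for i in range(n_failed)]
    lines.append(f"{at(n_failed)} 10.0.0.5 {name()} NOERROR")
    lines += [f"{at(0)} 10.0.0.7 www.example.com NOERROR",
              f"{at(45)} 10.0.0.7 exmaple.com NXDOMAIN"]   # a typo, not a DGA
    return lines
```

Running `find_suspect_hosts(constructed_log())` flags only 10.0.0.5, with 99 failures in the window and a high mean label entropy, while the single typo from 10.0.0.7 stays below the threshold.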
This was first published in April 2013