Studying network traffic helps track malware

The study comes from Georgia Institute of Technology and the findings are aimed foremost at network administrators. In a nutshell, the research shows that if network traffic going to suspicious domains is tracked, security administrators should be able to detect malware infections weeks before they are able to capture a sample of the invading malware. This points to the use of new and revised malware-independent detection strategies, with the aim of tracking and responding to network security breaches far more quickly.

Such studies are important, given the growing malware threat. For instance, one tranche of research indicates that malware can turn computers into perpetual eavesdropping devices, even without a microphone. With this, malware has been shown to be capable of re-configuring the headphone jack from a line-out jack to a microphone jack. The result is that the connected headphones function as a pair of recording microphones, transforming the computer into an eavesdropping device.

Key to the strategy is using the way malware providers work against them. Most malware invaders are required to communicate with their command and control computers. This means that network traffic is generated, and this traffic can be detected and analyzed with the appropriate software.

As lead researcher Dr. Manos Antonakakis explains: “Our study shows that by the time you find the malware, it’s already too late because the network communications and domain names used by the malware were active weeks or even months before the actual malware was discovered.” To take advantage of this, however, requires a change to the way malware detection is currently configured.

The task can be streamlined since certain networks were found to be more prone to attack. The result is that looking for traffic into such ‘hot spot networks’ acts as a good indicator of abuse underway. This was shown using software capable of filtering benign network traffic from malicious traffic.
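As an added illustration (not the researchers' software), the sketch below searches resolver logs for hosts whose lookups resolved into a 'hot spot' network and reports how many days that traffic preceded the capture of a malware sample. The log format, host names, network prefix and dates are all constructed for the example.

```python
import ipaddress
from datetime import date

# Constructed assumptions: a documentation-range prefix standing in for a
# "hot spot" network, and the day a malware sample was finally captured.
HOT_SPOT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
SAMPLE_CAPTURED = date(2017, 5, 20)

# Constructed resolver log lines: date, client host, queried name, resolved IP.
DNS_LOG = """\
2017-04-02 ws-14 updates.example.net 198.51.100.7
2017-04-03 ws-14 cdn-sync.example.org 203.0.113.45
2017-04-19 ws-22 cdn-sync.example.org 203.0.113.45
2017-05-01 ws-14 cdn-sync.example.org 203.0.113.45
2017-05-02 ws-31 mail.example.com 192.0.2.10
malformed line
"""

def parse(line):
    """Return (day, host, domain, ip), or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (date.fromisoformat(parts[0]), parts[1], parts[2],
                ipaddress.ip_address(parts[3]))
    except ValueError:
        return None

def first_contacts(log_text, networks):
    """Earliest day each host resolved a name into a hot-spot network."""
    first = {}
    for rec in filter(None, map(parse, log_text.splitlines())):
        day, host, domain, ip = rec
        if any(ip in net for net in networks):
            if host not in first or day < first[host][0]:
                first[host] = (day, domain)
    return first

def lead_times(log_text, networks, captured):
    """Days of warning per host: sample capture date minus first contact."""
    return {host: (captured - day).days
            for host, (day, _) in first_contacts(log_text, networks).items()}

if __name__ == "__main__":
    report = lead_times(DNS_LOG, HOT_SPOT_NETWORKS, SAMPLE_CAPTURED)
    for host, days in sorted(report.items()):
        print(f"{host}: hot-spot traffic seen {days} days before the sample")
```

Hosts that never resolved into the flagged prefix are absent from the result, and unparseable log lines are skipped rather than aborting the search.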

The new approach was recently presented at the 38th IEEE Security and Privacy Symposium, 2017. The findings were put into a white paper titled “A Lustrum of Malware Network Communication: Evolution and Insights.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
