Monday, February 12, 2007
I've just read a very interesting analysis of a new piece of malware on SANS ISC. They found a malware sample that downloads a password-protected zip file from an HTTP location; the contents of this package are encrypted. The malware also uses a certificate to establish SSL connections to the IRC control servers, avoiding detection by network IDSes. Very interesting.

However, this one still doesn't solve the major obstacles to malware spreading. It tries to use a simple outbound TCP connection to talk to the servers, which is usually blocked by well-configured firewalls. It would be far more difficult to block if it used HTTP-over-SSL connections through a common proxy setup. The malware could search Google for a specific string (or a dynamic string generated by some sort of pseudo-random number generator), dynamically finding the URLs from which it could download its commands.

Another interesting thing in that analysis is the note from the ISC handler saying that most antivirus products are still not able to detect this malware. He mentions a defense-in-depth strategy, which is absolutely right. The use of anomaly detection is also an important feature in fighting these new malware threats. I'd like to see how the SONAR technology from Symantec would react to this particular case.
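The point about well-configured firewalls is that the perimeter only lets workstations reach the internet through the proxy, so a direct outbound TCP attempt from an internal host is itself the anomaly worth alerting on. The following is an added example written for this post, not code from SANS ISC or from the analysed sample: it runs an egress-policy check over constructed firewall log lines and reports the hosts that keep trying to bypass the proxy. The log format, the internal address range and the proxy address are assumptions chosen for the illustration.

```python
"""Egress-policy check over firewall connection logs (added example).

Assumed environment: internal hosts live in 10.0.0.0/8 and may only reach the
internet through the proxy at 10.0.0.5:3128. Any other TCP connection from an
internal host to an external address is a direct-egress attempt, whether or
not the firewall itself allowed it.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# Assumptions for the example environment (not taken from the ISC analysis).
INTERNAL_NET = ip_network("10.0.0.0/8")
PROXY_IP = "10.0.0.5"            # the only host sanctioned to talk to the internet

# Constructed sample log, key=value style; dates are arbitrary, addresses are
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2007-02-12 10:00:01 action=deny proto=tcp src=10.0.3.17 dst=203.0.113.9 dport=6667
2007-02-12 10:00:02 action=allow proto=tcp src=10.0.3.17 dst=10.0.0.5 dport=3128
2007-02-12 10:00:05 action=allow proto=tcp src=10.0.0.5 dst=198.51.100.20 dport=443
2007-02-12 10:00:09 action=deny proto=tcp src=10.0.3.17 dst=203.0.113.9 dport=6667
2007-02-12 10:00:12 action=allow proto=udp src=10.0.3.22 dst=10.0.0.53 dport=53
2007-02-12 10:00:15 action=deny proto=tcp src=10.0.3.22 dst=192.0.2.44 dport=443
garbage line that should be ignored
"""


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse one key=value log line; return None for lines missing the fields."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return Conn(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"].lower())
    except (KeyError, ValueError):
        return None


def is_direct_egress(conn: Conn) -> bool:
    """True when an internal host other than the proxy talks TCP to an external address."""
    src, dst = ip_address(conn.src), ip_address(conn.dst)
    if src not in INTERNAL_NET or dst in INTERNAL_NET:
        return False                      # external source, or purely internal traffic
    if conn.src == PROXY_IP:
        return False                      # the proxy is allowed to reach the internet
    return conn.proto == "tcp"            # the policy check ignores the firewall's verdict


def flag_direct_egress(lines: Iterable[str]) -> List[Conn]:
    """Return every parsed connection that violates the proxy-only egress policy."""
    flagged = []
    for line in lines:
        conn = parse_line(line)
        if conn is not None and is_direct_egress(conn):
            flagged.append(conn)
    return flagged


def repeat_offenders(flagged: Iterable[Conn], min_hits: int = 2) -> Dict[str, int]:
    """Hosts with at least min_hits bypass attempts; repeated tries suggest a beaconing process."""
    counts = Counter(conn.src for conn in flagged)
    return {src: n for src, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = flag_direct_egress(SAMPLE_LOG.splitlines())
    for conn in hits:
        print(f"direct egress: {conn.src} -> {conn.dst}:{conn.dport}")
    print("repeat offenders:", repeat_offenders(hits))
```

Run against a real firewall export, the check is independent of the firewall's own allow/deny decision: a host that is repeatedly denied on the same external port is exactly the signal the post's "well-configured firewall" turns into, and feeding that count into host-based follow-up is the defense-in-depth step the ISC handler recommends.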