A team of researchers have developed a novel and effective approach to identify zero-day malware by its attempts to evade traditional security defences.
The work focuses on new areas not served by traditional anti-malware techniques to detect new malware and help prevent staff from infecting enterprise networks.
It differed from traditional defences because it targeted an overlooked component of common but effective drive-by-download attacks.
While most defences focused on the first step of the attack (identifying the malicious sites used to foist malware on victims) and the third (preventing the execution of the malware), the second step went unchecked.
In that second step, the shellcode run in the first step issues an HTTP request to fetch the malware that is then executed in the third.
The novel technique spun into the Nazca tool worked by detecting the tell-tale signs of malware distribution networks.
In this way, it differed from existing defences that used malware signatures or examined the functionality of malware to prevent or detect infections.
The team of eight researchers from the University of California, Italy's Polytechnic University of Turin, and Boeing's security firm Narus said the Nazca tool overcame shortfalls in traditional malware defences.
"From the network point of view, [step two] connections are hardly suspicious, and look essentially identical to legitimate requests performed by users who download benign programs," the researchers wrote in a paper to be presented at the upcoming Network and Distributed System Security Symposium.
"However, the situation changes significantly when 'zooming out' and leaving the myopic view of individual malware downloads.
"Instead, when considering many malware downloads together – performed by different hosts, but related to a single campaign – a malware distribution infrastructure becomes visible."
Because the platform was content agnostic, it avoided the coverage gaps present in blacklists and other reputation databases and avoided the perils of malware code obfuscation, the researchers wrote.
Nazca monitored traffic between machines on the corporate network and the internet to identify suspicious connections. In doing this it extracted and analysed metadata from the requests and identified attempts to download malware.
In identifying those attempts, it watched for seemingly benign downloads that nonetheless stood out because they employed evasion techniques to avoid traditional security defences, including domain fluxing, malware repackaging, and the use of malware droppers.
This meant the Nazca tool worked well with existing security defences, the researchers wrote, adding it was designed for larger networks such as those operated by internet service providers, large enterprises and universities.
Nazca then looked for malicious activity shared across the connections it had flagged as suspicious, which greatly reduced false positives.
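The aggregate view the article describes, as an added example that is not the researchers' Nazca code: constructed download metadata from many client machines is grouped by payload and by URL, and only patterns that span several distinct clients are flagged, so a single user's retries never form a "campaign". It flags two of the signs named above: domain fluxing (one payload served from many domains) and repackaging (one URL handing a different binary to almost every client).

```python
from collections import defaultdict

# Constructed sample metadata of executable downloads seen at the network
# edge: (client_ip, server_host, url_path, sha256_prefix_of_payload).
DOWNLOADS = [
    ("10.0.0.1", "cdn.example.org", "/setup.exe", "aaaa"),   # benign: one
    ("10.0.0.2", "cdn.example.org", "/setup.exe", "aaaa"),   # domain, one
    ("10.0.0.3", "cdn.example.org", "/setup.exe", "aaaa"),   # payload
    ("10.0.0.4", "x1.flux-a.test", "/u.exe", "beef"),        # same payload
    ("10.0.0.5", "x2.flux-b.test", "/u.exe", "beef"),        # from three
    ("10.0.0.6", "x3.flux-c.test", "/dl.php", "beef"),       # domains
    ("10.0.0.7", "pack.evil.test", "/get.exe", "c001"),      # one URL, a
    ("10.0.0.8", "pack.evil.test", "/get.exe", "c002"),      # fresh binary
    ("10.0.0.9", "pack.evil.test", "/get.exe", "c003"),      # per client
]

def find_suspicious(downloads, min_clients=3, min_domains=3, min_variants=3):
    """Aggregate downloads across clients and return candidate distribution
    infrastructure: {"flux": {payload: [domains]}, "repack": {url: [payloads]}}.
    A payload or URL is only considered once min_clients distinct machines
    have fetched it; thresholds are hypothetical tuning values."""
    domains_by_hash = defaultdict(set)
    clients_by_hash = defaultdict(set)
    hashes_by_url = defaultdict(set)
    clients_by_url = defaultdict(set)
    for client, host, path, digest in downloads:
        url = host + path
        domains_by_hash[digest].add(host)
        clients_by_hash[digest].add(client)
        hashes_by_url[url].add(digest)
        clients_by_url[url].add(client)
    # Domain fluxing: the same binary fetched from many unrelated domains.
    flux = {d: sorted(h) for d, h in domains_by_hash.items()
            if len(h) >= min_domains and len(clients_by_hash[d]) >= min_clients}
    # Repackaging: one URL serving a distinct binary to (almost) every client.
    repack = {u: sorted(h) for u, h in hashes_by_url.items()
              if len(h) >= min_variants and len(clients_by_url[u]) >= min_clients}
    return {"flux": flux, "repack": repack}

if __name__ == "__main__":
    print(find_suspicious(DOWNLOADS))
```

The benign CDN download is fetched by just as many clients but is never flagged, which is the point of zooming out: a single request carries no signal, the shape of the infrastructure behind many requests does.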
The researchers found the tool to be highly efficient and accurate during a week-long live trial on an unnamed large internet service provider, in which zero-day malware was plucked from some ten million file downloads.
It also detected malware from 19 domains unknown to the anti-virus industry, and uncovered several botnet infection and command-and-control infrastructures.
Criminals could attempt to avoid Nazca by using encrypted channels such as HTTPS or services such as Dropbox or Google Drive, or by maintaining small, independent and constantly changing malware infrastructure.