Presented at SuriCon 2018 by Anton Tyurin, Positive Technologies
Content-based detection is often impossible for encrypted communication, yet a great deal of malware uses self-signed certificates or Tor. We would like to introduce to the community a new method of leveraging the power of Suricata rules to detect malicious connections under TLS; custom closed protocols built on raw TCP are covered as well. We will introduce fingerprints for Dridex, Ursnif and Remcos, all of which use TLS and/or a custom protocol, and use them to show how malicious C2 communication can be detected at an early stage of infection. Heartbeat communication also contains enough unique data to write rules on, and we will demonstrate how joining these two kinds of data (handshake fingerprint and heartbeat) through flowbits gives more accurate detection. We will also cover what makes this kind of detection hard to implement and how those problems can be solved, in particular handling padding in TLS fragments and joining such fragments into a single Suricata buffer. We hope that our methodology will be of interest not only to malware analysts but also to developers working on detection engine optimization, and that it will serve as a catalyst for the development of new detection methods.
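The flowbits join described above, as an added illustration that is not part of the talk and does not reproduce any of the Dridex, Ursnif or Remcos fingerprints: the certificate subject, the heartbeat record length, the sid values and the flowbit name are all hypothetical. Stage 1 marks the flow when a hypothetical self-signed certificate subject appears in the server's Certificate message but does not alert on its own; stage 2 alerts only when a client-to-server TLS application-data record of a fixed, small size (a hypothetical heartbeat) is seen on a flow that stage 1 already marked. The second rule assumes Suricata 4.1 or later with `app-layer.protocols.tls.encryption-handling` set to `full` in suricata.yaml, since the default setting stops inspecting a TLS flow once the handshake completes and the raw content match would never run.

```suricata
# Added example: hypothetical Suricata rules, not the fingerprints from the talk.
# Assumes suricata.yaml has app-layer.protocols.tls.encryption-handling: full,
# so that encrypted application-data records are still inspected after the handshake.

# Stage 1: hypothetical certificate fingerprint. The server's certificate travels
# to the client, so the rule is written to_client. flowbits:noalert means this rule
# only marks the flow; it never generates an alert by itself.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"HYPOTHETICAL C2 TLS certificate fingerprint"; flow:established,to_client; tls.cert_subject; content:"CN=hypothetical-c2.local"; flowbits:set,hyp.c2.cert; flowbits:noalert; sid:9000001; rev:1;)

# Stage 2: hypothetical heartbeat. A TLS 1.2 application-data record header is
# 0x17 0x03 0x03 followed by a two-byte length; here the heartbeat is assumed to
# always be a 42-byte (0x002a) record from client to server. On its own this header
# is far too generic to alert on, so flowbits:isset restricts it to flows that
# stage 1 marked. The threshold keeps a chatty beacon from flooding the console.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HYPOTHETICAL C2 heartbeat on flow with certificate fingerprint"; flow:established,to_server; flowbits:isset,hyp.c2.cert; content:"|17 03 03 00 2a|"; threshold:type limit,track by_src,count 1,seconds 3600; classtype:trojan-activity; sid:9000002; rev:1;)
```

Two caveats a practitioner should keep in mind when adapting this pattern. First, the record-length match in stage 2 assumes the heartbeat record arrives unfragmented; when a record is split across TCP segments or padded, the bytes seen in one inspected buffer differ from the wire-level record, which is exactly the fragment-handling problem the talk sets out to address. Second, a flowbit set on a 100% generic stage-1 match makes stage 2 no more specific than the heartbeat pattern alone, so the certificate or handshake fingerprint should be as narrow as the sample allows.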