TMCnet News

Damballa Reports Over 75% of HTTP Malware Evades Detection by Traditional Protection Methods
[September 10, 2013]

Sep 10, 2013 (Close-Up Media via COMTEX) -- Damballa, an advanced threat discovery company, released customer research data that indicates over 75 percent of active infections easily evade detection by traditional protection methods.

As malware is evolving, the research indicates that some of the most frequently deployed security solutions cannot identify active infections that lead to costly breaches.

"While next-gen malware is starting to leverage non-HTTP channels, such as peer-to-peer, HTTP continues to be the predominant channel used by 80 percent of all malware we see," said Terry Nelms, researcher at Damballa. "Malware today is using HTTP to 'blend in' and evade detection by sending small traces of information over the core ports and protocols that enterprises allow in and out of their network. Our research indicates that firewalls and IPS are highly ineffective at detecting next-gen malware infected devices."

Nelms presented this research (code name: ExecScent) in a USENIX paper titled, "ExecScent: Mining for New C&C Domains in Live Networks with Adaptive Control Protocol Templates." The tool identified hundreds of infected hosts on networks that had traditional security products deployed.



According to a release, the company announced new capabilities to detect malware by utilizing ExecScent as the basis for a new HTTP Request Profiler. In recent customer trials, the new HTTP Request Profiler within the Damballa Failsafe platform detected five times the number of active infections that traditional technologies found. Leveraging Damballa's Big Data harvesting and machine learning systems, trained on millions of malware samples a week from malware repositories and consumer and enterprise records, the new HTTP Request Profiler can statistically identify similar structures within HTTP requests to discover hidden infected devices.

Detecting today's advanced threats requires great efficiency and solutions that go beyond a single approach to recognizing malware. The new HTTP Request Profiler joins seven other Profilers in the Damballa Failsafe platform to deliver the most accurate determination that a device has actually been compromised.


Threat actors are constantly changing their control server destinations and modifying their malware with new serial variants and one-time use server malware sites to evade detection by traditional signature and sandboxing-based systems. When this occurs, it is valuable to apply both behavioral and content-based approaches to active threat discovery, analyzing the syntax or structure of the communications, which does not change as frequently.

Damballa can now leverage this statistically similar structure to determine that a device is infected with a new variant of a known malware family. The new HTTP Request Profiler can identify malicious activity by analyzing the content of an HTTP request, regardless of the malware variant or destination involved.
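The idea of matching request structure rather than destination can be sketched as follows. This is an added illustration, not Damballa's or ExecScent's code: the feature set, the Jaccard score, the 0.7 threshold and all sample requests are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests; hostnames, paths and values are made up for this example.
KNOWN = ("GET /gate/a91f03bc.php?id=48213&v=12&os=winxp HTTP/1.1\r\n"
         "User-Agent: Mozilla/4.0 (compatible)\r\nHost: old-c2.example\r\n"
         "Cache-Control: no-cache\r\n\r\n")
VARIANT = ("GET /load/7c20de55.php?id=90177&v=13&os=win70 HTTP/1.1\r\n"
           "User-Agent: Mozilla/4.0 (compatible)\r\nHost: new-domain.example\r\n"
           "Cache-Control: no-cache\r\n\r\n")
BROWSER = ("GET /news/2013/09/index.html?ref=home HTTP/1.1\r\n"
           "Host: www.example.org\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/23.0\r\n"
           "Accept: text/html\r\nAccept-Language: en-US\r\n\r\n")

CLASSES = [("int", r"\d+"), ("hex", r"[0-9a-fA-F]+"), ("alpha", r"[A-Za-z]+"),
           ("alnum", r"[A-Za-z0-9]+")]

def generalize(value):
    """Replace a concrete value with its character class and length: 'a91f03bc' -> 'hex8'."""
    kind = next((k for k, rx in CLASSES if re.fullmatch(rx, value)), "str")
    return f"{kind}{len(value)}"

def profile(raw_request):
    """Reduce a raw HTTP request to a set of structural features, ignoring the destination."""
    lines = raw_request.strip().split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    url = urlsplit(target)
    features = {f"method={method}"}
    for i, seg in enumerate(s for s in url.path.split("/") if s):
        name, dot, ext = seg.rpartition(".")   # keep a literal file extension
        features.add(f"path[{i}]=" + (generalize(name) + dot + ext if dot else generalize(seg)))
    for i, (key, val) in enumerate(parse_qsl(url.query, keep_blank_values=True)):
        features.add(f"query[{i}]={key}:{generalize(val)}")   # names literal, values generalized
    for i, line in enumerate(l for l in lines[1:] if ":" in l):
        name, val = line.split(":", 1)
        features.add(f"header[{i}]={name.strip().lower()}")   # header order is structure too
        if name.strip().lower() == "user-agent":
            features.add(f"ua={val.strip()}")   # the Host value is deliberately never used
    return features

def similarity(a, b):
    """Jaccard similarity between two feature sets (0.0 to 1.0)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def matches_family(raw_request, template=KNOWN, threshold=0.7):
    """True when the request is structurally close to the known family's request (assumed threshold)."""
    return similarity(profile(raw_request), profile(template)) >= threshold

if __name__ == "__main__":
    for label, req in (("variant", VARIANT), ("browser", BROWSER)):
        print(label, round(similarity(profile(req), profile(KNOWN)), 3), matches_family(req))
```

The constructed variant uses a different domain, path and parameter values yet still scores above the threshold, while the browser request does not.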

More Information: http://www.damballa.com