Blue Coat Labs
Escalation of SSL-Based Malware
Escalation of SSL-Based Malware
Recently, the team here at Blue Coat Labs conducted research around the security blind spots created by encrypted traffic. The findings were extremely helpful in validating that the use of SSL/TLS in malware is on the rise, most prominently seen in ransomware. Based on the team’s research, we identified two key findings, which are highlighted in a recent report from the Fraunhofer Institute for Communication Information Processing and Ergonomics FKIE, sponsored by Blue Coat. The key findings include:
- The number of malware samples jumped from approximately 500 per month before October 2015 to over 29,000 samples in November and December 2015
- The number of C&C servers using SSL jumped from 1,000, until and including Q1 2015, to 200,000 per quarter in Q3 2015
Clearly, these were extremely sharp increases, so it was important to understand the basis and context behind these statistics. Therefore, the following will describe the research methodology as well as the full nature of the statistics.
SSL-based Malware Increase: Research Methodology
To perform this research, Blue Coat Labs leveraged the SSL Blacklist and Blue Coat’s enterprise API agreement with VirusTotal. Utilizing these assets, we attained the list of malware families known to be using SSL from the SSL Blacklist site. Straight from the database, the families were:
["Dridex", "KINS", "Shylock", "URLzone", "TorrentLocker", "CryptoWall",
"Upatre", "Spambot", "Retefe", "TeslaCrypt", "CryptoLocker", "Bebloh",
"Gootkit", "Geodo", "Tinba", "Gozi", "VMZeus", "Redyms", "Qadars", "Vawtrack",
After securing this list, we then used it to query VirusTotal, which was able to identify how many different malware samples were found that were associated with those specific SSL-utilizing malware families. The team then began charting these figures for each month dating back to January, 2014, enabling us to look for patterns or trends.
Note: In order to provide adequate context for these figures, and to ensure that any growth figures weren’t simply the result of an overall spike in all types of malware, the team followed this same process of tracking the number of overall malware samples across the same time period. This provided a baseline against which to contrast the SSL-based malware growth.
SSL-based Malware Increase: Observations and Context
After charting all the figures, what we found was that between January 2014 – September 2015, these families were leading to a somewhat stable monthly average of around 500 samples per month. However, this number spiked up to an average of 29,000 from October-December 2015.
What this spike indicates is that the “known suspect” malware families that have historically used SSL saw a rapid and dramatic surge in distribution and usage. Looking at the timeframe of the spike, it coincided with the onset of the holiday season. As such, the spike could have been attributed to the launch of one or more large-scale campaigns with infrastructures based on those malware families.
Whether this increase is in fact the start of an escalating trend or is just a short-term burst, this is still an example of the use of SSL/TLS as an obfuscation technique on a wide scale, making the threat even more relevant than ever.
The second part of this research involved contrasting with overall malware occurrences. During the same timeframe, January 2014 – December 2015, we found that overall monthly malware occurrences were spiky but roughly stable with a slight upward trend. When the two trend patterns were compared, it demonstrated that the observed increase in SSL-based malware was not riding the wave of a bigger trend.
C&C Server Increase: Research Methodology
The increase in the number of Command and Control (C&C) servers* is in fact related to the above finding on malware samples. Similar to the malware research, the team leveraged the SSL Blacklist and was able to identify the number of servers found to be associated with known SSL-using malware families. In this case, tracking was done on a quarterly basis.
*Note: Here, “C&C Server” refers to any server that is part of the overall malware infrastructure: coordination points, malware download sites, data exfiltration points, etc.
C&C Server Increase: Observations and Context
Similar to what our team found with the malware samples, the number of C&C servers associated with the SSL Blacklist malware families were found to be relatively stable in 2014, with an average of approximately 1,000 per quarter. However, the number dramatically increased to over 100,000 C&C servers in Q2 2015, and further jumped to over 218,000 in Q3 2015.
Although the timing of the increase comes earlier than the appearance of associated malware, this is consistent with the idea of threat actors building up a C&C framework in advance of launching a large-scale campaign for the 2015 holiday season. What’s more, the massive jump in C&C servers is likely attributed to the malware utilizing Domain Generating Algorithms (DGA) for short-living Domains to build out a C&C infrastructure.
These findings help to explain how threat actors could achieve the huge explosion in the number of C&C servers associated with the SSL Blacklist.
For more information about the reliance on short-lived domains by threat actors, please visit Blue Coat’s 2014 research report, “One Day Wonders,” which can be downloaded here.