Saturday, June 2, 2018

Malware Command and Control Without HTTP

Malware frequently uses HTTP for communication, but it's not the only option, and TCP isn't the only transport protocol available either. The advantage of using HTTP is that there is just so much of it. Network equipment and monitoring systems are used to seeing it, and so are the analysts who review it, so it just doesn't stand out. And that's the key - you want your malicious C&C traffic to blend in as much as possible, which is why attackers favour common protocols that, ideally, look like they're sent to common sites. But HTTP isn't the only protocol that fits this description.

So analysts look for unusual protocols, out-of-place ports, and strange domains when examining network traffic for malicious use. If you're a bad actor, you want to avoid all three of these tells if you can help it. There are other protocols in common use on enterprise networks that aren't unusual at all - specifically, protocols like SIP (Session Initiation Protocol), RTSP (Real Time Streaming Protocol) and RTP (Real-time Transport Protocol).
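As an added illustration of the three checks the post describes (this is not code from the original post or from DZone), here is a small Python triage pass over constructed flow records. The port table uses the IANA assignments for SIP and RTSP and the common RTP range; the allowlist of media servers and the `key=value` log format are assumptions.

```python
from dataclasses import dataclass

# Expected ports per protocol: SIP 5060/5061, RTSP 554, and the RTP range
# 16384-32767 that many voice/video stacks use by default.
EXPECTED_PORTS = {
    "sip": {5060, 5061},
    "rtsp": {554},
    "rtp": set(range(16384, 32768)),
}
# Constructed allowlist (assumption): media servers this enterprise expects
# its endpoints to talk SIP/RTSP/RTP to.
KNOWN_MEDIA_SERVERS = {"10.0.0.5", "10.0.0.6"}

# Constructed sample flow records in a hypothetical sensor export format.
SAMPLE_LOG = """\
proto=sip transport=udp dst=10.0.0.5 dport=5060
proto=sip transport=tcp dst=203.0.113.9 dport=8080
proto=rtsp transport=tcp dst=10.0.0.6 dport=554
proto=rtp transport=udp dst=198.51.100.7 dport=20000
proto=gopher transport=tcp dst=10.0.0.5 dport=70
"""

@dataclass
class Flow:
    proto: str      # application protocol as identified by the sensor
    transport: str  # "tcp" or "udp"
    dst_ip: str
    dst_port: int

def parse_flow(line):
    """Turn one 'key=value key=value ...' record into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["proto"].lower(), fields["transport"].lower(),
                fields["dst"], int(fields["dport"]))

def triage(flow):
    """Apply the post's three heuristics; an empty list means nothing odd."""
    if flow.proto not in EXPECTED_PORTS:
        return ["unusual-protocol"]        # not a protocol we expect at all
    findings = []
    if flow.dst_port not in EXPECTED_PORTS[flow.proto]:
        findings.append("out-of-place-port")  # e.g. SIP on 8080
    if flow.dst_ip not in KNOWN_MEDIA_SERVERS:
        findings.append("unexpected-destination")  # media traffic to a stranger
    return findings

def triage_log(text):
    """Return (record, findings) for every flow that trips at least one check."""
    flagged = []
    for line in text.splitlines():
        if line.strip():
            findings = triage(parse_flow(line))
            if findings:
                flagged.append((line, findings))
    return flagged
```

Run `triage_log(SAMPLE_LOG)` to see which of the constructed records would surface for an analyst; the clean SIP and RTSP flows to the allowlisted servers produce no findings.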



from DZone.com Feed https://ift.tt/2szTLaB
