exe. If the malware is acting as a proxy, incoming data will be immediately written to a second outbound socket.

Malware that only creates outbound connections can be acting in virtually any capacity at all: worm, DDoS agent, or simple bot that is attempting to phone home. At a minimum, it is useful to determine whether the malware connects to many hosts (could be a worm) or a single host (could be phoning home), and to what port(s) the malware attempts to connect. You should make an effort to track down what the malware does once it connects to a remote host. Any ports and protocols that are observed can be used to create malware detection and possibly removal tools.
It is becoming more common for malware to perform basic encryption on data that it transmits. Encryption must take place just prior to data transmission or just after data reception. Identification of encryption algorithms employed by the malware can lead to the development of appropriate decoders that can, in turn, be utilized to determine what data may have been exfiltrated by the malware. It may also be possible to develop encoders that can be used to communicate with the malware to detect or disable it.
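The kind of decoder described above, as an added example that is not from the book: it assumes the malware applies single-byte XOR (a common "basic encryption") to each record before sending it, and works from a captured transmission constructed here by encrypting a fake record with the key 0x5A. The key is recovered either from a known plaintext prefix (for instance a fixed beacon tag noted in the disassembly) or, failing that, by scoring every candidate key on how text-like its output is.

```python
# Added example, not from the book: recovering a single-byte XOR key from a
# captured malware transmission so that exfiltrated data can be decoded.
# Single-byte XOR is an assumed "basic encryption" scheme; the captured bytes
# are constructed below by encrypting a fake record with key 0x5A.

PRINTABLE = set(range(0x20, 0x7F)) | set(b"\t\n\r")

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (encrypt and decrypt are identical)."""
    return bytes(b ^ key for b in data)

def plaintext_score(data: bytes) -> int:
    """Heuristic: text-like exfil data is mostly lowercase letters, digits and spaces."""
    score = 0
    for b in data:
        if b not in PRINTABLE:
            score -= 10
        elif 0x61 <= b <= 0x7A:                # a-z
            score += 2
        elif b == 0x20 or 0x30 <= b <= 0x39:   # space or 0-9
            score += 1
    return score

def recover_xor_key(ciphertext: bytes, known_prefix: bytes = b"") -> int:
    """Return the most likely key. A known plaintext prefix (e.g. a fixed
    beacon tag seen in the disassembly) gives the key directly; otherwise
    every candidate key is scored on how text-like its output looks."""
    if known_prefix:
        keys = {c ^ p for c, p in zip(ciphertext, known_prefix)}
        if len(keys) != 1:
            raise ValueError("prefix inconsistent with a single-byte XOR key")
        return keys.pop()
    return max(range(256), key=lambda k: plaintext_score(xor_bytes(ciphertext, k)))

def decode_capture(ciphertext: bytes, known_prefix: bytes = b"") -> tuple[int, bytes]:
    """Recover the key and return (key, decoded record)."""
    key = recover_xor_key(ciphertext, known_prefix)
    return key, xor_bytes(ciphertext, key)

# Constructed sample of what a sniffer might see on the outbound socket.
SAMPLE_RECORD = b"id=lab-pc01 user=analyst file=report.docx status=ok"
CAPTURED = xor_bytes(SAMPLE_RECORD, 0x5A)

if __name__ == "__main__":
    key, plain = decode_capture(CAPTURED)
    print(f"recovered key 0x{key:02x}: {plain!r}")
```

The statistical path is a heuristic and can pick a wrong key on short or binary-heavy captures, so confirm the result against the decryption routine found in the sample when one is available.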
The number of communications techniques employed by malware authors grows with each new strain of malware.