Stealthy Malware Traffic - Not as Innocent as It Looks
This addresses the challenge of stealthy malware for cybersecurity practitioners, though it is incremental as it builds on existing evasion techniques.
The study tackled the problem of malware evading network-based detection by developing a method to camouflage malicious traffic as innocuous smart grid data, resulting in transformed traffic being misidentified as legitimate protocol and accepted by real smart grid systems.
Malware is constantly evolving. Although existing countermeasures have success in malware detection, corresponding counter-countermeasures are always emerging. In this study, a counter-countermeasure that avoids network-based detection approaches by camouflaging malicious traffic as an innocuous protocol is presented. The approach includes two steps: Traffic format transformation and side-channel massage (SCM). Format transforming encryption (FTE) translates protocol syntax to mimic another innocuous protocol while SCM obscures traffic side-channels. The proposed approach is illustrated by transforming Zeus botnet (Zbot) Command and Control (C&C) traffic into smart grid Phasor Measurement Unit (PMU) data. The experimental results show that the transformed traffic is identified by Wireshark as synchrophasor protocol, and the transformed protocol fools current side-channel attacks. Moreover, it is shown that a real smart grid Phasor Data Concentrator (PDC) accepts the false PMU data.