Discovering Encrypted Bot and Ransomware Payloads Through Memory Inspection Without A Priori Knowledge
This addresses the challenge of rapid malware detection for network security, though it appears incremental as it builds on existing memory inspection techniques.
The paper tackles the problem of detecting malware that uses encrypted channels by presenting a new approach to discover cryptographic artifacts in memory without prior knowledge, enabling identification of bot and ransomware payloads.
Malware writers frequently try to hide the activities of their agents within tunnelled traffic. Within the Kill Chain model the infection time is often measured in seconds, and if the infection is not detected and blocked, the malware agent, such as a bot, will often then set up a secret channel to communicate with its controller. In the case of ransomware the communicated payload may include the encryption key used for the infected host to register its infection. As a malware infection can spread across a network in seconds, it is often important to detect its activities on the air, in memory and at-rest. Malware increasingly uses encrypted channels for communicating with their controllers. This paper presents a new approach to discovering the cryptographic artefacts of real malware clients that use cryptographic libraries of the Microsoft Windows operating system. This enables malware secret communications to be discovered without any prior malware knowledge.