Observer Effect: How Intercepting HTTPS Traffic Forces Malware to Change Their Behavior

  • María José Erquiaga
  • Sebastián García
  • Carlos García Garino
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 790)

Abstract

During the last couple of years there has been an important surge on the use of HTTPs by malware. The reason for this increase is not completely understood yet, but it is hypothesized that it was forced by organizations only allowing web traffic to the Internet. Using HTTPs makes malware behavior similar to normal connections. Therefore, there has been a growing interest in understanding the usage of HTTPs by malware. This paper describes our research to obtain large quantities of real malware traffic using HTTPs, our use of man-in-the-middle HTTPs interceptor proxies to open and study the content, and our analysis of how the behavior of the malware changes after being intercepted. The research goal is to understand how malware uses HTTPs and the impact of intercepting its traffic. We conclude that the use of an interceptor proxy forces the malware to change its behavior and therefore should be carefully considered before being implemented.

Keywords

Malware Botnets HTTPs Malware traffic Network security MITM Proxy Malware behavior 

References

  1. 1.
    O’Neill, M., Ruoti, S., Seamons, K., Zappala, D.: TLS inspection: how often and who cares? IEEE Internet Comput. 21(3), 22–29 (2017).  https://doi.org/10.1109/MIC.2017.58 CrossRefGoogle Scholar
  2. 2.
    de Carné de Carnavalet, X., Mannan, M.: Killed by Proxy: Analyzing Client-end TLS Interception Software, 21–24 February 2016, San Diego, CA, USA. Copyright 2016 Internet Society, ISBN 1-891562-41-X.  https://doi.org/10.14722/ndss.2016.2337
  3. 3.
    Lokoč, J., Kohout, J., Čech, P., Skopal, T., Pevný, T.: k-NN classification of Malware in HTTPS traffic using the metric space approach. In: Chau, M., Wang, G.Alan, Chen, H. (eds.) PAISI 2016. LNCS, vol. 9650, pp. 131–145. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-31863-9_10 CrossRefGoogle Scholar
  4. 4.
    Střasák, F.: Detection of HTTPS Malware Traffic. Open Informatics, Computer and Information Science, May 2017. https://dspace.cvut.cz/bitstream/handle/10467/68528/F3-BP-2017-Strasak-Frantisek-strasak_thesis_2017.pdf?sequence=-1
  5. 5.
    Anderson, B., Paul, S., McGrew, D.: Deciphering Malware’s use of TLS (without Decryption) (2016). http://arxiv.org/abs/1607.01639
  6. 6.
    Anderson, B.: Hiding in Plain Sight: Malware’s Use of TLS and Encryption, 25 January 2016. http://blogs.cisco.com/security/malwares-use-of-tls-and-encryption
  7. 7.
    Anderson, B., McGrew, D., Kendler, A.: Cisco Systems, Inc. Classifying Encrypted Traffic with TLS-Aware Telemetry, January 2016. http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=449962
  8. 8.
  9. 9.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • María José Erquiaga
    • 1
    • 2
    • 3
  • Sebastián García
    • 4
  • Carlos García Garino
    • 1
    • 3
  1. 1.ITICUNCuyoMendozaArgentina
  2. 2.Facultad de Ciencias Exactas y NaturalesUNCuyoMendozaArgentina
  3. 3.Facultad de IngenieríaUNCuyoMendozaArgentina
  4. 4.CTU UniversityPragueCzech Republic

Personalised recommendations