Alex Kirk(Sourcefire Vulnerability Research Team)

Setting The Evil Bit: Malicious Traffic Hiding In Plain Sight

Building on the research I presented at You Sh0t the Sheriff in May, this presentation will explore ways to detect traffic generated by malware-infected hosts in a broad, generic fashion - instead of looking for traits specific to a given piece or family of malware. Specifically, my talk will explore:

* HTTP protocol breakage - much of the HTTP traffic generated by compromised hosts ignores or violates key parts of the RFCs, breaking the protocol in ways worse than even Internet Explorer 6.
* Legal WTFs - other times, malware generates traffic that is technically legal per the RFCs, but simply makes no sense in the real world. This includes items such as POSTs to image URIs, blatantly malicious User-Agent strings (e.g. "GBot/2.3"), mismatches between declared Content-Types and actual data returned, etc.
* Spam blasts - after realizing that the hosts in my malware zoo have been blacklisted at all the major mail providers, I've set up an outbound mail honeypot to make sure all of that traffic is captured as well. Techniques for detection ranging from simple flow analysis on port 25 to inspection of SMTP headers and bodies will be based on this new data.
* General "Ha Ha" - malware does ridiculous things all the time, and the presentation will be full of the funniest and most ludicrous examples I can find from my malware zoo.
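The HTTP heuristics the abstract lists (RFC breakage, POSTs to image URIs, the "GBot/2.3" User-Agent, a declared Content-Type that does not match the body) as a small malware-family-agnostic inspector. This is an added Python example, not code from the talk, from Snort or from Sourcefire. The three transactions, the magic-byte table and the User-Agent denylist are constructed for illustration, and the two concrete "protocol breakage" checks (an HTTP/1.1 request with no Host header, a header line without ':', a Content-Length that disagrees with the body) are my own choice of instances of what the abstract describes in general terms. The SMTP side of the talk is not covered here.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Extensions a browser would only ever GET; a POST to them is legal but odd.
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico")

# Leading bytes for a few declared Content-Types (constructed subset for the demo).
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "application/x-msdownload": b"MZ",
}

# Constructed denylist; "GBot/2.3" is the example string from the abstract.
SUSPICIOUS_UA_PREFIXES = ("GBot/",)


@dataclass
class Transaction:
    request: bytes          # raw client request as seen on the wire
    response: bytes = b""   # raw server response, empty if none was captured


def parse_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes, List[str]]:
    """Split a raw HTTP message into start line, lower-cased header map, body,
    and the header lines that lack the mandatory ':' separator."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    malformed: List[str] = []
    for line in lines[1:]:
        if b":" not in line:
            malformed.append(line.decode("latin-1"))
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body, malformed


def inspect(tx: Transaction) -> List[str]:
    """Return generic findings for one transaction; an empty list means clean."""
    findings: List[str] = []
    req_line, hdrs, body, malformed = parse_message(tx.request)
    parts = req_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ["protocol-breakage: malformed request line %r" % req_line]
    method, uri, version = parts

    # --- RFC breakage: the request is not valid HTTP at all ---
    for line in malformed:
        findings.append("protocol-breakage: header line without ':' %r" % line)
    if version == "HTTP/1.1" and "host" not in hdrs:
        findings.append("protocol-breakage: HTTP/1.1 request without Host header")
    declared_len = hdrs.get("content-length", "")
    if declared_len.isdigit() and int(declared_len) != len(body):
        findings.append("protocol-breakage: Content-Length %s but body is %d bytes"
                        % (declared_len, len(body)))

    # --- Legal per the RFCs, but nonsensical from a real client ---
    ua = hdrs.get("user-agent")
    if ua is None:
        findings.append("legal-wtf: request carries no User-Agent header")
    elif ua.startswith(SUSPICIOUS_UA_PREFIXES):
        findings.append("legal-wtf: suspicious User-Agent %r" % ua)
    path = uri.split("?", 1)[0].lower()
    if method == "POST" and path.endswith(IMAGE_EXT):
        findings.append("legal-wtf: POST to image URI %s" % uri)

    # --- Declared Content-Type versus what the body actually starts with ---
    if tx.response:
        _, rhdrs, rbody, _ = parse_message(tx.response)
        declared = rhdrs.get("content-type", "").split(";")[0].strip().lower()
        magic = MAGIC.get(declared)
        if magic and rbody and not rbody.startswith(magic):
            actual = next((t for t, m in MAGIC.items() if rbody.startswith(m)), "unknown")
            findings.append("legal-wtf: Content-Type %s but body looks like %s"
                            % (declared, actual))
    return findings


# Constructed sample transactions: one clean, one "legal WTF", one RFC-breaking.
SAMPLES = {
    "benign": Transaction(
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    "legal-wtf": Transaction(
        b"POST /images/logo.gif HTTP/1.1\r\nHost: example.test\r\n"
        b"User-Agent: GBot/2.3\r\nContent-Length: 4\r\n\r\na=bc",
        b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nMZ\x90\x00"),
    "protocol-breakage": Transaction(
        b"GET /check.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nThis is not a header\r\n\r\n"),
}


def run_samples() -> Dict[str, List[str]]:
    """Inspect every sample and map its name to the findings produced."""
    return {name: inspect(tx) for name, tx in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or ["clean"])
```

Each finding is tagged with the abstract's own category so the two classes can be counted separately: the "protocol-breakage" checks fire on traffic no real browser produces, while the "legal-wtf" checks need a baseline of what normal clients on the network do, since a POST to a .gif or a missing User-Agent is odd rather than impossible.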

About Alex Kirk

Alex Kirk is a senior researcher with the Sourcefire Vulnerability Research Team (VRT), and the head of that group's Awareness, Education, Guidance, and Intelligence Sharing (AEGIS) program, which is designed to increase direct collaboration between Sourcefire customers, the Snort user community, and the VRT in the interests of improved detection and coverage. In his 7 years with the VRT, Alex has become one of the world's leading experts on Snort rules, and has honed skills in reverse engineering, network traffic analysis, and systems security. He recently contributed a pair of Snort-related chapters to "Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century" and is a regular contributor to the widely-read VRT blog (http://vrt-blog.snort.org/). His current major technical project at Sourcefire involves automated collection of network data generated by malicious binaries, and analysis of that data for detection purposes.
