More Hackers Building SSL Encryption into Malware, Zscaler Finds

Hackers are increasingly using Secure Sockets Layer encryption to conceal device infections, shroud data exfiltration and hide botnet communications, according to cloud security company Zscaler.

SSL Malware Threat

Malware authors and operators are increasingly using Secure Sockets Layer (SSL) encryption to hide their communications and escape detection, with the use of SSL for malware communications doubling in the first six months of 2017, security-in-the-cloud firm Zscaler said in its latest threat report.

On average, the company has seen 600,000 “encrypted malicious activities” every day, including calling back to command-and-control servers, phishing attempts and malware delivery. About 60 percent of the malicious activities were related to banking Trojans and a quarter related to ransomware, the Zscaler analysis stated.

“I think we are heading in the direction where SSL will become [a de-facto measure taken by attackers], because it provides an additional layer of security for them to cover the C&C communications,” Deepen Desai, senior director of research for Zscaler, told eWEEK.

“Even today, they will not do command-and-control over plain text; they will use custom encryption. SSL just adds another layer on top it.”

The company found that as many as a quarter of all new malware executables analyzed in its cloud sandbox communicated over SSL and transport layer security (TLS) in 2017.

Malware authors have always found different ways to hide their programs’ communications, such as using the TOR network or going through covert channels using DNS queries. Yet, SSL is a Web standard and so is very common on corporate networks. In 2016, security firm Blue Coat found that malicious SSL activity jumped by a factor of 58.

Exploit kits, malware, adware and C&C communications have all been observed using SSL encryption to hide the content of the communications. More than 300 Web exploits per day use SSL as part of their infection chain, the company said.

Zscaler and Blue Coat are not the only companies to see the increasing obfuscation of communications by attackers. On Aug. 3, security firm Kaspersky Lab published an analysis of current trends in steganography, a communications technique that embeds messages or data in other traffic—most often, images.

The company stated that steganography has become popular with the developers of malware and spyware, but that most anti-malware tools have trouble detecting the payloads.

“So far, the security industry hasn’t found a way to reliably detect the data exfiltration conducted in this way and the goal of our investigations is to draw industry attention to the problem and enforce the development of reliable yet affordable technologies, allowing the identification of steganography in malware attacks,” Alexey Shulmin, security researcher at Kaspersky Lab, said in a statement.

Zscaler warned companies that the increase in SSL encryption should prompt firms to focus on inspecting SSL traffic.

The company also noted other trends in its threat report, including the increase in network-connected devices in the enterprise. Such devices connected to the so-called Internet of Things are often vulnerable to attack. The most common IoT devices are focused on entertainment, comprising 30 percent of all devices detected, security (27 percent) and health (13 percent).

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...