Malware traffic and signatures
We are starting 2015 with a new offering. The security landscape has changed and we are meeting the requests of many of our clients to expand beyond our previous policy of only providing traffic and rules for actual exploits.
Those of you who are familiar with the term 'Indicators of Compromise (IOC)' will be happy to know that we will now include Malware traffic files in our monthly updates. Starting this month with coverage of the 'Soaksoak' malware, we will be creating traffic files that will test your IDS/IPS for their detection capabilities of network traffic that indicates a compromise has already happened within your networks.
Typically this type of network traffic will be inside to outside and will indicate that a host within your networks has been infected by some malware and is communicating with the internet out of band. So if we take December's update as an example, we have provided traffic files that demonstrate a host machine requesting malicious files from known bad domains, and DNS queries from that host for known bad domains. All of these files show examples of IOCs for the 'Soaksoak' malware.
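As an added illustration of the IOC pattern described above (not code from the original post or from the Traffic IQ library), the following script flags only inside-to-outside DNS queries and HTTP requests whose domain is on a blocklist; the domains, IP addresses and log lines are constructed placeholders, since the post names no real Soaksoak indicators.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed placeholder blocklist; the post names no real Soaksoak domains.
KNOWN_BAD_DOMAINS = {"bad-domain.example", "malicious-cdn.example"}

# RFC 1918 ranges used to decide whether a host is "inside" the network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def matches_blocklist(name: str) -> bool:
    # Match the listed domain itself or any subdomain of it
    # (e.g. cdn.bad-domain.example), ignoring case and a trailing dot.
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def find_iocs(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse constructed 'src dst kind value' records and return (src, kind, value)
    for inside-to-outside DNS queries or HTTP hosts that hit the blocklist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than crash on them
        src, dst, kind, value = parts
        if kind not in ("dns", "http"):
            continue
        # Only inside->outside traffic counts as a post-infection IOC here;
        # internal-to-internal lookups of the same name are deliberately ignored.
        if not (is_internal(src) and not is_internal(dst)):
            continue
        if matches_blocklist(value):
            hits.append((src, kind, value))
    return hits


# Constructed sample log: two hits from 192.168.1.10, one benign lookup,
# and one internal-to-internal lookup of a bad name that must not fire.
SAMPLE_LOG = """\
192.168.1.10 203.0.113.53 dns cdn.bad-domain.example
192.168.1.10 203.0.113.7 http bad-domain.example
192.168.1.11 203.0.113.53 dns example.org
10.1.1.5 192.168.1.10 dns bad-domain.example
"""

if __name__ == "__main__":
    for hit in find_iocs(SAMPLE_LOG.splitlines()):
        print("IOC:", *hit)
```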
The good news is that we are still providing Snort rules for every new traffic file that we produce, so you are going to see a lot more malware rules coming your way too.
This does not mean that our coverage of the latest vulnerabilities will reduce. On the contrary, we are still firm believers that the most effective way to protect your networks is to stop malware at the perimeter before it has the chance to install itself on a host machine, so we will continue to produce traffic files to help you test your external defences. However, these new traffic files will enable you to identify, and possibly stop, an infection at the second and third stages of an attack, before the malware has a chance to do any real damage.
You may be interested to know that the majority of the recorded delivery methods for the 'Soaksoak' malware used a vulnerable WordPress plug-in called 'RevSlider'. This vulnerability is also covered in our Traffic IQ library, so you will have all the information you need to fully protect yourselves from attack in relation to the 'Soaksoak' malware.