Malware Uncertainty Principle: an Alteration of Malware Behavior by Close Observation
During the last couple of years there has been an important surge in the use of HTTPS by malware. The exact reason for this increase is not completely understood yet, but it is hypothesized that it was forced by organizations only allowing web traffic to the Internet, and that using HTTPS makes the malware traffic look similar to normal connections. Therefore, there has been a growing interest in understanding the usage of HTTPS by malware. This paper describes our research to obtain large quantities of real malware traffic using HTTPS, our use of man-in-the-middle HTTPS interceptor proxies to open and study the content, and our analysis of how the behavior of the malware changes after being intercepted. Our research goal is to understand the use of HTTPS in malware traffic and the impact of intercepting its traffic. After our analysis we conclude that the use of an interceptor proxy in a network should be carefully considered.
My research experience has been mostly focused on studying the behavior of malware in the network, in particular the behavior of large botnets in real networks. I researched and worked on capturing large quantities of malware traffic for long periods of time (available to download), analyzing the attacks manually and investigating the decisions taken by malware. In my first research experience, I analyzed a group of features for botnet detection in order to find network anomalies. Later, I worked as a collaborator in the Stratosphere project, directed by Sebastián García. This work allowed me to work with the Stratosphere IDS and learn about DGAs (Domain Generation Algorithms). Presently, I am working on the Nomad project, directed by Sebastián García. My main tasks consist of looking for malware using HTTPS, executing that malware in the CVUT laboratory, monitoring it and analyzing its actions.