When we analyze malware C&C network traffic we often see that it contains HTTP protocol. Sometimes the messages are obfuscated and sometimes sent as plain text. They can be intentionally crafted to look like sent by a web browser. But in many cases they are sent using standard libraries and tools. Intuition suggests that there should be some distinct features, which can help to distinguish between malware and benign applications sending HTTP requests. In our presentation we want to present results of our analysis in search of such features.
Analyzed features include headers’ appearance (misspellings, unusual names), header values, general payload analysis (entropy, character analysis etc.) and header sequence order. In our search we have analyzed more than 35 000 pcap files from CERT Polska’s sandbox environment and Malware Capture Facility Project. They include network traffic of about 190 malware families, splitted into common categories like bankers, ransomware, downloader, spambot etc. To identify distinct features, we have compared the results against browser traffic to Alexa’s top 500 popular domains worldwide. The outcome was surprising even for us.

The presentation won’t be academic. We want to share main conclusions which can help you when dealing with malware HTTP traffic. To provide even more operational knowledge, we want to compare the results with traffic generated by popular Windows HTTP libraries and tools. Also we will present particularly interesting examples of HTTP anomalies, both in malware and benign traffic.