
    Most Malware Executables are small….

    Martin Holste sent in an inspired idea. Since the vast majority of malware executables downloaded via http are small, why don’t we look for anything small? (actual numbers from several malware collections show an average just under 500kb).

    Great idea. It won’t catch everything, but it’ll do a lot. The complication is that we have to rely on the size reported in the HTTP header, since we can’t really look at the stream as a whole. A response header will look something like:

    HTTP/1.1 200 OK
    Date: Wed, 07 Nov 2007 23:56:05 GMT
    Server: Apache
    Last-Modified: Wed, 07 Nov 2007 23:55:46 GMT
    ETag: "24d26c-79f0-7cf3a470"
    Accept-Ranges: bytes
    Content-Length: 31216
    Keep-Alive: timeout=15, max=99
    Connection: Keep-Alive
    Content-Type: application/x-msdos-program

    That’s the response to a GET request for a binary that the web server knows is a binary by filename. If it didn’t identify it, it’d say text/plain for the Content-Type, but otherwise the response would look the same.

    So… if we set a flowbit on the response to the GET when it looks like a binary, then a second rule that checks the reported file size will let us identify the smaller binaries.

    One flaw is that many of the servers serving spyware/malware aren’t full-blown HTTP servers, and don’t report valid headers the way Apache or IIS would. So this certainly won’t be foolproof, but it’ll be interesting.

    The following rules are up for testing:

    #Idea by Martin Holste, sigs by Matt Jonkman
    # The idea here is that most legitimate exe downloads are more than 1meg, most malicious are far less than 1 meg.
    # This is evadable of course, and doesn’t work with non-compliant web servers, but this will catch many…

    #First we qualify this as a packet containing the header return info from the get request and is likely binary content
    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Likely Binary in HTTP by Type Flowbit"; flow:established,from_server; flowbits:isnotset,BE.http.binary; content:"HTTP/1"; depth:6; content:"|0d 0a|Content-Type\: application/"; nocase; flowbits:noalert; flowbits:set,BE.http.binary; classtype:not-suspicious; sid:2007670; rev:1;)

    # Next we check that the Content-Length is less than 7 digits, thus under 1,000,000 bytes.
    # note: I re-check for the leading HTTP/1 to make sure we’re still in the header packet, not in the rest of the binary stream
    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Binary Download Smaller than 1 MB - Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:2;)

    I’ve added the check for the MZ to make sure we’re looking at a real executable.

    I’ve also added a flowbits set for this bit to the other rules we have that look for PE headers in downloads, so this second rule will be applied to those downloads as well.
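    To see how the two rules behave together, here is a small Python model of their logic (added here as an illustration, not part of the original post or of the Bleeding Edge rule set) run over constructed HTTP responses. It uses the same pcre as sid 2007671 and shows the cases the post calls out: a small executable, one over 1 MB, a text/plain body, and a minimal server that never sends Content-Length.

```python
import re

# Constructed HTTP responses (not real captures) exercising both rules.
SMALL_EXE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 31216\r\n"
    b"Content-Type: application/x-msdos-program\r\n"
    b"\r\n"
    b"MZ\x90\x00" + b"\x00" * 12          # start of a PE stub
)
BIG_EXE = SMALL_EXE.replace(b"Content-Length: 31216", b"Content-Length: 1048576")
TEXT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 120\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"MZ is just text here"                # 'MZ' present, but not application/*
)
NO_LENGTH = (                               # non-compliant server: no Content-Length
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"MZ\x90\x00"
)

# Same pattern as the pcre in sid 2007671: CRLF, header name, 0-6 digits, CRLF.
# A 7-digit length cannot match because the digit run must be followed by CRLF.
SHORT_LENGTH = re.compile(rb"\x0d\x0aContent-Length: \d{0,6}\x0d\x0a")

def rule_2007670(pkt: bytes, flowbits: set) -> None:
    """sid 2007670: set BE.http.binary when the header claims an application/* body."""
    if "BE.http.binary" in flowbits or pkt[:6] != b"HTTP/1":   # isnotset + depth:6
        return
    if b"\r\ncontent-type: application/" in pkt.lower():        # nocase content match
        flowbits.add("BE.http.binary")

def rule_2007671(pkt: bytes, flowbits: set) -> bool:
    """sid 2007671: alert when the flowbit is set, we are still in the header packet,
    an MZ signature is present, and Content-Length has at most six digits."""
    if "BE.http.binary" not in flowbits or pkt[:6] != b"HTTP/1":
        return False
    return b"MZ" in pkt and SHORT_LENGTH.search(pkt) is not None

def check(pkt: bytes) -> bool:
    """Run both rules over one response packet; True means sid 2007671 would alert."""
    flowbits = set()
    rule_2007670(pkt, flowbits)
    return rule_2007671(pkt, flowbits)
```

    Note that NO_LENGTH sets the flowbit but never alerts, which is exactly the non-compliant-server gap described above.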

    Please report issues and results!

    Matt

    This entry was posted on Thursday, November 8th, 2007 at 4:25 am and is filed under New Rules. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.


    Copyright © 2007 Bleeding Edge Threats.
    All trademarks and copyrights on this page are owned by their respective owners. Snort® is a registered trademark of Sourcefire, Inc.