Security researchers discovered a way to detect and block malware in Transport Layer Security (TLS) connections without decrypting the traffic.
Cisco's researchers Blake Anderson, Subharthi Paul and David McGrew published a report that highlights ways that malware leaves “recognizable footprints in the traffic, even when it is TLS protected.”
In a report titled “Deciphering Malware's use of TLS (without Decryption),” the authors examined millions of TLS-encrypted flows and tens of thousands of malicious TLS flows. They analyzed 18 malware families: Bergat, Deshacop, Dridex, Dynamer, Kazy, Parite, Razy, Sality, Skeeyah, Symmi, Tescrypt, Toga, Upatre, Virlock, Virtob, Yakes, Zbot and Zusy.

The research team used customized software to extract data features from live traffic and packet capture files. Using a single encrypted flow, the researchers attributed traffic to a malware family with 90.3% accuracy; using all encrypted flows within a 5-minute window, accuracy rose to 93.2%.
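As an added illustration (not Cisco's tool or code from the report), the snippet below shows the kind of plaintext handshake metadata a no-decryption approach can draw on: it parses a constructed TLS ClientHello for the offered cipher suites and extension types, builds an order-preserving fingerprint, and checks it against a constructed watch-list. Which features the authors actually used, and the watch-list entries, are assumptions made here for the example.

```python
import struct

def build_client_hello(suites, exts):
    """Assemble a minimal TLS 1.2 ClientHello record (constructed test input)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"  # version, fixed random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Extract plaintext ClientHello fields; no key material is needed."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9  # record header (5) + handshake header (4)
    version = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2 + 32  # skip the 32-byte client random
    p += 1 + rec[p]  # skip session id
    cs_len = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + rec[p]  # skip compression methods
    ext_types = []
    if p + 2 <= len(rec):  # extensions block is optional
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            ext_types.append(etype)
            p += 4 + elen
    return {"version": version, "suites": suites, "extensions": ext_types}

def fingerprint(f):
    """Order-preserving summary of version, offered suites and extension types."""
    return "%04x,%s,%s" % (f["version"], "-".join("%04x" % s for s in f["suites"]),
                           "-".join("%04x" % e for e in f["extensions"]))

# Constructed watch-list for the demo; a real one is learned from labelled malicious flows.
SUSPECT_FINGERPRINTS = {"0303,0004-0005-000a,": "demo-family-A"}
def classify(rec):
    fp = fingerprint(parse_client_hello(rec))
    return fp, SUSPECT_FINGERPRINTS.get(fp, "unknown")

# Constructed samples: a browser-like hello with SNI/groups, and a bare legacy RC4/3DES hello.
BROWSER_HELLO = build_client_hello([0x1301, 0xC02B, 0xC02F],
    [(0, b"\x00\x0c\x00\x00\x09localhost"), (10, b"\x00\x04\x00\x1d\x00\x17")])
LEGACY_HELLO = build_client_hello([0x0004, 0x0005, 0x000A], [])
```

Run on a real capture, the same parser would feed every ClientHello to `classify`, and the fingerprint strings are what a labelled data set turns into per-family signatures.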