Half of Q1's malware traffic observed by Sophos was TLS encrypted, hiding inside legit requests to legit services

After years of warnings about security, surveillance, and unwanted state intrusion, one group of internet-connected folk has taken heed: malware operators. British infosec biz Sophos reckons just under half of malware traffic it saw in the wild during the opening three months of 2021 alone was using Transport Layer Security ( …

  1. deive

    "nearly half of all malware TLS communications went to servers in the United States and India." - This fact seems a bit commy!?!

    1. Diogenes8080

      Jolly Boating Weather

      Possibly correct if your honeypot is in Chennai.

      Elsewhere in the world, other nets are likely to figure. For botnets, Stiff's scurvy crew say CN 1st, IN 2nd and US 3rd:

      I am surprised the ratio of encrypted traffic is not higher. SSL is free, domains and hosting are cheap and no-one seems to think it is their problem if a fraudster tells lies when applying for any of these.

      1. stiine Silver badge

        Re: Jolly Boating Weather

        These days, unencrypted traffic on port 80 would be even more suspect...

    2. Alumoi Silver badge

      What were you expecting?

      US for NSA and India for customer support.

  2. Hubert Cumberdale Silver badge

    Criminals are using encryption?

    Then it should be banned!! Won't somebody think of the children?!!! (But not in that way.)

  3. Mike 137 Silver badge

    It had to happen

    However concealing malware on the fly using transport encryption is only a small part of the problem. "Hiding inside legit requests to legit services" worries me a whole lot more, and that can (and does) happen with or without TLS.

    1. Throatwarbler Mangrove Silver badge

      Re: It had to happen

      It would be a lot easier to detect nefarious traffic, however, if the traffic were not already encrypted.

      We're moving to the point that deep-packet inspection at the edge of the consumer network is going to be a necessity. Basically, each home's router/firewall will also need to act as a Web proxy configured to decrypt and inspect all traffic passing through it to search for malware, as is currently common on enterprise networks. That should be a fun exercise.

      1. Anonymous Coward

        TBH that's been the case for quite some time, it's hardly a revelation from Sophos here.

        Any serious intrusion has been using SSL traffic for C2 for a long old time.

        The reasons are two fold:

        1) it's encrypted (like duh!)

        2) Your network already chucks out so much SSL that they hide in the background noise

        So you could always use something clever to decrypt and inspect at your edge - assuming that in 2021 you actually still have a physical edge now your workforce is working from home.

        Assuming you have a physical edge, all you need to do is to deploy forward trust certs to all of your endpoints so the magic box can inspect the traffic.... at this point in any complex environment you then need to start building an exception list for decryption or everything breaks.... shortly after this you'll probably look for a low beam and a length of rope.

        Your mileage may vary, but in a large complex environment....

        You could always use ETDR solutions rather than network intercept, might be easier these days. Just make sure you buy the correct vendor one or you'll discover a large chunk of your platforms aren't supported either...

    2. Anonymous Coward

      Re: It had to happen

      PS using stuff like Reddit or Google docs or Google calendar or facebook or even posted in slack (or IRC!) are all C2 methods I've seen for years and years....

      The bad guys will do anything to try and hide their comms, which is why ETDR is a much better way of combatting them than trying to use network tools - and I say that as a network person as much as a security one.

  4. Anonymous Coward

    IPv6 isn't exactly helping.

    I'm going to have to look for a firewall that can zap the extensible header functionality because it is almost tailor made for covert transmissions.

    1. Chris Hills

      Re: IPv6 isn't exactly helping.

      100% agree. I am a massive IPv6 proponent, but extensible headers and fragmentation are terrible ideas.

  5. vogon00

    Encrypt, Encrypt, Encrypt, Encrypt...

    ...seems to be the current industry mantra, which is a good thing and a bad thing.

    On one hand, I like encryption as it means there is less chance of 'leaking' stuff you really should keep secure (Banking, authentication details, loads of stuff). This is the main benefit for us 'end users', let alone the non-cognoscenti 'Joe Public' who don't know enough to be concerned.

    On the other, encryption can be a PITA even at small scale and like all 'security' stuff it can get in the way a bit. My main objection is that people like me can no longer peer into the data stream and figure out how something works and/or what has gone wrong. When encryption wasn't as ubiquitous as it is now, malware was easier to spot as it tried to obfuscate/encrypt what it was doing...which was a 'red flag' back in the day. Now, it's just more encrypted unobservable traffic... Personally, I miss the ability to 'reverse engineer' AKA learn-by-example using Wireshark :-)

    Mine is the one with only port 80 in the pocket :-)

    Encryption benefits you and the owner of the endpoint you are talking to - and that's it. e.g. only Microsoft/Google/Amazon/Other infrastructure vendor get to see and use the juicy personal data you provide them with, as they have access to the decrypted 'raw' stuff (Unless they sell it on, of course). I'm half tempted to go a bit further and say it only benefits them, not you, as it gives them a 'protected' revenue stream!

    1. Graham Cobb Silver badge

      Re: Encrypt, Encrypt, Encrypt, Encrypt...

      It's just a tool.

      Sure, nowadays, all protocols use TLS, whether legitimate, confidential, criminal or just cat pictures. That's a good thing and, more importantly, there is no more point moaning about it than that it snows in winter. It isn't going to go away.

      Even without TLS, much data is compressed, which makes it just as hard to see what any particular communication contains.

    2. Anonymous Coward

      Re: Encrypt, Encrypt, Encrypt, Encrypt...

      Decrypt it then if you want.... it's fairly simple.

      Forward trust certs allow MITM intercept.

      As I wrote above, on a small scale, dead easy.... just don't assume it scales so easily ;-) Definitely don't believe glib comments from vendors of gear that does it!!
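Worked example, added here and not part of any comment above (nor Sophos's or any inspection vendor's code): the "forward trust certs allow MITM intercept" point just above and the earlier warning that in a complex environment you "need to start building an exception list for decryption or everything breaks" both come down to one decision the inspecting proxy makes per connection. Before it can forge a certificate it has to know who the client is talking to, and the only thing it can key an exception list on without decrypting anything is the SNI host name in the ClientHello. The block below is a bounds-checked SNI parser, a hypothetical do-not-decrypt list (the hostnames are constructed placeholders), and the intercept/bypass decision; the ClientHello builder only produces sample input so the parser can be exercised offline. A connection with no usable SNI is reported rather than quietly bypassed, because "no SNI" is exactly what a client hiding in the background noise would look like.

```python
import struct

# Constructed do-not-decrypt list for this example (not data from the thread):
# pinned-certificate clients, banking or health sites the proxy must pass
# through untouched. Exact names or "*.suffix" wildcards.
DECRYPT_EXCEPTIONS = {
    "bank.example.com",
    "*.health.example",
    "updates.example.net",  # hypothetical client that pins its certificate
}


def build_client_hello(hostname, include_sni=True):
    """Build a minimal TLS ClientHello record as constructed sample input.
    Only the fields the parser walks are realistic; the random is filler, and
    a supported_versions extension is always present so the parser must skip
    an extension it does not care about."""
    extensions = b""
    if include_sni:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # host_name
        sni_body = struct.pack("!H", len(entry)) + entry           # server_name_list
        extensions += struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    sv_body = b"\x02\x03\x04"
    extensions += struct.pack("!HH", 0x002B, len(sv_body)) + sv_body
    body = (
        b"\x03\x03"                              # client_version
        + b"\x11" * 32                           # random (filler)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None.
    A truncated or malformed record yields None rather than an exception:
    a middlebox must not fall over on bad input."""
    try:
        if record[0] != 0x16:                    # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                        # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                             # client_version + random
        pos += 1 + body[pos]                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                     # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if end > len(body):                      # extensions overrun record
            return None
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            if len(ext) < ext_len:
                return None
            pos += 4 + ext_len
            if ext_type != 0x0000:               # skip non-SNI extensions
                continue
            lst_end = min(len(ext), 2 + struct.unpack("!H", ext[:2])[0])
            q = 2
            while q + 3 <= lst_end:              # entries: type(1) len(2) name
                ntype, nlen = ext[q], struct.unpack("!H", ext[q + 1:q + 3])[0]
                name = ext[q + 3:q + 3 + nlen]
                if len(name) < nlen:
                    return None
                q += 3 + nlen
                if ntype == 0:                   # name type host_name
                    return name.decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def matches_exception(host, exceptions=DECRYPT_EXCEPTIONS):
    """True if host is on the do-not-decrypt list (exact or *.suffix match)."""
    host = host.lower().rstrip(".")
    return any(host.endswith(e[1:]) if e.startswith("*.") else host == e
               for e in exceptions)


def decrypt_decision(record, exceptions=DECRYPT_EXCEPTIONS):
    """'intercept': hand the session to the inspecting (MITM) proxy.
    'bypass': SNI is on the exception list; pass it through untouched.
    'no-sni': nothing to key the exception list on; flag it for review
              rather than silently bypassing."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    return "bypass" if matches_exception(sni, exceptions) else "intercept"
```

The wildcard form is deliberately suffix-only: an entry such as `*.health.example` should exempt hosts under that domain and nothing else, and a bare `health.example` does not match it. Every exception you add is a hole in the inspection, which is the scaling problem the comment above is pointing at; the list wants an owner and a review date, not just an append.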

  6. petef

    In my experience most features that enhance security are adopted more quickly by the bad guys.

Biting the hand that feeds IT © 1998–2022