What percent of recent malware that transmits data bypasses basic outbound filtering?

Discussion in 'other firewalls' started by MrBrian, May 29, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian (Registered Member, joined Feb 24, 2008, USA):

    Approximately what percent of recent malware that transmits data bypasses basic outbound filtering? Would it be closer to 10%, 50%, or 90%?
     
  2. noone_particular (Registered Member, joined Aug 8, 2008):

    That's an impossible question to answer without a more specific description of what you mean by bypassing outbound filtering. The answer will vary greatly depending on the abilities of the firewall involved. Are you referring to those that connect out via an application (svchost or Internet Explorer) that already has outbound access, as opposed to connecting directly? Malware that replaces or corrupts Winsock, or establishes its own separate access route?

    With an almost unlimited quantity of malware variants in existence and more being released every minute, an accurate figure is impossible. Even if one could be calculated, it would be out of date by the time you finished.

    The samples I have are not representative of what's in circulation and don't include the more recent releases. Out of these, less than half connect out directly. A substantial percentage use svchost.exe, which is allowed internet access on most systems.
     
  3. MrBrian (Registered Member, joined Feb 24, 2008, USA):

    Here is what I meant: let's say the malware is badstuff.exe. If the malware connects only through badstuff.exe, and in a manner that the most basic but competent firewall with outbound filtering would be expected to block, then for the purposes of this thread I would consider badstuff.exe to not have bypassed basic outbound filtering. Anything else, including using rootkits to cloak activity, plus all of the scenarios you outlined, would be considered a bypass. Anything sneaky would be considered a bypass. Probably almost anything in the Matousec tests would be considered a bypass.

    If I understand correctly, then your answer to my question is more than 50%, but with the caveat that you're using somewhat older samples. I wasn't looking for an exact figure, just a rough estimate. Thank you for the response :).
     
  4. Espresso (Registered Member, joined Aug 1, 2006):

    I come across many that use a file called svchost.exe but I hardly remember any that attempt to use the actual svchost process.

    In my experience at testing infected files, I've found that the vast majority attempt direct connections.
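    The svchost.exe lookalikes Espresso describes above (a malware file that merely carries the name, as opposed to code running inside the real service host that noone_particular mentions in post 2) can be separated from the genuine process with a few checks on a process listing. The following is an added example written for this page, not code from any poster. It assumes process records as plain dicts with name, path, parent and command line (the sample snapshot is constructed) and a default Windows install path; it only catches the separate-file case, since injected code looks identical to the real svchost.exe in such a listing and needs a different check.

```python
"""Separate the genuine svchost.exe from lookalike files in a process snapshot.

Added example for this thread, not code from any poster. The snapshot
format (plain dicts with name/path/parent/cmdline) and the sample records
below are constructed; on a live Windows host you would fill them from
psutil or the Win32 process APIs.
"""
import ntpath

GENUINE = "svchost.exe"
# The real service host only ever runs from these two directories ...
GENUINE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# ... is always started by the Service Control Manager ...
GENUINE_PARENT = "services.exe"
# ... and is always told which service group to host.
GENUINE_ARG = "-k "


def looks_like_svchost(name):
    """True for the real name and for one-character imitations (svch0st.exe)."""
    n = name.lower()
    if n == GENUINE:
        return True
    if len(n) != len(GENUINE):
        return False
    return sum(a != b for a, b in zip(n, GENUINE)) <= 1


def classify(proc):
    """Return the reasons a record is NOT the genuine service host.

    An empty list means the record is consistent with the real svchost.exe
    (or is not a svchost lookalike at all). Code injected into the real
    process is invisible to these checks; they only catch the separate-file case.
    """
    reasons = []
    name = proc["name"]
    if not looks_like_svchost(name):
        return reasons
    if name.lower() != GENUINE:
        reasons.append("name %r imitates %s" % (name, GENUINE))
    if ntpath.dirname(proc["path"].lower()) not in GENUINE_DIRS:
        reasons.append("image outside System32/SysWOW64: " + proc["path"])
    if proc["parent"].lower() != GENUINE_PARENT:
        reasons.append("parent is %s, not %s" % (proc["parent"], GENUINE_PARENT))
    if GENUINE_ARG not in proc["cmdline"].lower():
        reasons.append("no '-k <group>' argument: %r" % proc["cmdline"])
    return reasons


def find_fakes(snapshot):
    """Map image path -> reasons for every record that fails a check."""
    fakes = {}
    for proc in snapshot:
        reasons = classify(proc)
        if reasons:
            fakes[proc["path"]] = reasons
    return fakes


# Constructed sample snapshot: one genuine host, two lookalikes, one unrelated process.
SAMPLE_SNAPSHOT = [
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"name": "svchost.exe", "path": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "parent": "explorer.exe", "cmdline": "svchost.exe"},
    {"name": "svch0st.exe", "path": r"C:\Windows\Temp\svch0st.exe",
     "parent": "cmd.exe", "cmdline": "svch0st.exe -k netsvcs"},
    {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "parent": "userinit.exe", "cmdline": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for path, reasons in find_fakes(SAMPLE_SNAPSHOT).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

    On a firewall that keys its rules on the image path, a lookalike file in AppData or Temp is an unknown program and gets prompted or blocked like any other; that is MrBrian's "basic outbound filtering" case, not a bypass. The routes noone_particular lists in post 2, injecting into the real svchost.exe or replacing Winsock, are the ones a listing like this cannot distinguish and that a path-based rule does not stop.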
     
  5. wat0114 (Guest):


    For years, I've controlled how svchost connects with a firewall, in the present case with Win 7 two-way. Mainly I do this because I hate how it likes to call home to the MS mothership from time to time. I've only tested ~30 malware samples within the last year using Malware Defender with outbound filtering in a VM, and several samples attempted outbound access but they were caught by MD. Otherwise I have no idea of the percentage of recent malware that can bypass FW filtering.

    *EDIT*

    Actually, member Franklin is probably best qualified to respond to this. He's a volunteer malware tester.
     
    Last edited by a moderator: Jun 1, 2010