Roberto Perdisci is an expert on botnets and malware infections at the University of Georgia. He came to Switzerland to present his Amico Open Source Software at Swiss Cyberstorm 2014 and I (Christian Folini here) had the pleasure to host a workshop with him and several malware specialists from MELANI, the Federal Swiss Reporting and Analysis Centre for Information Assurance.
Roberto covered his Amico software, which inspects HTTP traffic to detect drive-by and other malware downloads. Unlike anti-virus software, Amico takes a heuristic approach that examines the files requested by the clients. Characteristics of interest include changing file hashes for the same download, changing download links, domains that move around (including fast flux), switching IP addresses and more of the kind. His Cyberstorm presentation can be downloaded here.
He reports a malware detection rate of 90% with a false-positive rate of about 0.5%. That is quite remarkable.
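To make the "moving target" signals above concrete, here is a small added example (my own illustration, not Amico's code or its classifier) that aggregates a constructed gateway log of executable downloads into per-URL churn features: how many distinct file hashes one URL served, how many IPs its domain mapped to, and how many domains served the same hash. The log entries, hostnames and threshold values are all made up for the illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed gateway log of executable downloads, not real traffic:
# (client, url, server_ip, sha256_prefix). Values chosen for illustration.
DOWNLOADS = [
    ("10.0.0.5",  "http://updates.vendor.test/setup.exe",  "198.51.100.10", "aaaa"),
    ("10.0.0.6",  "http://updates.vendor.test/setup.exe",  "198.51.100.10", "aaaa"),
    ("10.0.0.7",  "http://updates.vendor.test/setup.exe",  "198.51.100.11", "aaaa"),
    ("10.0.0.8",  "http://dl.churn.test/inst.exe",         "203.0.113.5",   "bbb1"),
    ("10.0.0.9",  "http://dl.churn.test/inst.exe",         "203.0.113.77",  "bbb2"),
    ("10.0.0.10", "http://dl.churn.test/inst.exe",         "203.0.113.140", "bbb3"),
    ("10.0.0.11", "http://mirror.other.test/get.php?id=7", "192.0.2.14",    "bbb1"),
]

def churn_features(records):
    """Per URL: distinct hashes it served (server-side polymorphism),
    distinct IPs behind its domain (fast-flux-like), and the largest
    number of domains that served any one of its hashes (redistributed file)."""
    url_hashes, domain_ips, hash_domains = defaultdict(set), defaultdict(set), defaultdict(set)
    for _client, url, ip, sha in records:
        domain = urlsplit(url).hostname
        url_hashes[url].add(sha)
        domain_ips[domain].add(ip)
        hash_domains[sha].add(domain)
    feats = {}
    for url, hashes in url_hashes.items():
        domain = urlsplit(url).hostname
        feats[url] = {
            "hashes_per_url": len(hashes),
            "ips_per_domain": len(domain_ips[domain]),
            "domains_per_hash": max(len(hash_domains[h]) for h in hashes),
        }
    return feats

def score(feat, thresholds=(1, 2, 1)):
    """Toy rule score 0..3: one point per signal above its (made-up) threshold.
    A real system learns a classifier over many such features; this only
    shows the signal, not the model."""
    h, i, d = thresholds
    return int(feat["hashes_per_url"] > h) + int(feat["ips_per_domain"] > i) \
        + int(feat["domains_per_hash"] > d)

def suspicious_urls(records, min_score=2):
    """URLs whose churn score reaches min_score, sorted for stable output."""
    return sorted(u for u, f in churn_features(records).items() if score(f) >= min_score)

if __name__ == "__main__":
    for url, f in churn_features(DOWNLOADS).items():
        print(score(f), url, f)
```

A vendor update served as one constant hash from two CDN addresses scores 0, while a URL that hands every client a different binary from a domain hopping between addresses scores 3; the second-hand mirror of one of those binaries only picks up the shared-hash point.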
Then we went on to discuss the merits and disadvantages of breaking SSL/TLS connections in enterprise and federal networks, policy issues and the like. The group talked about cybercrime-as-a-service, including former bulletproof hosters that have developed into seemingly lawful resellers of hosting services. They provide their customers with alternative servers immediately if a domain is taken down at the request of a government.
APT is still hot, and BYOD policies open new options for malware, as the devices move between different security environments. The malware waits until it sees that the user is at home or at Starbucks and then sends out the secret data via covert channels that are blocked while the device resides inside the protected network.
All in all a very interesting morning, especially for me, as it gave me some insight into a field of security I am usually not very familiar with.