New Research From Damballa: 80% Of Malware Still Favors HTTP

Sandboxing and signature strategies are simply not able to keep up with constantly morphing malware

September 10, 2013



September 5, 2013 – Atlanta – Damballa, the advanced threat discovery company, today released customer research data indicating that over 75% of active infections evade detection by traditional protection methods. Because malware evolves so quickly, some of the most frequently deployed security solutions cannot identify the active infections that lead to costly breaches.

"While next-gen malware is starting to leverage non-HTTP channels, such as peer-to-peer, HTTP continues to be the predominant channel used by 80% of all malware we see," said Terry Nelms, researcher at Damballa. "Malware today is using HTTP to 'blend in' and evade detection by sending small traces of information over the core ports and protocols that enterprises allow in and out of their network. Our research indicates that firewalls and IPS are highly ineffective at detecting next-gen malware infected devices."

Nelms presented this research (code name: ExecScent) in a USENIX Security paper titled "ExecScent: Mining for New C&C Domains in Live Networks with Adaptive Control Protocol Templates." In that work, the tool identified hundreds of infected hosts on networks that already had traditional security products deployed.

The company today announced new capabilities to detect emerging and never-before-seen malware by utilizing ExecScent as the basis for a new HTTP Request Profiler. In recent customer trials, the new HTTP Request Profiler within the Damballa Failsafe platform detected five times the number of active infections that traditional technologies found. Leveraging Damballa's Big Data harvesting and machine learning systems, trained on millions of malware samples a week from malware repositories and consumer and enterprise records, the new HTTP Request Profiler can statistically identify similar structures within HTTP requests to discover hidden infected devices.

Detecting today's advanced threats requires great efficiency and solutions that go beyond a single approach to recognizing malware. The new HTTP Request Profiler joins seven other Profilers in the Damballa Failsafe platform to deliver the most accurate determination that a device has actually been compromised.

Threat actors constantly change their control-server destinations and modify their malware with new serial variants and one-time-use malware sites to evade detection by signature- and sandbox-based systems. Because the destination and the binary change so often, active threat discovery benefits from combining behavioral and content-based approaches that analyze the syntax or structure of the communications, which changes far less frequently.

Damballa can now use this statistically similar structure to determine that a device is infected with a new variant of a known malware family. The new HTTP Request Profiler identifies malicious activity by analyzing the content and structure of an HTTP request, regardless of the malware variant or destination involved.
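The structural matching described above, as an added illustration that is not Damballa's or ExecScent's code: a simplified Python sketch of the idea. It generalizes the variable parts of a request (numeric, hex and base64-looking tokens) into placeholders, keeps only the components on which the known samples of a family agree, leaves the Host header out because the destination is the part attackers rotate, and down-weights components that benign traffic also matches so that a request "blending in" with a common User-Agent does not score as a hit. The sample requests, the benign baseline and the 0.8 threshold are constructed for the example; the actual research uses a richer template and scoring model than shown here.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic for this example (not real malware or Damballa
# data). Three check-ins from one hypothetical family: same request structure,
# different destinations and different per-bot values.
KNOWN_CNC = [
    "GET /gate/7a3f9c1e02b44d19/check.php?id=48213&v=102&os=win7 HTTP/1.1\r\n"
    "Host: update-cdn.example\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n",
    "GET /gate/0b91ee4c7d2a8f30/check.php?id=9917&v=102&os=winxp HTTP/1.1\r\n"
    "Host: 203.0.113.7\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n",
    "GET /gate/ffa012bc93de4477/check.php?id=310228&v=103&os=win7 HTTP/1.1\r\n"
    "Host: stats.example.net\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n",
]
# Constructed benign baseline from the same network; the second request shares
# the family's User-Agent, which is exactly the "blend in" case.
BENIGN = [
    "GET /api/v2/search?q=weather&page=3 HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/23.0\r\n\r\n",
    "GET /images/logo.png HTTP/1.1\r\nHost: cdn.example.org\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: portal.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/29.0\r\n\r\n",
]
# A never-before-seen variant: new host, new bot ID, new build number.
NEW_VARIANT = (
    "GET /gate/deadbeef00112233/check.php?id=77&v=104&os=win8 HTTP/1.1\r\n"
    "Host: 198.51.100.23\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
)


def value_type(tok, keep_literal):
    """Replace variable-looking tokens with a type placeholder. Path segments
    keep short literals (they are structure); query values do not."""
    if re.fullmatch(r"\d+", tok):
        return "<num>"
    if len(tok) >= 8 and re.fullmatch(r"[0-9a-fA-F]+", tok):
        return "<hex>"
    if len(tok) >= 16 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", tok):
        return "<b64>"
    return tok if keep_literal else "<str>"


def request_shape(raw):
    """Structural components of one request: method, generalized path, sorted
    parameter names with value types, and User-Agent. Host is deliberately
    left out: the destination is the part attackers rotate."""
    request_line, _, header_block = raw.partition("\r\n")
    method, target, _ = request_line.split(" ", 2)
    url = urlsplit(target)
    path = "/".join(value_type(seg, True) for seg in url.path.split("/"))
    params = tuple(sorted((k, value_type(v, False))
                          for k, v in parse_qsl(url.query, keep_blank_values=True)))
    ua = ""
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            ua = value.strip()
    return {"method": method, "path": path, "params": params, "ua": ua}


def build_template(samples):
    """Keep only the components on which every known sample of the family
    agrees; anything that varies across samples is not part of the template."""
    shapes = [request_shape(s) for s in samples]
    return {key: shapes[0][key] for key in shapes[0]
            if len({s[key] for s in shapes}) == 1}


def weight_template(template, benign):
    """Weight each template component by how rarely benign traffic matches it,
    so a generic method or User-Agent contributes little to a match score."""
    benign_shapes = [request_shape(b) for b in benign]
    return {key: 1.0 - sum(1 for b in benign_shapes if b[key] == value) / len(benign_shapes)
            for key, value in template.items()}


def match_score(raw, template, weights):
    """Weighted fraction of template components the request matches, 0..1."""
    shape = request_shape(raw)
    total = sum(weights.values())
    matched = sum(w for key, w in weights.items() if shape[key] == template[key])
    return matched / total if total else 0.0


def is_infected(raw, template, weights, threshold=0.8):
    # The threshold is a constructed choice for the example, not a tuned value.
    return match_score(raw, template, weights) >= threshold


if __name__ == "__main__":
    template = build_template(KNOWN_CNC)
    weights = weight_template(template, BENIGN)
    print("template:", template)
    for name, raw in [("new variant", NEW_VARIANT), ("benign, same UA", BENIGN[1])]:
        print(f"{name}: score={match_score(raw, template, weights):.2f} "
              f"infected={is_infected(raw, template, weights)}")
```

With the constructed data, the template reduces to `GET /gate/<hex>/check.php` with parameters `id=<num>`, `os=<str>`, `v=<num>` and the family's User-Agent; the new variant scores 1.0 although its host, bot ID and build number were never seen, while the benign request that shares the User-Agent scores only about 0.33 because the method and User-Agent are down-weighted as common in the baseline.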

For more information on the ExecScent research and the HTTP Request Profiler, visit


About Damballa

As the experts in advanced threat protection, Damballa discovers active threats that bypass all security prevention layers. Damballa identifies evidence of malicious network traffic in real time, rapidly pinpointing the compromised devices that represent the highest risk to a business. Our patent-pending solutions leverage Big Data from the industry's broadest data set of consumer and enterprise network traffic, combined with machine learning, to automatically discover and terminate criminal activity, stopping data theft, minimizing business disruption, and reducing the time to response and remediation. Damballa protects any device or OS including PCs, Macs, Unix, iOS, Android, and embedded systems. Damballa protects more than 400 million endpoints globally at enterprises in every major market and for the world's largest ISP and telecommunications providers. For more information, visit, or follow us on Twitter @DamballaInc.
