In its 2014 Application Usage and Threat Report, Palo Alto Networks shared its finding that attackers are using old-school exploit techniques in new ways and in new places. Its research found that common protocols and services such as FTP, RDP, SSL, NetBIOS, and plain UDP are being used as gateways or pivot points to communicate directly with endpoints for the purpose of data exfiltration.
The company's analysis showed that nearly all threat activity was visible in only a small number of applications, and that "nearly 99 percent of all malware logs were generated by a single threat across a single application: unknown UDP." Traffic that a firewall can only classify as unknown UDP has become a command-and-control channel of choice for botnets, a safe place to "hide in plain sight," with the ZeroAccess botnet generating the heaviest amount of malware activity in the report.
When malware uses a custom peer-to-peer protocol over UDP that does not match any known UDP application signature, how can information security teams hope to identify it? EnCase Analytics studies and baselines process and connection activity at the socket level on the endpoint itself, so every socket a process opens is counted whether or not its traffic matches a known application. Because of this, it is possible to track volumes of activity by connection type, including TCP, UDP, RAW, TCP6, UDP6, and UNIX domain sockets.
Here's a look at an EnCase Analytics dashboard that shows connections by protocol:
And here is a view that shows those connections filtered for protocol types TCP, TCP6, UDP, and UDP6:
In this dashboard, we've drilled down to all UDP connections as seen from the endpoint. The bar chart sorts process names, in descending order, by the number of UDP connections each has opened across the entire enterprise. Using this view, you can hunt for suspicious UDP connection activity based on the process name and the volume of connections: a process that is not a known UDP user, or that has opened far more UDP connections than usual, stands out at the top of the chart. The trend chart at the bottom displays historical data so that today's counts can be compared against each process's normal behavior when identifying anomalous connection activity.
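The hunting logic behind that view, as an added example that is not EnCase Analytics code or part of the original post: it takes a snapshot of open sockets per endpoint (the tuples below are constructed to resemble a netstat-style socket inventory, with a hypothetical process name `updsvc.exe` standing in for an unknown UDP peer-to-peer client), ranks processes by enterprise-wide UDP connection count the way the bar chart does, counts distinct remote peers per process, and flags any process that has no UDP baseline or exceeds its own historical mean by a configurable number of standard deviations. The 14-day history is likewise constructed.

```python
"""Hunt for anomalous per-process UDP connection volume across endpoints.

Added example, not EnCase Analytics code. All records below are constructed;
updsvc.exe and the addresses are hypothetical.
"""
from collections import Counter
from statistics import mean, pstdev

UDP_TYPES = {"UDP", "UDP6"}

# Constructed sample: one tuple per open socket reported by an endpoint agent:
# (endpoint, process, socket type, local address, remote address).
CURRENT_SOCKETS = [
    ("ws-001", "svchost.exe", "UDP",  "10.0.1.11:137",    "*:*"),
    ("ws-001", "svchost.exe", "TCP",  "10.0.1.11:49700",  "10.0.0.5:389"),
    ("ws-001", "chrome.exe",  "UDP",  "10.0.1.11:52011",  "203.0.113.10:443"),
    ("ws-002", "svchost.exe", "UDP",  "10.0.1.12:137",    "*:*"),
    ("ws-002", "chrome.exe",  "UDP6", "[fd00::12]:52230", "[2001:db8::10]:443"),
    ("ws-002", "lsass.exe",   "TCP",  "10.0.1.12:49710",  "10.0.0.5:88"),
    ("ws-003", "svchost.exe", "UDP",  "10.0.1.13:137",    "*:*"),
    # Hypothetical unknown process talking to many peers from one local port:
    ("ws-003", "updsvc.exe",  "UDP",  "10.0.1.13:16001",  "198.51.100.7:16001"),
    ("ws-003", "updsvc.exe",  "UDP",  "10.0.1.13:16001",  "198.51.100.23:16001"),
    ("ws-003", "updsvc.exe",  "UDP",  "10.0.1.13:16001",  "192.0.2.77:16001"),
    ("ws-003", "updsvc.exe",  "UDP",  "10.0.1.13:16001",  "192.0.2.140:16001"),
    ("ws-003", "updsvc.exe",  "UDP",  "10.0.1.13:16001",  "203.0.113.201:16001"),
    ("ws-003", "updsvc.exe",  "UDP",  "10.0.1.13:16001",  "198.51.100.99:16001"),
    ("ws-003", "updsvc.exe",  "UDP",  "10.0.1.13:16001",  "192.0.2.8:16001"),
]

# Constructed 14-day history: enterprise-wide UDP connection count per process per day.
UDP_HISTORY = {
    "svchost.exe": [3, 3, 4, 3, 3, 2, 3, 3, 4, 3, 3, 3, 2, 3],
    "chrome.exe":  [2, 3, 2, 2, 1, 2, 3, 2, 2, 2, 1, 2, 2, 3],
}


def udp_connections_by_process(sockets):
    """Mirror of the dashboard bar chart: UDP/UDP6 connection count per process,
    summed across every endpoint, most active process first."""
    counts = Counter(proc for _, proc, stype, _, _ in sockets if stype in UDP_TYPES)
    return counts.most_common()


def distinct_udp_peers(sockets, process):
    """Number of distinct remote addresses a process talks to over UDP.
    Many peers from one local port is the shape of a peer-to-peer C2 channel."""
    peers = {remote for _, proc, stype, _, remote in sockets
             if proc == process and stype in UDP_TYPES and remote != "*:*"}
    return len(peers)


def flag_udp_anomalies(sockets, history, z=3.0, min_history_days=7):
    """Compare today's per-process UDP volume with that process's own history.
    A process is flagged when it has too little history to baseline (a newcomer
    on UDP) or when today's count exceeds mean + z * stdev of its past counts."""
    flagged = []
    for process, today in udp_connections_by_process(sockets):
        past = history.get(process, [])
        if len(past) < min_history_days:
            flagged.append((process, today, "no baseline"))
            continue
        mu, sigma = mean(past), pstdev(past)
        # Floor sigma at 1 so a perfectly flat history still leaves some slack.
        if today > mu + z * max(sigma, 1.0):
            flagged.append((process, today, f"{today} vs baseline {mu:.1f} +/- {sigma:.1f}"))
    return flagged


if __name__ == "__main__":
    for proc, n in udp_connections_by_process(CURRENT_SOCKETS):
        peers = distinct_udp_peers(CURRENT_SOCKETS, proc)
        print(f"{proc:<14}{n:>4} UDP connections, {peers} distinct remote peers")
    for proc, n, why in flag_udp_anomalies(CURRENT_SOCKETS, UDP_HISTORY):
        print(f"FLAG {proc}: {why}")
```

Run as written, the ranking puts `updsvc.exe` first with seven UDP connections to seven distinct peers, and it is flagged because it has no history at all; `svchost.exe` and `chrome.exe` sit inside their baselines. The distinct-peer count is the detail worth adding to the volume view: a legitimate service with many UDP sockets usually talks to a handful of servers, while a peer-to-peer bot fans out to many remote hosts.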
This visualization was built in EnCase Analytics in just a few minutes, using the out-of-the-box data schema, and is only one of thousands of dashboards, if not more, that can be created using the included data-visualization authoring tool.
What kind of visualization would you like to see? Let us know your thoughts in the Comments section below, and you can always learn more about EnCase Analytics right here.