# Stealthy Malware Traffic - Not as Innocent as It Looks

**Authors:** Xingsi Zhong, Yu Fu, Lu Yu, Richard Brooks

arXiv: 1703.02200 · 2017-03-08

## TL;DR

This paper presents a novel method for disguising malicious malware traffic as innocuous protocols using format transformation and side-channel obfuscation, effectively evading detection and fooling smart grid systems.

## Contribution

The paper introduces a two-step approach, combining format transforming encryption with side-channel masking, that evades network-based malware detection methods.

## Key findings

- Transformed malware traffic mimics innocuous protocols successfully.
- The approach fools current side-channel attack detection techniques.
- Fake PMU data is accepted by a real smart grid PDC.

## Abstract

Malware is constantly evolving. Although existing countermeasures have success in malware detection, corresponding counter-countermeasures are always emerging. In this study, a counter-countermeasure that avoids network-based detection approaches by camouflaging malicious traffic as an innocuous protocol is presented. The approach includes two steps: Traffic format transformation and side-channel massage (SCM). Format transforming encryption (FTE) translates protocol syntax to mimic another innocuous protocol while SCM obscures traffic side-channels. The proposed approach is illustrated by transforming Zeus botnet (Zbot) Command and Control (C&C) traffic into smart grid Phasor Measurement Unit (PMU) data. The experimental results show that the transformed traffic is identified by Wireshark as synchrophasor protocol, and the transformed protocol fools current side-channel attacks. Moreover, it is shown that a real smart grid Phasor Data Concentrator (PDC) accepts the false PMU data.
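The abstract's last two findings point at the defensive lesson: a dissector's protocol label (Wireshark saying "synchrophasor") is weak evidence on its own, and a PDC that accepts frames on syntax alone can be fed fabricated data. The check below is an added example written for this summary, not code from the paper or its authors; it parses the IEEE C37.118.2 common frame header (SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, CHK), verifies the CRC, and then compares what the frames claim (timestamps at a fixed reporting rate, constant data-frame size for one configuration) with what the wire shows (inter-arrival gaps). The sample frames, the 30 frames/s rate and the tolerance are constructed here; `build_data_frame`, `parse_frame` and `check_stream` are names chosen for this example.

```python
"""Defender-side sanity check for traffic labelled as C37.118 synchrophasor data.
Added example, not from the paper. Frame layout follows the C37.118.2 common
header; sample frames, rate and tolerance are constructed for illustration."""
import struct


def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT as specified by C37.118.2: poly 0x1021, init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_data_frame(idcode: int, soc: int, fracsec: int, payload: bytes) -> bytes:
    """Construct a data frame (SYNC 0xAA01): 14-byte header, payload, 2-byte CHK."""
    body = struct.pack(">BBHHII", 0xAA, 0x01, 16 + len(payload), idcode, soc, fracsec)
    body += payload
    return body + struct.pack(">H", crc_ccitt(body))


def parse_frame(frame: bytes) -> dict:
    """Parse the common header; verify SYNC, FRAMESIZE and CHK, raising ValueError on failure."""
    if len(frame) < 16 or frame[0] != 0xAA:
        raise ValueError("missing SYNC byte or frame too short")
    sync1, framesize, idcode, soc, fracsec = struct.unpack(">BHHII", frame[1:14])
    if framesize != len(frame):
        raise ValueError("FRAMESIZE does not match frame length")
    if crc_ccitt(frame[:-2]) != struct.unpack(">H", frame[-2:])[0]:
        raise ValueError("CHK mismatch")
    return {"type": (sync1 >> 4) & 0x7, "idcode": idcode, "soc": soc,
            "fracsec": fracsec & 0x00FFFFFF,   # low 24 bits: fraction of second
            "quality": fracsec >> 24,          # high 8 bits: time-quality flags
            "size": framesize}


def check_stream(frames, arrivals, rate_hz, time_base=1_000_000, tol=0.25):
    """Compare claimed timestamps and frame sizes against observed inter-arrival gaps.
    Returns a list of findings; an empty list means the stream looks like a steady
    PMU feed at rate_hz frames per second (tolerance is a fraction of the period)."""
    findings, parsed = [], []
    for i, frame in enumerate(frames):
        try:
            parsed.append(parse_frame(frame))
        except ValueError as err:
            findings.append(f"frame {i}: {err}")
            parsed.append(None)
    period = 1.0 / rate_hz
    for i in range(1, len(frames)):
        prev, cur = parsed[i - 1], parsed[i]
        if prev is None or cur is None:
            continue
        if cur["type"] != prev["type"] or cur["idcode"] != prev["idcode"]:
            findings.append(f"frame {i}: frame type or IDCODE changed mid-stream")
        if cur["size"] != prev["size"]:
            findings.append(f"frame {i}: frame size changed {prev['size']} -> {cur['size']}")
        step = (cur["soc"] + cur["fracsec"] / time_base) - (prev["soc"] + prev["fracsec"] / time_base)
        if abs(step - period) > tol * period:
            findings.append(f"frame {i}: timestamp step {step:.4f}s, expected {period:.4f}s")
        gap = arrivals[i] - arrivals[i - 1]
        if abs(gap - period) > tol * period:
            findings.append(f"frame {i}: inter-arrival {gap:.4f}s, expected {period:.4f}s")
    return findings


def sample_streams():
    """Constructed samples: a steady 30 frames/s feed, and a stream whose headers and
    CRCs are valid but whose sizes and arrival gaps follow a payload, not a clock."""
    stamps = [int(i * 1_000_000 / 30) for i in range(6)]
    good = [build_data_frame(7, 1_600_000_000, fs, b"\x00" * 20) for fs in stamps]
    good_arrivals = [i / 30 for i in range(6)]
    bad = [build_data_frame(7, 1_600_000_000, fs, b"\x00" * (20 + 7 * (i % 3)))
           for i, fs in enumerate(stamps)]
    bad_arrivals = [0.0, 0.02, 0.09, 0.10, 0.21, 0.24]
    return good, good_arrivals, bad, bad_arrivals


if __name__ == "__main__":
    good, good_arr, bad, bad_arr = sample_streams()
    print("steady feed:", check_stream(good, good_arr, 30) or "no findings")
    print("suspicious feed:")
    for line in check_stream(bad, bad_arr, 30):
        print("  ", line)
```

The CRC and FRAMESIZE checks catch frames that only look like synchrophasor data to a dissector; the size and timing checks catch the side channels the paper says its SCM step must mask. A real deployment would also compare the IDCODE and configuration frame against the PDC's provisioned PMU list, which this example omits.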

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1703.02200/full.md

## Figures

13 figures with captions in the complete paper: https://tomesphere.com/paper/1703.02200/full.md

## References

45 references — full list in the complete paper: https://tomesphere.com/paper/1703.02200/full.md

---
Source: https://tomesphere.com/paper/1703.02200