Malware and botnets rely on DNS to communicate with their command and control servers. As such, recent malware detection systems attempt to detect anomalies in DNS request patterns. These systems claim to work as a catch-all for any malware that abuses the DNS system. But are these systems actually effective? Prior to deploying any malware detector, or when new malware is on the rise, enterprises should evaluate the effectiveness of such detectors.
One way of testing the effectiveness is to run real malware samples and check whether they are detected. However, this is infeasible in a production network, as there is always a risk that the malware might cause damage. Furthermore, malware samples often do not execute on demand, which makes testing difficult.
Today, we offer Maltese – a Malware Traffic Emulator that allows you to generate malicious traffic in order to test the effectiveness of malware detector solutions, with the current version focusing on DNS traffic. Released at Black Hat 2016, the tool allows you to emulate the DNS traffic patterns of a given malware family, inject it into a network, and observe whether the malware detector reports an infection. The injected traffic is completely benign and, therefore, testing poses no risk to the network. The generation of DNS traffic patterns can be based on individual research or on information published by various members of the security community.
Currently, security practitioners resort to one-off scripts or hacked-together environments to satisfy this testing need. These one-offs often involve a generated list of domains, a network packet capture (PCAP) of the malicious traffic, or a Domain Generation Algorithm (DGA). Our tool enables security professionals to utilize any of these three artifacts in an easy, quick, and configurable manner for generating DNS traffic patterns.
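To make the evaluation loop concrete, here is an added example (not Maltese's own code) showing the domain-list flavour of the idea as a dry run: a query schedule is built from a constructed domain list, the schedule is then fed to a toy detector-side scorer that computes the kind of features DNS anomaly detectors look at (label entropy, NXDOMAIN ratio, beaconing regularity), and the result tells you whether a detector with those thresholds would have raised an alert. Nothing is transmitted; the schedule is only planned, and the domains, thresholds and resolver behaviour are all constructed assumptions for illustration. The PCAP and DGA artifact types the post mentions are not covered here.

```python
"""Dry-run emulation of a DNS query pattern from a domain list, plus a toy
detector-side check. Hypothetical example code, not part of Maltese.
Nothing here touches the network: the plan is computed, not transmitted."""
import math
import random
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class PlannedQuery:
    """One query the emulator would send: when (seconds from start) and what."""
    t_offset: float
    qname: str
    qtype: str = "A"


def plan_from_domain_list(domains, interval_s, jitter_s=0.0, seed=1):
    """Build a query schedule that walks through `domains` every `interval_s`
    seconds, with optional uniform jitter. The schedule is returned, not sent,
    so a test run can be inspected before anything is injected."""
    rng = random.Random(seed)  # fixed seed keeps test runs reproducible
    plan, t = [], 0.0
    for name in domains:
        plan.append(PlannedQuery(round(t, 3), name.lower().rstrip(".")))
        t += interval_s + rng.uniform(-jitter_s, jitter_s)
    return plan


def shannon_entropy(s):
    """Bits of entropy per character; high values are a common DGA indicator."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def leftmost_label(qname):
    return qname.split(".")[0]


def detector_features(plan, resolvable):
    """Features a DNS anomaly detector typically derives from a query stream.
    `resolvable` is the set of names the test resolver would answer; any other
    name is counted as an NXDOMAIN."""
    names = [q.qname for q in plan]
    gaps = [b.t_offset - a.t_offset for a, b in zip(plan, plan[1:])]
    return {
        "queries": len(plan),
        "mean_label_entropy": mean(shannon_entropy(leftmost_label(n)) for n in names),
        "nxdomain_ratio": sum(n not in resolvable for n in names) / len(names),
        # coefficient of variation of inter-query gaps: ~0 means beacon-like regularity
        "gap_cv": (pstdev(gaps) / mean(gaps)) if len(gaps) > 1 and mean(gaps) > 0 else 0.0,
    }


def would_flag(f, entropy_thr=3.0, nx_thr=0.5, cv_thr=0.1):
    """Toy rule in the spirit of a DNS anomaly detector (thresholds are
    assumptions): flag on high-entropy labels, mostly-NXDOMAIN answers, or
    very regular timing. Returns the list of reasons, empty if not flagged."""
    reasons = []
    if f["mean_label_entropy"] >= entropy_thr:
        reasons.append("high-entropy labels")
    if f["nxdomain_ratio"] >= nx_thr:
        reasons.append("NXDOMAIN ratio")
    if f["queries"] >= 5 and f["gap_cv"] <= cv_thr:
        reasons.append("beacon-like interval")
    return reasons


# Constructed artifacts standing in for a published domain list (not real IoCs).
BENIGN_DOMAINS = ["www.example.com", "mail.example.com", "cdn.example.net",
                  "www.example.org", "api.example.net"]
DGA_LIKE_DOMAINS = ["q8zt4kpx.example.org", "m1vb7ncw.example.org",
                    "z3rk9hdq.example.org", "b6xy2lpt.example.org",
                    "k4wj8mzs.example.org"]
RESOLVABLE = set(BENIGN_DOMAINS)  # the constructed resolver answers only these


def run_case(domains, interval_s, jitter_s=0.0):
    """Plan the traffic for one domain list and report what the toy detector
    would flag."""
    plan = plan_from_domain_list(domains, interval_s, jitter_s)
    return would_flag(detector_features(plan, RESOLVABLE))


if __name__ == "__main__":
    print("benign, jittered :", run_case(BENIGN_DOMAINS, 30, 10))
    print("DGA-like, beacon :", run_case(DGA_LIKE_DOMAINS, 30))
```

Running it shows the point of emulator-based testing: the same harness that drives the traffic can predict which detector features the pattern exercises, so if the real detector stays silent on a pattern that the scorer flags on three counts, you have learned something about the product's claims without ever running a sample. Swapping `would_flag` for the vendor's actual alerting and `plan_from_domain_list` for a sender is the step this dry run deliberately leaves out.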
Download the tool and play around with it in your environment. Testing the veracity of manufacturers’ claims can be a difficult task. With Maltese, one piece just got a bit easier.