UDP: The Malware Hiding Place of Choice

Chad Berndtson


Category: Malware, Reports

Our 2014 Application Usage and Threat Report reveals that attackers are using existing applications on networks and carrying out threat activity using traditional exploit techniques in nontraditional ways. Among those techniques, common network applications such as UDP, FTP, RDP, SSL and NetBIOS are being used for lateral communications and exfiltration of data.

Based on our analysis, what’s interesting is that a small number of applications exhibited nearly all threat activity — and that nearly 99 percent of all malware logs were generated by a single threat across a single application: unknown UDP

Many organizations seem to ignore UDP because it is a stateless protocol, other applications such as video use it, and it is found on every network. But the report data shows that many of the botnets we detected in this year’s AUTR research used UDP for their command-and-control channel.

The heaviest malware activity came from the ZeroAccess botnet, which is used by cyber criminals for several purposes, from “mining” for Bitcoins, to perpetuating click-fraud against online advertisers, to generating spam e-mails. An important takeaway is that the use of custom peer-to-peer across UDP works well from the attacker’s point of view, but typically does not match any known UDP applications, resulting in that botnet traffic being identified as unknown UDP. This technique of “hiding in plain sight” is common in malware traffic and is one of key reasons why unknown UDP was where we found such a high volume of malware activity was found.

Download the 2014 Application Usage and Threat Report to learn more about cyber activities involving unknown UDP and also how to implement proactive controls.

For More

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.