Characterizing Anomalies in Malware-Generated HTTP Traffic

<table class="table-group" id="tab1"><tr><td><table class="table"><tr><td class="thead-hr" colspan="2"><hr/></td></tr><tr class="thead"><td class="align_left">Snort ID</td><td class="align_center">Alert message</td></tr><tr><td class="thead-hr" colspan="2"><hr/></td></tr><tr><td class="align_left">1:43685:1</td><td class="align_center">MALWARE-OTHER Win.Trojan.Nemucod variant outbound connection</td></tr><tr><td class="align_left">1:2023577:1</td><td class="align_center">ET TROJAN Locky CnC Checkin HTTP Pattern</td></tr><tr><td class="align_left">1:32678:2</td><td class="align_center">MALWARE-CNC Win.Trojan.Dridex variant outbound connection</td></tr><tr><td class="align_left">1:33145:2</td><td class="align_center">MALWARE-CNC Win.Trojan.Dridex initial outbound connection</td></tr><tr><td class="align_left">1:2019478:1</td><td class="align_center">ET TROJAN Dridex POST Checkin</td></tr><tr><td class="align_left">1:2023551:1</td><td class="align_center">ET TROJAN Locky CnC checkin Nov 21</td></tr><tr><td class="align_left">1:2023552:1</td><td class="align_center">ET TROJAN Locky CnC checkin Nov 21 M2</td></tr><tr><td class="align_left">1:2807610:2</td><td class="align_center">ETPRO TROJAN DirtJumper DDoS (INBOUND)</td></tr><tr><td class="align_left">1:2016879:2</td><td class="align_center">ET POLICY Unsupported/Fake Windows NT Version 5.0</td></tr><tr><td class="align_left">1:2821731:3</td><td class="align_center">ETPRO CURRENT_EVENTS MalDoc Request for Payload Aug 17, 2016</td></tr><tr class="table-tr"><td colspan="2"><hr class="tbody-hr"/></td></tr></table></td></tr></table>

<div>The top 10 most common Snort IDs and alert messages observed in the analyzed traffic.</div>

Security and Communication Networks

Characterizing Anomalies in Malware-Generated HTTP Traffic

Table 1