Content-Type Mismatch Detection

Published by Alex Kirk

In a recent analysis of the Zeus trojan, a new rule was created that detects a mismatch between a declared content-type of "text/html" and the actual data in a response from a web server (SID 16460 of the Talos Certified Rules set). The rationale behind this rule, in a nutshell, is that the data returned by Zeus C&C servers is encrypted. While cracking this encryption and inspecting plaintext data is infeasible, especially at wire speeds, checking that no HTML is present when HTML is the declared type of content is feasible, and is a reliable way of finding Zeus C&C traffic.

As predicted in that analysis, this rule is useful for finding C&C traffic for other malware families as well. During analysis of some Torpig PCAPs submitted by a customer, we realized that its C&C servers behave virtually identically to Zeus' servers: the infected host sends a POST request that contains binary data, presumably encrypted, and the controlling server replies with a packet whose declared content-type is "text/html", but whose data is actually more binary/encrypted data. In Bredolab PCAPs from machines that Talos had infected, the controlling servers generated traffic that triggered this rule in two distinct scenarios: when serving up malicious binaries (see packet #11 in the sample below), and when responding to GET requests from the infected host, which resulted in the bare string "ok" (see packet #95).

While Talos advises caution using this rule in blocking mode - its triggering conditions are generalized enough that it could still fire on legitimate traffic - this rule should be a useful tool for detecting malware on your network.
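The check described above can be sketched offline as follows. This is an added example, not the logic of SID 16460 or any Talos code: the HTML heuristic, the 256-byte inspection window, the handling of `Content-Encoding`, and all sample responses are assumptions constructed for illustration.

```python
import re

INSPECT = 256  # assumed inspection depth in bytes, not a value from the rule

# Assumed heuristic for "some HTML is present": a doctype, comment or tag opens
# within the inspected window. The real SID 16460 logic is not shown on this page.
HTML_HINT = re.compile(rb"<\s*(?:!doctype\b|!--|/?[a-z][a-z0-9]*[\s>/])", re.I)

def parse_response(raw):
    """Split a raw HTTP response into lower-cased headers and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def is_mismatch(raw):
    """True when the response declares text/html but carries no HTML."""
    headers, body = parse_response(raw)
    ctype = headers.get(b"content-type", b"").split(b";")[0].strip()
    if ctype != b"text/html" or not body.strip():
        return False  # other types and empty bodies are out of scope
    if headers.get(b"content-encoding", b"identity") != b"identity":
        return False  # compressed HTML looks binary; decode before judging
    return HTML_HINT.search(body[:INSPECT]) is None

def resp(ctype, body, extra=b""):
    """Build a constructed sample response."""
    return b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype + b"\r\n" + extra + b"\r\n" + body

# Constructed samples, not taken from the PCAPs discussed above.
SAMPLES = {
    "real_html": resp(b"text/html; charset=utf-8", b"<!DOCTYPE html><html><body>hi</body></html>"),
    "binary_as_html": resp(b"text/html", bytes(range(128, 256))),
    "bare_ok": resp(b"text/html", b"ok"),
    "gzip_html": resp(b"text/html", b"\x1f\x8b\x08\x00\x00", b"Content-Encoding: gzip\r\n"),
    "honest_binary": resp(b"application/octet-stream", bytes(range(128, 256))),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} mismatch={is_mismatch(raw)}")
```

The `bare_ok` sample is flagged just like the binary one, which illustrates why the condition is broad enough to fire on short plaintext replies from legitimate servers as well.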

As a service to the community, Talos will maintain on this page a list of the different types of malware that we have detected in our tests using this rule. To date, this includes:

  • Zeus
  • Torpig
  • Bredolab

Sample data: