Palo Alto Networks' annual threat analysis of customer network traffic shows that botnet-controlled malware that makes its way into enterprise networks almost always uses the User Datagram Protocol (UDP) to communicate, blending in with legitimate UDP-based applications such as video.
According to Palo Alto's "Application Usage and Threat Report" on network traffic in 5,500 organizations, the stateless, transaction-oriented UDP is the overwhelming choice of botnet command-and-control systems for maintaining communications with malware that's weaseled its way into the enterprise network. The lesson is that these botnet UDP communications can easily hide among other UDP-based applications, especially video, which is proliferating in enterprise use.
"The reason we highlighted UDP is because it's often an ignored protocol," says Ryan Olson, head of threat intelligence at Palo Alto. "But UDP is not something you can just ignore."
A look at network traffic in 5,500 organizations over a year shows that malware is using UDP a full 98% of the time to communicate to a command-and-control system, according to the report. It's trying to "hide in plain sight" by blending in with the many UDP-based applications that might be found in corporate use. Palo Alto also looked at what kind of applications were being used in the corporate networks analyzed. This showed that 129 types of video applications were in use across 91% of the customer networks -- for an average of 30 per organization.
Palo Alto says that's probably too many different types, making it harder than it really should be to monitor for sneaky botnet communications. This situation argues for companies to consider setting some kind of corporate application standards. A handful of applications make sense, but "it is unlikely that there is justification for 25 file-sharing or 30 video applications on each network," the Palo Alto report notes.
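The report's two recommendations, a short corporate standard for sanctioned UDP applications and scrutiny of the UDP traffic that falls outside it, can be turned into a simple flow-record check. The script below is an added example, not code from Palo Alto Networks or the report; the flow records, application labels and allowlist are constructed and illustrative, and a real NGFW or NetFlow export would supply its own fields.

```python
"""Flag UDP flows outside a sanctioned-application allowlist, and UDP peers that check in on a fixed timer."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_s, src, dst, proto, dst_port, app_label).
# Labels are hypothetical; a real export carries its own app-identification field.
SAMPLE_FLOWS = [
    (0,   "10.0.1.5", "203.0.113.10", "udp", 3478, "webex-video"),
    (60,  "10.0.1.5", "203.0.113.10", "udp", 3478, "webex-video"),
    (5,   "10.0.2.7", "198.51.100.4", "udp", 53,   "dns"),
    (10,  "10.0.3.9", "192.0.2.44",   "udp", 8000, "unknown-udp"),
    (310, "10.0.3.9", "192.0.2.44",   "udp", 8000, "unknown-udp"),
    (610, "10.0.3.9", "192.0.2.44",   "udp", 8000, "unknown-udp"),
    (910, "10.0.3.9", "192.0.2.44",   "udp", 8000, "unknown-udp"),
    (20,  "10.0.4.2", "192.0.2.99",   "tcp", 443,  "ssl"),
]

# The corporate UDP application standard: the handful of UDP apps the organization sanctions.
SANCTIONED_UDP_APPS = {"dns", "ntp", "webex-video", "zoom-video"}


def unsanctioned_udp_flows(flows, allowlist=SANCTIONED_UDP_APPS):
    """Return every UDP flow whose application label is not on the sanctioned list."""
    return [f for f in flows if f[3] == "udp" and f[5] not in allowlist]


def beaconing_pairs(flows, min_flows=4, max_jitter_ratio=0.1):
    """Return (src, dst, port) tuples whose UDP flows recur at near-constant intervals.
    Low-jitter periodic check-ins are a command-and-control trait; video traffic is bursty."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, port, _ in flows:
        if proto == "udp":
            by_pair[(src, dst, port)].append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue  # too few flows to judge regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_ratio * mean(gaps):
            hits.append(pair)
    return hits


if __name__ == "__main__":
    for flow in unsanctioned_udp_flows(SAMPLE_FLOWS):
        print("unsanctioned UDP:", flow)
    for pair in beaconing_pairs(SAMPLE_FLOWS):
        print("beacon-like UDP peer:", pair)
```

On the constructed records, the one unsanctioned peer is also the only one whose flows arrive on a fixed 300-second timer, which is the combination the report suggests is worth a closer look.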
The report also concludes, not surprisingly, that email, file sharing and social media were the top means to deliver malware-based threats to an organization's network.