Abstract

Malware is one of the most severe security threats on the Internet. A key challenge for attackers is to install their malware programs on as many victim machines as possible. HTTP, being the most popular protocol and occupying a significant portion of network traffic, is an obvious target for attackers to exploit for malware distribution. Advanced attackers even hide a malicious executable program behind a benign-looking file such as a text or image file. The malware becomes harder to detect and the distribution channels become more evasive (i.e., harder to identify). However, this exploited and hidden behavior often leads to an inconsistency between the actual content type of the transferred file and the content type declared by the HTTP response. In this paper, we conduct a detailed study of seven months of traffic containing executable programs whose content type was inconsistent with the declared type, downloaded from an ISP of CSTNET (China Science and Technology Network). We found that 99.78% (891/893) of PE (portable executable) files declared to be images are malicious, and 100% of PE files declared to be text with typical file extensions, “.pdf”, “.doc”, “.css”, are malware. Thus, content type inconsistency can be used to detect evasive network attacks as well as to effectively discover unknown malware in traffic.
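
The detection idea described in the abstract, comparing the content type declared in the HTTP response against the type implied by the body's magic bytes, as an added example that is not code from the paper. The signature table, the helper that builds sample responses, and all sample responses are constructed for illustration; the MIME names and the "hidden_pe" label are assumptions of this example, not identifiers from the paper.

```python
import os

# Constructed signature table: leading magic bytes -> MIME type we treat as the
# "actual" content type. A PE file starts with the DOS header "MZ".
SIGNATURES = [
    (b"MZ", "application/x-msdownload"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]

PE_MIME = "application/x-msdownload"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into a lowercase header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def declared_type(headers):
    """Return the declared media type without parameters (e.g. '; charset=')."""
    ct = headers.get("content-type", "")
    media = ct.split(";")[0].strip().lower()
    return media or None


def sniff_type(body: bytes):
    """Return the media type implied by the body's magic bytes, or None if unknown."""
    for magic, mime in SIGNATURES:
        if body.startswith(magic):
            return mime
    return None


def classify(raw: bytes, url_path: str = ""):
    """Flag responses whose actual type contradicts the declared type.

    'hidden_pe' marks the case the paper studies: a PE body delivered under a
    non-executable declared type (image, text, pdf, ...).
    """
    headers, body = parse_response(raw)
    declared = declared_type(headers)
    actual = sniff_type(body)
    ext = os.path.splitext(url_path)[1].lower()
    # Only compare when both sides are known; an unknown body type is not evidence.
    inconsistent = declared is not None and actual is not None and declared != actual
    return {
        "declared": declared,
        "actual": actual,
        "extension": ext,
        "inconsistent": inconsistent,
        "hidden_pe": inconsistent and actual == PE_MIME,
    }


def make_response(content_type: str, body: bytes) -> bytes:
    """Build a constructed HTTP response for the examples below."""
    head = "HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n" % (content_type, len(body))
    return head.encode("latin-1") + body


# Constructed samples (not real captures): a PE stub behind an image type, a real
# PNG header, a PE stub behind a stylesheet type, and plain text with no magic.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
PE_AS_PNG = make_response("image/png", PE_STUB)
REAL_PNG = make_response("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
PE_AS_CSS = make_response("text/css; charset=utf-8", PE_STUB)
PLAIN_TEXT = make_response("text/plain", b"hello world\n")

if __name__ == "__main__":
    for path, resp in [("/images/logo.png", PE_AS_PNG), ("/images/logo.png", REAL_PNG),
                       ("/static/site.css", PE_AS_CSS), ("/readme.txt", PLAIN_TEXT)]:
        print(path, classify(resp, path))
```

Sniffing only the first bytes keeps the check cheap enough to run inline on a traffic stream, but a short prefix such as "MZ" can also match non-PE data, so in practice a "hidden_pe" hit should be confirmed by parsing the PE header before the download is blocked or the sample is sent for analysis.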
