I have heard of malware using TLS, RC4, and XOR to encrypt command and control communications. Why is it that malware doesn't use VPNs? For example, an IPsec VPN: I would think this would make end-to-end traffic much more secure and encrypted.
How do you know that there is no malware that does use a VPN? – multithr3at3d Jan 25 '20 at 15:09
2 Answers
The goal of malware is to hide itself from detection, which means hiding the communication and hiding its activity on the infected system. Hiding communication can be done by blending into normal traffic, by using protocols which are pretty common and which are not blocked by firewalls, like HTTP, HTTPS, DNS etc.
IPSec to arbitrary endpoints isn't really common in most environments, so using it would actually make the malware stand out. Apart from that, IPSec is usually implemented at the kernel level and would show up as an additional network interface on the machine (which could also be used by other applications). While one could likely implement all of IPSec in user space too, it is complex. But why make such efforts if there are much easier and stealthier options in the first place?
With other VPNs like OpenVPN, WireGuard etc. it is similar. While they might be more common for home users, since they are the underlying technology for free and commercial VPN providers, use of these in company environments would actually be especially suspicious. Employees are typically not supposed to VPN from their own workstations in the first place, so that would clearly stand out from the normal traffic. And here too the complexity is much higher than with TLS, so only more effort while being less stealthy, i.e. no advantages but only disadvantages.
For example, an IPsec VPN: I would think this would make end-to-end traffic much more secure and encrypted.
TLS is secure enough if properly used. Even RC4 might still be secure enough depending on the use case. There is no need to be "much more secure and encrypted" than this in most cases, and IPSec isn't even more secure than TLS. If you only want to transport a pizza you don't need a truck even though it is more powerful than a small car.
IPSEC tunnels would not work in most corporate environments as they would be blocked. In more secure environments, a desktop initiating an IPSEC handshake would almost certainly trigger a SIEM alert.
A simple TLS socket would be far less noticeable, could run over proxies, and would provide the same level of security that an IPSEC tunnel would but is far more likely to work and be less detectable.
Although the really stealthy stuff is even more covert and often won't use encryption but instead will bury the payload in anodyne protocols like ICMP or send the data over long periods of time so your monitoring system is unlikely to properly re-assemble the payload.
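Both answers rest on the same detection argument: IKE/ESP, WireGuard or OpenVPN traffic from a workstation subnet is rare enough to alert on, whereas TLS blends in, and covert channels such as oversized ICMP payloads are what remains. The following is an added example, not code from either answer, of that monitoring logic run over constructed firewall log lines; the key=value log format, the workstation subnet and the ICMP size threshold are assumptions.

```python
import ipaddress

# Hypothetical workstation subnet; a real deployment would load this from inventory.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ICMP_MAX_BYTES = 256  # echo payloads above this are unusual for plain ping (constructed threshold)
# (proto, dport) pairs typical of VPN tunnels; ESP carries no port number.
VPN_SIGNATURES = {
    ("udp", 500): "IKE (IPsec key exchange)",
    ("udp", 4500): "IKE/ESP NAT-T (IPsec)",
    ("esp", None): "ESP (IPsec payload)",
    ("udp", 51820): "WireGuard default port",
    ("udp", 1194): "OpenVPN default port",
}

def parse_line(line):
    # Parse a 'key=value key=value' firewall record into a dict.
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def is_workstation(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)

def classify(rec):
    """Return a reason string if the record looks like a tunnel or covert channel."""
    proto = rec.get("proto", "").lower()
    dport = int(rec["dport"]) if rec.get("dport") else None
    if proto == "icmp" and int(rec.get("bytes", "0")) > ICMP_MAX_BYTES:
        return "oversized ICMP payload (possible covert channel)"
    return VPN_SIGNATURES.get((proto, dport))

def find_suspicious_flows(lines):
    alerts = []
    for line in lines:
        rec = parse_line(line)
        src = rec.get("src")
        if not src or not is_workstation(src):
            continue  # VPN gateways and servers are expected to speak IKE/ESP
        reason = classify(rec)
        if reason:
            alerts.append({"src": src, "dst": rec.get("dst", "?"), "reason": reason})
    return alerts

# Constructed sample log lines (not real traffic); the TLS flow and the gateway's NAT-T flow are expected negatives.
SAMPLE_LOG = [
    "ts=2020-01-25T15:09:00Z src=10.20.4.17 dst=203.0.113.5 proto=udp dport=500 action=allow",
    "ts=2020-01-25T15:09:01Z src=10.20.4.17 dst=203.0.113.5 proto=esp action=allow",
    "ts=2020-01-25T15:09:02Z src=10.20.7.3 dst=198.51.100.9 proto=tcp dport=443 action=allow",
    "ts=2020-01-25T15:09:03Z src=10.50.1.2 dst=203.0.113.77 proto=udp dport=4500 action=allow",
    "ts=2020-01-25T15:09:04Z src=10.20.9.8 dst=198.51.100.22 proto=icmp bytes=1400 action=allow",
]
```

Running `find_suspicious_flows(SAMPLE_LOG)` yields three alerts (IKE, ESP and the oversized ICMP echo), while the HTTPS session from the workstation passes unnoticed, which is exactly why the answers expect malware to prefer TLS.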