An internal host is sending data to an external system in multiple HTTP POST requests that carry no Referer header and no User-Agent identifying the sending software
These POSTs appear to be machine generated because they occur with a regular timing pattern rather than the irregular timing of human browsing
Possible Root Causes
Adware, spyware or malware installed on an internal host is communicating back to its command and control server
The communication may include some data leakage from the local host, which is particularly common with spyware
Business Impact
An infected host can be used to attack other organizations (e.g. spam, DoS, ad clicks), harming your organization's reputation, potentially causing your IP addresses to be blacklisted and degrading the performance of business-critical applications
The host can also be instructed to spread further into your network and ultimately exfiltrate data from it
Software which infected the host can create nuisances and affect user productivity
Steps to Verify
Look up the domain and IP address to which the communication is being sent via VirusTotal or other reputation services to see if this is known malware; such lookups are supported directly within the UI
Search for the domain + “virus” via a search engine – this is effective for finding references to known adware or spyware
Download the supplied PCAP and look at the HTTP payload being sent to see if any data is being leaked in clear text or whether the identity of the program is visible in the payload
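The triage logic described above (POSTs to an external host with no Referer and no User-Agent, arriving at regular intervals, followed by a look at the POST bodies for clear-text leakage) can be scripted against proxy or flow records that have already been parsed out of the PCAP. The following is an added example, not code from the original page or from the product it describes; the record field names, the "internal" address ranges (RFC 1918) and the sample requests are all assumptions of the example, and the sample traffic is constructed, not captured.

```python
"""Triage helper for 'stealth' HTTP POST beaconing (added example, not the
product's own code). Input is a list of dicts, one per HTTP request, with the
assumed fields ts (epoch seconds), src, dst, method, host, referer,
user_agent and body. Output is a list of findings per (src, dst, host)."""
import ipaddress
import re
import statistics
from collections import defaultdict

# Assumption: these ranges are "internal"; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Clear-text markers worth knowing about in a POST body (URL-encoded key=value).
LEAK_PATTERNS = {
    "hostname": re.compile(r"\b(host(name)?|id|machine)=([^&\s]+)", re.I),
    "username": re.compile(r"\b(user(name)?|login)=([^&\s]+)", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

# Constructed sample records: one beaconing host, one human browser, one
# internal-only POST. Addresses are documentation ranges, not real systems.
SAMPLE_REQUESTS = [
    {"ts": 1000 + 60 * i, "src": "10.0.0.5", "dst": "203.0.113.10",
     "method": "POST", "host": "updates.example.invalid",
     "referer": "", "user_agent": "",
     "body": "id=WKSTN-0042&user=jdoe&os=win10"} for i in range(4)
] + [
    {"ts": 1005, "src": "10.0.0.7", "dst": "198.51.100.20", "method": "POST",
     "host": "www.example.invalid", "referer": "https://www.example.invalid/f",
     "user_agent": "Mozilla/5.0", "body": "q=hello"},
    {"ts": 1300, "src": "10.0.0.7", "dst": "198.51.100.20", "method": "POST",
     "host": "www.example.invalid", "referer": "https://www.example.invalid/f",
     "user_agent": "Mozilla/5.0", "body": "q=world"},
    {"ts": 1010, "src": "10.0.0.9", "dst": "10.0.0.20", "method": "POST",
     "host": "intranet", "referer": "", "user_agent": "", "body": "x=1"},
]


def is_external(ip_text):
    """True when the address falls outside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def regularity(timestamps):
    """Coefficient of variation of inter-arrival gaps (0.0 == perfectly
    periodic). Needs at least three requests to say anything."""
    if len(timestamps) < 3:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def inspect_body(body):
    """Return {label: value} for clear-text identifiers found in a POST body."""
    found = {}
    for label, pat in LEAK_PATTERNS.items():
        m = pat.search(body)
        if m:
            found[label] = m.group(m.lastindex) if m.lastindex else m.group(0)
    return found


def find_stealth_posts(requests, max_cv=0.2, min_count=3):
    """Group header-less POSTs to external hosts by flow and keep the flows
    whose timing is regular enough to look machine generated."""
    flows = defaultdict(list)
    for r in requests:
        if r["method"] != "POST" or not is_external(r["dst"]):
            continue
        if r.get("referer") or r.get("user_agent"):
            continue  # a browser-originated POST normally carries both
        flows[(r["src"], r["dst"], r["host"])].append(r)

    findings = []
    for (src, dst, host), reqs in flows.items():
        reqs.sort(key=lambda r: r["ts"])
        stamps = [r["ts"] for r in reqs]
        cv = regularity(stamps)
        if len(reqs) < min_count or cv is None or cv > max_cv:
            continue
        leaks = {}
        for r in reqs:
            leaks.update(inspect_body(r.get("body", "")))
        findings.append({
            "src": src, "dst": dst, "host": host, "count": len(reqs),
            "mean_interval": statistics.mean(b - a for a, b in zip(stamps, stamps[1:])),
            "interval_cv": round(cv, 3),
            "leak_indicators": leaks,
        })
    return findings


if __name__ == "__main__":
    for f in find_stealth_posts(SAMPLE_REQUESTS):
        print(f)
```

The flagged flow's `dst` and `host` are what you would then feed to a reputation lookup, and `leak_indicators` tells you whether the body already answers the "is data leaking in clear text" question before you open the PCAP by hand. The interval threshold (`max_cv`) is deliberately loose; jittered beacons will push the coefficient of variation up, so lower it only once you have looked at what benign periodic posters (monitoring agents, telemetry) in your own environment look like.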
Stealth HTTP Post