Malware families using SSL to protect their C&C server communications continue to rise, a new study found.
The number of malware samples detected each month and the number of active C&C servers are both increasing, said researchers at security provider Blue Coat. In both categories, the security firm said it found a huge jump in SSL deployment starting at the end of 2015.
The company analyzed cyber-criminal activity from January 2014 up to December 2015 and used data from the SSL Blacklist site, which tracks abused or bad SSL certificates.
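The SSL Blacklist feed mentioned above publishes SHA1 fingerprints of certificates seen on malware C&C servers, which lets defenders compare them against the certificates observed in their own TLS traffic and watch the trend over time. The Python below is an added example, not Blue Coat's or the SSL Blacklist project's code: it assumes a feed in a `Listingdate,SHA1,Listingreason` CSV shape and a simplified one-connection-per-line TLS log, and both inputs are constructed samples with fabricated fingerprints and RFC 5737 documentation addresses.

```python
"""Match certificate fingerprints from TLS connection logs against an
SSL-blocklist-style feed and count hits per month (added example)."""
import re
from collections import Counter

# Constructed feed in the assumed "Listingdate,SHA1,Listingreason" layout.
# The fingerprints are made up; they are not real listings.
FEED = """\
# SSLBL-style feed (constructed sample, not real data)
# Listingdate,SHA1,Listingreason
2015-10-02 08:15:11,0123456789abcdef0123456789abcdef01234567,Dridex C&C
2015-11-20 14:02:43,89abcdef0123456789abcdef0123456789abcdef,TorrentLocker C&C
"""

# Constructed TLS log: timestamp, client, server:port, server cert SHA1.
# Mixed case and colon separators are deliberate to exercise normalisation;
# the last line is malformed to show how bad input is handled.
TLS_LOG = """\
2015-09-14T10:11:12Z 10.0.0.5 198.51.100.20:443 sha1=11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
2015-10-03T09:00:00Z 10.0.0.7 203.0.113.10:443 sha1=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
2015-10-05T22:41:09Z 10.0.0.9 203.0.113.10:8443 sha1=0123456789abcdef0123456789abcdef01234567
2015-11-21T03:17:55Z 10.0.0.7 192.0.2.44:443 sha1=89abcdef0123456789abcdef0123456789abcdef
2015-11-22T11:05:30Z 10.0.0.5 192.0.2.44:443 sha1=not-a-fingerprint
"""

HEX40 = re.compile(r"^[0-9a-f]{40}$")
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+sha1=(\S+)$")


def normalize_fingerprint(raw):
    """Lower-case and strip colon separators; None unless exactly 40 hex digits."""
    fp = raw.strip().replace(":", "").lower()
    return fp if HEX40.match(fp) else None


def load_blocklist(csv_text):
    """Parse the feed into {sha1: listing reason}, skipping comments and blanks."""
    listed = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) != 3:
            continue  # malformed row: ignore rather than abort the whole load
        fp = normalize_fingerprint(parts[1])
        if fp:
            listed[fp] = parts[2].strip()
    return listed


def match_log(log_text, blocklist):
    """Return (hits, skipped): hits are connections whose server certificate
    fingerprint is listed; skipped counts lines that could not be parsed."""
    hits, skipped = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        fp = normalize_fingerprint(m.group(4)) if m else None
        if fp is None:
            skipped += 1
            continue
        ts, client, server, _ = m.groups()
        reason = blocklist.get(fp)
        if reason:
            hits.append({"ts": ts, "client": client, "server": server,
                         "sha1": fp, "reason": reason})
    return hits, skipped


def hits_per_month(hits):
    """Count listed-certificate connections per YYYY-MM, the trend the study tracked."""
    return Counter(h["ts"][:7] for h in hits)


def servers_by_reason(hits):
    """Group the C&C endpoints seen under each listing reason (malware family)."""
    out = {}
    for h in hits:
        out.setdefault(h["reason"], set()).add(h["server"])
    return out


if __name__ == "__main__":
    blocklist = load_blocklist(FEED)
    hits, skipped = match_log(TLS_LOG, blocklist)
    for h in hits:
        print(f"{h['ts']} {h['client']} -> {h['server']} [{h['reason']}]")
    print("per month:", dict(hits_per_month(hits)), "skipped lines:", skipped)
    print("servers by family:", servers_by_reason(hits))
```

Fingerprint matching of this kind only catches servers whose certificates are already known; it says nothing about TLS C&C traffic using certificates the feed has not seen, which is why the study's rising counts matter for defenders relying on such lists.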
The report analyzed detections and the infrastructure of common malware families known to implement SSL to protect themselves. Some of these malware variants included names such as Dridex, KINS, Shylock, URLzone, TeslaCrypt, CryptoLocker, TorrentLocker, CryptoWall, Upatre, Gootkit, Geodo, Tinba, Gozi, VMZeus, Redyms, Vawtrack, Qadars, Spambot, Emotee, and Retefe.
Researchers found that, during the two-year period they analyzed, the number of malware samples went up whether or not the samples employed SSL.
Malware samples deploying SSL have always been a small share of the overall total, but something changed in October 2015, when the number of SSL-using malware samples increased.
Blue Coat researchers saw SSL malware numbers going from 500 samples detected per month to 29,000 in the span of two months.
The same thing happened with the number of C&C servers that used SSL-protected connections to talk to their bots, which jumped from 1,000 servers in Q1 2015 to 200,000 in Q3 2015.
Blue Coat considered a C&C server to be any website or IP that attackers used as a coordination point, malware download site, data exfiltration point, or other Web-based operations point.
“Looking at the timeframe of the spike, it coincided with the onset of the holiday season. As such, the spike could have been attributed to the launch of one or more large-scale campaigns with infrastructures based on those malware families,” Blue Coat researchers said.
Researchers also said the number of C&C servers grew well before the malware sample spike, which makes sense because attackers need to set up their C&C server infrastructure before initiating malware campaigns.