Analysis of Malware Hidden Behind Firewalls with Back Scans

Abstract

Malware infection and propagation in Local Area Network(LAN) have became a critical security consideration in IoT systems. Recent cases happen when hosts are observed to be infected even protected by firewall. If we go deep into the analysis on infected hosts, we can measure on the possibility of this situation. When we are aware of status of ports on the source host, we can determine how intrusion happens based on classification on manner of infection. We propose SB-MSS (scan back to malicious source scan source), a network measurement method on malware behaviors in infection on hosts even protected by firewall. This includes passive analysis and active back scan, i.e., port back scanning and vertical back scanning methods towards malicious sources. We conducted 2-week experiment and provide our results in attack distribution on different factors, possible port entrances for malware intrusion and classification result on different infection type. We found in 82.52% cases, malware infection bypasses firewalls.