Readers will no doubt be familiar with the concept of categorising URLs, and how this forms an important part of security today. Classification enables users to prevent access to URLs that are known to be hosting undesirable content (ranging from phishing sites to malware), or to URLs known to be unsuitable from a policy perspective (for example, gambling sites). A classification type we take very seriously within SophosLabs is that labelled callhome URLs.
So what exactly is a callhome URL? We use this classification for the sites to which malicious files connect in order to download more components or ‘report home’ (and receive remote command). Examples of the latter include typical IRC bots and backdoor and proxy Trojans (for example, Troj/Proxy-HR).
Why is it so important to recognise and block callhome connections? This becomes apparent if you consider the difference between the terms infected and compromised. When a piece of malicious code runs, the machine can be said to be infected. However, as soon as someone has some form of remote access to (and control of) the machine, it is compromised. Infected machines can be cleaned – malware can be analysed, and the changes it makes upon execution reversed (in most cases). However, once a machine has been compromised, cleaning is not possible. Of course, the malware can be removed, and the changes known to have made made reversed. But without knowing what changes were made by the intruder with remote access to that machine, it cannot be restored to its original pre-infected state. The victim will rarely know what data has been viewed or tampered with.
So, the business of recognising (and blocking) as many callhome connections as possible is just another piece in the ‘providing protection’ puzzle. Even in cases where the malware itself may be missed, and a machine becomes infected, being able to block the callhome connection can make a huge difference.