Got Beacons?

Suppose you are a Malware designer and need to devise a mechanism to (1) find out which compromised zombies are available and (2) perhaps routinely report back, relaying keystrokes, credit card numbers, and other valuable goodies like these.

A simple solution is to have your Malware send small, infrequent messages back to your mother ship, disguising the messages as some mainstream protocol like HTTPS or DNS.

Well, that's a beacon! If Malware designers added some randomness to their communication, detecting beacons would become nearly impossible; but randomness also makes managing possibly thousands of Zombies much harder. So Beacons are usually very regular, and that regularity makes them relatively easy to detect using high-school math.
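As an added example (not code from the original post), here is that high-school math at work on a constructed connection log of `timestamp src dst:port` lines: for each source/destination pair, take the gaps between successive connections, and flag pairs whose gaps are nearly constant (standard deviation small relative to the mean). The thresholds and the log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 checks in every ~5 minutes (beacon-like),
# 10.0.0.7 talks to its server at irregular, browsing-like intervals.
SAMPLE_LOG = """\
2024-01-01T00:00:00 10.0.0.5 203.0.113.9:443
2024-01-01T00:05:02 10.0.0.5 203.0.113.9:443
2024-01-01T00:09:58 10.0.0.5 203.0.113.9:443
2024-01-01T00:15:01 10.0.0.5 203.0.113.9:443
2024-01-01T00:20:00 10.0.0.5 203.0.113.9:443
2024-01-01T00:24:59 10.0.0.5 203.0.113.9:443
2024-01-01T00:00:10 10.0.0.7 198.51.100.4:443
2024-01-01T00:00:45 10.0.0.7 198.51.100.4:443
2024-01-01T00:07:30 10.0.0.7 198.51.100.4:443
2024-01-01T00:08:02 10.0.0.7 198.51.100.4:443
2024-01-01T00:31:00 10.0.0.7 198.51.100.4:443
2024-01-01T00:31:20 10.0.0.7 198.51.100.4:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def gaps_by_pair(log_text):
    """Group connections by (src, dst); return the gaps in seconds between successive ones."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, src, dst = m.groups()
        times[(src, dst)].append(datetime.fromisoformat(ts))
    gaps = {}
    for pair, stamps in times.items():
        stamps.sort()
        gaps[pair] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps

def find_beacons(log_text, min_connections=5, max_cv=0.15):
    """Flag pairs whose gaps are regular: coefficient of variation (stdev / mean) below max_cv."""
    hits = {}
    for pair, gaps in gaps_by_pair(log_text).items():
        if len(gaps) + 1 < min_connections:
            continue  # too few samples to call anything "regular"
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu else float("inf")
        if cv <= max_cv:
            hits[pair] = {"mean_gap_s": round(mu, 1), "cv": round(cv, 3), "count": len(gaps) + 1}
    return hits

if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_LOG).items():
        print(pair, stats)
```

On the sample, only the 10.0.0.5 pair is flagged (mean gap about 300 s, coefficient of variation under 0.01); the irregular 10.0.0.7 traffic is not.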

Some Beacons are good. Did you know that Apple routinely gets beacons from all your I-devices? Probably not, because they are a vehicle for providing useful services (like where the phone is located, how fast it is travelling down the highway, etc.).

Some Beacons are very, very bad, and you should try to detect them. If you don't, you are letting the bad guy get away with it and steal your data.