The extremely popular Upatre Trojan downloader has undergone considerable changes that will make it and its communication more difficult to spot and block.
The changes were implemented in the new variants detected and analyzed late last week by Cisco's Talos Group researchers, and include:
(Nearly) full SSL encryption of traffic to and from the C&C server
"All communication after the identification of IP address from public websites has been placed inside an SSL session making identification of the threat more difficult," they noted.
Previously the traffic was plain HTTP over non-standard ports, with SSL used only occasionally. The unencrypted portion now accounts for less than 1% of the data exchanged between the compromised host and the C2 servers, and it consists essentially of the initial public-IP lookup, which is therefore the only part of the exchange left for network-based detection to key on.
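The practical consequence for defenders is that the cleartext IP lookup is the one observable step before the session goes dark. The following is an added example of how a detection could correlate it with the TLS session that follows; it is not Talos's code or part of their report. The IP-echo hostnames, the 120-second window, the "non-standard port" heuristic and the log lines are all constructed assumptions for the sake of the example, not indicators from the analysis.

```python
"""Added example, not from the Talos report: flag hosts that make a cleartext
external-IP lookup and then, shortly after, open TLS to a non-standard port.
Also compute how much of the traffic is still cleartext. All hostnames, ports
and log lines are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical IP-echo services; an assumption, not a list from the report.
IP_LOOKUP_HOSTS = {"ipecho.example", "whatismyip.example"}
STANDARD_TLS_PORTS = {443}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str   # "http" (cleartext) or "tls"
    nbytes: int


def parse_flow(line: str) -> Flow:
    # Constructed flow-log format: "<ISO-ts> <src> <dst> <dport> <proto> <bytes>"
    ts, src, dst, dport, proto, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto, int(nbytes))


def cleartext_fraction(flows):
    """Share of bytes sent in cleartext across all flows (0.0 if no traffic)."""
    total = sum(f.nbytes for f in flows)
    clear = sum(f.nbytes for f in flows if f.proto == "http")
    return clear / total if total else 0.0


def find_suspects(flows, window=timedelta(seconds=120)):
    """Return (src, lookup_ts, tls_flow) for every cleartext IP lookup that is
    followed within `window` by a TLS flow from the same host to a port other
    than 443. The window and port heuristic are assumptions of this example."""
    hits = []
    lookups = [f for f in flows if f.proto == "http" and f.dst in IP_LOOKUP_HOSTS]
    for lk in lookups:
        for f in flows:
            if (f.src == lk.src and f.proto == "tls"
                    and f.dport not in STANDARD_TLS_PORTS
                    and lk.ts <= f.ts <= lk.ts + window):
                hits.append((lk.src, lk.ts, f))
    return hits


# Constructed sample log: host 10.0.0.5 does the lookup-then-TLS sequence;
# host 10.0.0.9 does a lookup too, but its TLS flows are out of order / on 443.
SAMPLE_LOG = """\
2015-07-01T10:00:00 10.0.0.5 ipecho.example 80 http 512
2015-07-01T10:00:03 10.0.0.5 203.0.113.7 4430 tls 180000
2015-07-01T10:05:00 10.0.0.9 www.example 443 tls 40000
2015-07-01T10:06:00 10.0.0.9 ipecho.example 80 http 400
2015-07-01T10:30:00 10.0.0.9 203.0.113.8 443 tls 9000
"""


def analyze(log_text=SAMPLE_LOG):
    """Parse the log and return (suspect hits, cleartext byte fraction)."""
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    return find_suspects(flows), cleartext_fraction(flows)


if __name__ == "__main__":
    hits, frac = analyze()
    for src, ts, f in hits:
        print(f"{src}: IP lookup at {ts.time()} then TLS to {f.dst}:{f.dport}")
    print(f"cleartext share of bytes: {frac:.2%}")
```

On the constructed sample the only hit is 10.0.0.5, and the cleartext share works out to well under 1%, which is the situation the article describes: there is almost nothing left to inspect, so the correlation has to lean on sequence and timing rather than on payload content.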