Most of you know that I do a lot of research on the horrible things that haunt the internet. Recently, I have come across enough samples of malcode to suggest a truly sinister problem is heading our way.

Though I cannot release the specifics, I have seen several unrelated groups actively testing spyware that, once inside your perimeter, tunnels out to the C&C via SSH and, in other cases, SSL.

Detecting these new threats will be extremely difficult and will force security vendors to quickly throw together heuristics that say "if you see this protocol and the destination is an IRC server, then block the traffic" (or something of the like).
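As an added illustration of the kind of protocol-versus-port heuristic described above (example code written for this page, not anything from the author or any vendor), the snippet below classifies the first payload bytes of a client flow as SSH, TLS or IRC and flags flows where an encrypted protocol is being spoken to a plaintext IRC port. The flow records, port set and function names are all constructed assumptions for the demo, not captured traffic or a real product's rules.

```python
# Added example: a minimal "wrong protocol on this port" heuristic.
# Flag outbound flows whose first client bytes look like SSH or a TLS
# ClientHello but whose destination is a plaintext IRC port, a classic
# C&C rendezvous. All flow records below are constructed for the example.

# Conventional plaintext IRC ports (assumption for the demo). Port 6697 is
# deliberately left out: TLS is the expected protocol there, so flagging
# TLS on 6697 would be a pure false positive.
PLAINTEXT_IRC_PORTS = set(range(6660, 6670)) | {7000}


def classify_payload(data: bytes) -> str:
    """Guess the application protocol from the first bytes a client sends."""
    # SSH clients open with an identification string such as "SSH-2.0-..."
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    # Plaintext IRC registration commands.
    if data.startswith((b"NICK ", b"USER ", b"PASS ", b"CAP ")):
        return "irc"
    return "unknown"


def suspicious(flow: dict) -> bool:
    """True when an encrypted tunnel protocol targets a plaintext IRC port."""
    proto = classify_payload(flow["payload"])
    return proto in ("ssh", "tls") and flow["dport"] in PLAINTEXT_IRC_PORTS


def scan(flows) -> list:
    """Return the ids of flows the heuristic would block or alert on."""
    return [f["id"] for f in flows if suspicious(f)]


# Constructed sample flows: (id, destination port, first client payload bytes).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"
SAMPLE_FLOWS = [
    {"id": "f1", "dport": 22,   "payload": b"SSH-2.0-OpenSSH_5.1\r\n"},          # normal SSH
    {"id": "f2", "dport": 6667, "payload": b"NICK bob\r\nUSER bob 0 * :bob\r\n"},  # normal IRC
    {"id": "f3", "dport": 6667, "payload": b"SSH-2.0-libssh_0.2\r\n"},           # SSH to IRC port
    {"id": "f4", "dport": 443,  "payload": TLS_CLIENT_HELLO},                     # normal HTTPS
    {"id": "f5", "dport": 6697, "payload": TLS_CLIENT_HELLO},                     # TLS on TLS-IRC port
]

if __name__ == "__main__":
    print("flagged:", scan(SAMPLE_FLOWS))  # expected: ['f3']
```

Only `f3` is flagged: SSH spoken to port 6667. The `f5` case shows why such quick heuristics are brittle: TLS on 6697 is how legitimate IRC-over-TLS clients behave, and an implant that simply picks 443 or 6697 as its tunnel port looks identical to normal traffic at this layer. Port and banner matching buys a little time; it does not see inside the tunnel.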

I'm going to discuss this in detail with an AV vendor on Monday. Hopefully they will have encouraging news, as in they are also aware and have a viable solution ready to go.

Consider this your early warning.

--TH13