What Is Outbound Malware?

What Is Outbound Malware?

Messages being sent from a device, email server or any other platform may contain malware because of reasons such as the user’s device being compromised by malicious malware has hijacked their email and automatically sending messages to their address book, a user’s email credentials being stolen and someone using them to send messages filled with malware to individuals or some user sending messages which contains malicious materials. Some users also send messages which contain attachments which are infected with malware. What are these types of malwares being sent to people called?

Malware outbound is any malware that tries to reach a specific destination. This type of malware can spread through different channels or protocols. The main goal for an outbound malware is to contact a controller, sending the results he requests and receiving instructions from there.

Malware outbound can be detected by observing anomalous outgoing traffic from a computer or network, while behavior-based anti malware might detect this type of malware if it exhibits behaviors associated with malware outbound such as trying to connect to specific domains/hosts, sending emails without user interaction and using unusual ports instead of common ones (like 80 for http vs 443 for https).

Types of Outbound Malware

Banking Malware

Banking malware is malware that tries to get sensitive banking information, such as credit card numbers and passwords, from the victim’s computer. once it finds one of these, it sends them to its controller without the user noticing.

This is different from traditional phishing because instead of just stealing the information, the attacker interacts with the victim’s browser or operating system in order to get more valuable information, such as credit card numbers. this is done through sandbox-aware malware that tries to detect


Ransomware is a type of malware that encrypts the victims files and asks for a ransom in order to receive the decryption key. Some ransomware infects USB devices and even internet routers, preventing the victim from connecting to the Internet while demanding the ransom.


spyware is a type of malware that tries to monitor the user’s actions in order to steal data, like passwords or credit card numbers. This is usually done through keyloggers, spyware and other types of trojans/backdoors. This type of malware can also create screenshots (to see what you are typing) and send them.

Malware Protocols

In order to find out if there is any outbound malware an analyst has to know the common protocols used by malware.

  1. SMTP

the most common protocol used by malware. An example of this is the old ZBOT malware that has been around for many years . This malware has different variants that try to contact the controller using SMTP, some variants send emails with attached files while others use phishing emails with a link that points to the controller.

  1. HTTP

malware can be used to spread using HTTP, this is usually done if the malware needs to exploit a specific vulnerability in a server or web app. Some examples are the webshells/backdoors used by hackers in order to get access to specific computers or servers.

  1. Command & Control Servers

malware can use specific domains/hosts to contact its controller. This is the most common strategy used by Ransomware where it tries to contact a domain/host in order to get the location of the ransom and other instructions.

  1. DNS

DNS queries are sent by various pieces of malware in order to get the information it needs. This is usually done using two types of records, A records that are used to get the location of a host and NS records that are used to get the name servers (such as ns1.malware.example.com, ns2.malware.example.com ..etc).

What Can An Outbound Malware Do?

Outbound malware is used to send stolen data back to the controller. This data could be a list of files, hashed passwords, credit card numbers and other sensitive information as well as screenshots of the user’s screen.

Most outbound malware uses a mix between human interaction and automation. This means that it will try to send the stolen data through SMTP/HTTP(S) or even DNS if certain conditions are met.

This type of malware is one of the most common types of malware around, with examples such as Zeus Panda Banker, Gootkit or Tinba.The command control server might give specific instructions to malware on what to do next, like encrypting more files or sending where the ransom is supposed to be sent.

Other types of outbound traffic are DNS requests, the response could be used in order to get information about where the controller is.

How Can An Analyst Find Out If There Is Any Outbound Malware?

The best way to check for outbound malware is by scanning the traffic with known DNS requests or HTTP headers. Doing this will allow you to detect any type of outbound traffic, since most types of Outbound malware use HTTP(S) to send data back to its controller. 

Also, checking for Command & Control servers in e-mails or social media accounts can also be useful. If the analyst finds any traffic that looks unusual, this might indicate the presence of outbound malware.

Tools Used To Detect Outbound Malware

  1. Wireshark

Wireshark is a network protocol analyzer that captures packets and shows them in a readable format. It allows deep inspection of hundreds of protocols and includes filters for packets as well as built-in decryption capabilities.

  1. Rekall

Rekall is a powerful memory forensic framework that can be used in order to find compromised hosts and it’s one of the best tools for the job. Users can easily identify processes, network sockets, open files and other active/inactive objects by using it.

  1. ThreatExpert

ThreatExpert is an antivirus software made by me (Dirk-jan Mollema) and it uses machine learning in order to classify and detect malware samples. when an analyst uploads a file into ThreatExpert, then the application will start classifying this file based on static/dynamic analysis as well as machine learning algorithms.

Prevention From Outbound Malware

Outbound malware is a big threat for companies or individual users, since it can lead to data breaches and other problems. Making sure your applications are up-to-date is one of the most important steps in order to prevent outbound malware from attacking your platform.

This means updating your browser, plugins, antivirus software and any other software you have installed on a regular basis. This will make it harder for attackers to exploit vulnerabilities which might then lead them to gain access into your system and use it as a spam botnet or sending stolen data back to its controller. There are several ways for preventing outbound malware.

1) Installing an antivirus solution that includes automatic updates

2) Making sure all software is up-to-date

3) Enforcing a strong password policy on your account(s)

4) Avoiding public WiFi networks when sending data that contains sensitive information

5) Installing security patches and making sure organizations have a cyber security incident response plan in place, ready to be executed.


Malware outbound might be used to steal the information of a specific person or organization. An example is banking malware that tries to find credit card numbers in memory and send them back to its controller. It can also be used as part of ransomware attacks where the malware contacts command & control servers and waits to receive the location of the ransom and other instructions.

Recent Posts