In a recent trend, malware has increasingly been observed using covert communications. Beyond neutralizing these malicious communications, it is possible to counterattack malware components or to perform denial-of-service attacks on the connection itself. We created an active network traffic warden with network address translation support, which aims to perform these counterattacks, and evaluated it against publicly available remote access tools that are commonly used for malicious purposes. The current implementation offers ten unique packet manipulation options, including the ability to search the protocol fields of a packet, or its entire byte sequence, for regex patterns and to replace specifiable occurrences of these. Packet manipulation is performed entirely in-flow, while the communication is happening in real time.
The user is free to specify which packets within the malicious communication should be manipulated, be it those bound for the command and control server, those bound for the malware client, or both. For any operation the user defines, they may also make use of cross-packet protocol field tracking to precisely target one packet in a sequence. We show that the warden can be used to cause targeted erroneous behavior in command and control servers, and we also tested it against real legitimate traffic to assess whether benign traffic is falsely detected as malicious.
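To make the rule semantics of such a warden concrete, the following added example (not the authors' implementation) models three of the features described above on a constructed flow: per-direction rule selection, regex replacement of all or only the k-th occurrence in the raw payload bytes, and cross-packet tracking so that a rule fires only on the n-th packet it sees. The Packet/Rule/Warden names and the beacon-style payloads are assumptions made up for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    direction: str  # "to_c2" (client -> server) or "to_client" (server -> client)
    payload: bytes

@dataclass
class Rule:
    direction: str            # "to_c2", "to_client" or "both"
    pattern: bytes            # regex matched against the raw payload bytes
    replacement: bytes
    occurrence: Optional[int] = None  # None: replace every match; k: only the k-th match
    nth_packet: Optional[int] = None  # None: every packet; n: only the n-th packet this rule sees

class Warden:
    def __init__(self, rules):
        self.rules = list(rules)
        self.seen = [0] * len(self.rules)  # cross-packet state: direction-matching packets per rule

    def process(self, pkt: Packet) -> Packet:
        payload = pkt.payload
        for i, rule in enumerate(self.rules):
            if rule.direction not in (pkt.direction, "both"):
                continue
            self.seen[i] += 1
            if rule.nth_packet is None or self.seen[i] == rule.nth_packet:
                payload = substitute(rule, payload)
        return Packet(pkt.direction, payload)

def substitute(rule: Rule, payload: bytes) -> bytes:
    # Replace all matches, or only the k-th one, by counting matches as re.sub visits them.
    count = 0
    def repl(m):
        nonlocal count
        count += 1
        return rule.replacement if rule.occurrence in (None, count) else m.group(0)
    return re.sub(rule.pattern, repl, payload)

def demo():
    # Constructed flow (not real malware traffic): one client beacon, two server replies.
    flow = [Packet("to_c2", b"BEACON id=7 host=ws01 user=alice"),
            Packet("to_client", b"CMD exec a;exec b;exec c"),
            Packet("to_client", b"CMD exec d")]
    rules = [Rule("to_c2", rb"host=\w+", b"host=redacted"),       # scrub a field in every beacon
             Rule("to_client", rb"exec", b"XXXX", occurrence=2),   # corrupt only the 2nd token
             Rule("to_client", rb"^CMD", b"NOP", nth_packet=2)]    # neutralise the 2nd reply only
    return [p.payload for p in map(Warden(rules).process, flow)]  # one Warden keeps state across the flow
```

Running demo() yields the scrubbed beacon, the first reply with only its second "exec" altered, and the second reply with its "CMD" header rewritten, which is the cross-packet targeting the abstract refers to.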