Dynamic malware analysis traditionally runs in a closed network environment without an Internet connection. This prevents the malware from causing damage to the outside world. However, for malware that involves a significant amount of network activity, a closed network environment defeats the purpose of dynamic analysis, as much of the malware's network behavior will not be exhibited and captured.
We propose a system that allows malware to exhibit network behavior in a dynamic malware analysis environment while also ensuring that the malware can do no harm beyond the boundary of the analysis environment. Instead of blocking propagation and attack traffic, our system transparently retargets it to decoys inside the analysis environment. At the same time, we allow the malware's control traffic, which is deemed to be harmless, to cross the boundary of the analysis environment.
The evaluation results show that our system significantly increases the amount of observed network activity during dynamic malware analysis compared with a traditional closed network environment. The overall effect is a dynamic analysis environment that is useful for malware with a large amount of network activity.
The use of traffic retargeting and decoys in our system can improve the effectiveness of dynamic analysis beyond what an open network environment (with unrestricted Internet access) can offer. This happens when malware requires access to machines on the Internet which, for some reason, are not reachable at the time of analysis. An example is a spam-ware sending spam e-mails through a hard-coded SMTP server that was known to accept public relaying. If the hard-coded SMTP server is no longer functioning, a dynamic analysis of the malware will fail to reveal the full picture of the malware's behavior. In our experiments, we were able to use our system to retarget the SMTP traffic of such a spam-ware and extract both the recipient list and the mail content (including a backdoor program in the attachment) from the spam-ware.
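As an added illustration of the two ideas above (retargeting propagation/attack traffic to in-environment decoys while letting control traffic out, and a decoy SMTP server that captures the recipient list and mail content of a spam-ware), here is a small self-contained Python example. It is not the thesis's own code: the port-based classification rule, the decoy addresses, the `retarget_decision` and `SmtpDecoy` names, and the SMTP session in `SAMPLE_SESSION` are all constructed for this example.

```python
"""Added example (not the thesis's implementation): a retargeting policy plus a
decoy SMTP sink that records what a spam-ware would have sent.

Assumptions made here, not in the thesis: propagation/attack traffic is
recognised by destination port (SMTP 25, SMB 139/445); everything else is
treated as control traffic and allowed out. Decoy addresses are constructed.
"""
import re

# Constructed decoy addresses inside the analysis environment (assumption).
DECOY = {"smtp": ("10.0.0.25", 25), "smb": ("10.0.0.45", 445)}


def retarget_decision(dst_ip, dst_port, proto="tcp"):
    """Decide what the boundary gateway does with a new flow.

    Returns ("retarget", decoy_ip, decoy_port) for propagation/attack traffic
    and ("allow", dst_ip, dst_port) for control traffic that may leave the
    environment. A DNAT rule on the gateway would enforce the "retarget" case.
    """
    if proto == "tcp" and dst_port == 25:
        return ("retarget",) + DECOY["smtp"]          # spam delivery -> decoy MTA
    if proto == "tcp" and dst_port in (139, 445):
        return ("retarget",) + DECOY["smb"]           # SMB propagation -> decoy share
    return ("allow", dst_ip, dst_port)                # deemed control traffic


class SmtpDecoy:
    """Minimal decoy MTA: accepts every command and records envelope and body."""

    def __init__(self):
        self.sender = None
        self.recipients = []   # RCPT TO addresses, i.e. the spam target list
        self.messages = []     # raw message bodies, one per DATA transaction
        self._in_data = False
        self._buf = []

    def handle_line(self, line):
        """Consume one client line; return the reply string or None (inside DATA)."""
        if self._in_data:
            if line == ".":                       # end of DATA
                self._in_data = False
                self.messages.append("\r\n".join(self._buf))
                self._buf = []
                return "250 OK: queued"
            # Undo SMTP dot-stuffing (RFC 5321 section 4.5.2).
            self._buf.append(line[1:] if line.startswith("..") else line)
            return None
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 decoy"
        if verb == "MAIL":
            m = re.search(r"<([^>]*)>", line)
            self.sender = m.group(1) if m else None
            return "250 OK"
        if verb == "RCPT":
            m = re.search(r"<([^>]*)>", line)
            if m:
                self.recipients.append(m.group(1))
            return "250 OK"
        if verb == "DATA":
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"   # accept anything else so the client keeps talking


def run_session(lines):
    """Feed a captured client session to the decoy; return (decoy, replies)."""
    decoy = SmtpDecoy()
    replies = ["220 decoy ESMTP"]
    for line in lines:
        reply = decoy.handle_line(line)
        if reply:
            replies.append(reply)
    return decoy, replies


def attachment_names(message):
    """Filenames of MIME parts declared as attachments (simple header scan)."""
    return re.findall(r'Content-Disposition:\s*attachment;\s*filename="([^"]+)"',
                      message, re.IGNORECASE)


# Constructed client session standing in for what a spam-ware would send.
SAMPLE_SESSION = [
    "EHLO infected-host",
    "MAIL FROM:<bot@example.net>",
    "RCPT TO:<alice@example.com>",
    "RCPT TO:<bob@example.org>",
    "DATA",
    "From: bot@example.net",
    "Subject: your invoice",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "please see the attached file",
    "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="sample_attachment.exe"',
    "",
    "BASE64-PLACEHOLDER",   # constructed stand-in for the attachment body
    "--b1--",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    print(retarget_decision("203.0.113.10", 25))
    decoy, replies = run_session(SAMPLE_SESSION)
    print(decoy.recipients, attachment_names(decoy.messages[0]))
```

Running the module prints the retargeting decision for an outbound SMTP flow and the recipient list and attachment name recovered by the decoy. In a real deployment the decision function would drive the gateway's DNAT rules and the decoy would listen on the decoy address; the separation shown here, classify at the boundary and capture at the decoy, is the point.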
From the second case study, we can see that some malware behaves in ways our design did not anticipate. In future work, we will execute more malware samples and apply different stateful modules for each protocol in each such case. In addition, our experiments used a simple dynamic malware analysis setup; a more sophisticated dynamic malware analysis environment may reveal more meaningful activities.