TrumanBox: Improving Dynamic Malware Analysis by Emulating the Internet

  • Conference paper
Stabilization, Safety, and Security of Distributed Systems (SSS 2011)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 6976)

Abstract

Dynamic analysis of malicious software (malware) is a powerful tool in countering modern threats on the Internet. In dynamic analysis, a malware sample is executed in a controlled environment and its actions are logged. Through dynamic analysis, an analyst can quickly obtain an overview of the malware's behavior and decide whether or not to engage in tedious manual analysis of the sample. However, conventional dynamic analysis exposes the Internet to the threats posed by the executed malware (such as port scans), because the advanced concealment techniques of malware often require full Internet access. For example, a missing link to the Internet or the unavailability of a specific server often causes the malware not to trigger its malicious behavior. In this paper, we present TrumanBox, a technique that emulates relevant parts of the Internet to enhance dynamic malware analysis. We show that TrumanBox not only prevents many threats but also enlarges the scope of the types of malware that can be analyzed dynamically.


Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gorecki, C., Freiling, F.C., Kührer, M., Holz, T. (2011). TrumanBox: Improving Dynamic Malware Analysis by Emulating the Internet. In: Défago, X., Petit, F., Villain, V. (eds) Stabilization, Safety, and Security of Distributed Systems. SSS 2011. Lecture Notes in Computer Science, vol 6976. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24550-3_17

  • DOI: https://doi.org/10.1007/978-3-642-24550-3_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-24549-7

  • Online ISBN: 978-3-642-24550-3

  • eBook Packages: Computer Science (R0)
