
Dronezilla: designing an accurate malware behavior retrieval system

  • Original Paper
  • Journal in Computer Virology

Abstract

In a world where computer infections crawl from every corner of the web, reliable technological assets must be developed to fight the ever-growing swarm of malicious software. With reliability and automation as our primary goals, we developed a framework environment based on real hardware. Within this environment one can automate most of the quality assurance and malware analysis tools that require the accurate behavior of malware samples, behavior that cannot otherwise be obtained from operating systems running in virtual machines. One of the hard constraints we had in building this system was the speed of reverting from the infected operating system to the clean snapshot, or even to a brand new operating system altogether. To overcome this step, we chose to boot the test machines over the network from a repository server that manages hard-drive allocation. The logic for snapshotting, cloning and destroying hard-disk images was built on top of the ZFS file system running as a FreeBSD kernel module. Using this design, we managed to achieve a negligible delay from shutting down one operating system to booting from a brand new hard drive. Another important requirement was to have an unattended, scalable and secure system. We discuss some of the interesting challenges we confronted in achieving these tasks, such as scripting-language-controlled Power Distribution Units, video monitoring of client machines over the network, and private networking between each drone and its managing server. We present here, step by step, our progress in developing this framework, including the choice of existing technologies, the changes that were needed, and usage scenarios that range from modifying network interface card firmware, redesigning the AoE transmission protocol and drivers for every supported client operating system, to designing a web application for user interaction.
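The revert mechanism the abstract describes (a clean golden image snapshotted on ZFS, one clone per drone, and a revert that destroys and re-clones instead of copying) can be sketched as a small lifecycle script. This is an added example, not code from the paper or the Dronezilla project. It assumes a pool named `tank`, golden datasets under `tank/golden/<os>` with a `@clean` snapshot, per-drone clones under `tank/drones/<drone>`, and that the clone is subsequently exported to the drone over AoE by a separate step not shown here; all of these names are hypothetical. With `DRY_RUN=1` (the default) the script prints the `zfs` commands it would run, so it can be reviewed without a ZFS host.

```shell
#!/bin/sh
# Added example (not the paper's code): per-drone disk lifecycle on ZFS.
# Hypothetical layout: tank/golden/<os>@clean is the pristine image,
# tank/drones/<drone> is the writable clone a drone boots from over the network.

POOL="${POOL:-tank}"       # assumed pool name
DRY_RUN="${DRY_RUN:-1}"    # 1 = print commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Dataset components come from user input (web UI, job queue), so reject
# anything that is not a plain name before it reaches the zfs command line.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Freeze the current state of a golden image as the @clean snapshot.
# Snapshots are instant and cost no extra space until data diverges.
golden_snapshot() {
    valid_name "$1" || return 1
    run zfs snapshot "$POOL/golden/$1@clean"
}

# Allocate a fresh writable disk for a drone from the golden snapshot.
# A clone shares all blocks with its origin, so this is O(1), not a copy.
drone_allocate() {
    valid_name "$1" && valid_name "$2" || return 1
    run zfs clone "$POOL/golden/$1@clean" "$POOL/drones/$2"
}

# Discard a drone's (possibly infected) disk. Clones must be destroyed
# before their origin snapshot can be, which is the order used here.
drone_destroy() {
    valid_name "$1" || return 1
    run zfs destroy "$POOL/drones/$1"
}

# Revert = destroy the dirty clone, then re-clone the clean snapshot.
# Passing a different <os> gives the drone a brand new operating system
# with the same negligible delay.
drone_revert() {
    drone_destroy "$2" || return 1
    drone_allocate "$1" "$2"
}

# Command-line dispatch, only when arguments are given:
#   sh dronedisk.sh revert winxp drone01
if [ $# -gt 0 ]; then
    cmd="$1"; shift
    case "$cmd" in
        snapshot) golden_snapshot "$@" ;;
        allocate) drone_allocate "$@" ;;
        destroy)  drone_destroy "$@" ;;
        revert)   drone_revert "$@" ;;
        *) echo "usage: $0 {snapshot <os>|allocate <os> <drone>|destroy <drone>|revert <os> <drone>}" >&2; exit 2 ;;
    esac
fi
```

Because every per-drone disk is a clone of one snapshot, the space cost of a fleet is only the blocks each infected system changes, and a revert never touches the golden image itself; that is what makes the shutdown-to-reboot gap negligible in the design described above.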




Corresponding author

Correspondence to Mihai Cimpoesu.


About this article

Cite this article

Cimpoesu, M., Popa, C. Dronezilla: designing an accurate malware behavior retrieval system. J Comput Virol 8, 109–116 (2012). https://doi.org/10.1007/s11416-012-0170-3


  • DOI: https://doi.org/10.1007/s11416-012-0170-3
