Abstract
In a world where computer infections crawl from every corner of the web, reliable technological assets must be developed to fight the ever-increasing swarm of malicious software. With reliability and automation as our primary goals, we developed a framework environment based on real hardware. Within this environment one can automate most quality assurance and malware analysis tools that require the accurate behavior of malware samples, behavior that cannot otherwise be obtained from operating systems running in virtual machines. One of the hard constraints in building this system was the speed of reverting from the infected operating system to a clean snapshot, or even to a brand new operating system altogether. To overcome this, we chose to boot the test machines over the network from a repository server that manages hard-drive allocation. The logic for snapshotting, cloning and destroying hard-disk images was built on top of the ZFS file system running as a FreeBSD kernel module. Using this design, we achieved a negligible delay between shutting down one operating system and booting from a brand new hard drive. Another important requirement was an unattended, scalable and secure system. We discuss some of the interesting challenges we confronted in achieving these goals, such as Power Distribution Units controlled from a scripting language, video monitoring of client machines over the network, and private networking between each drone and its managing server. We present step by step our progress in developing this framework, including the choice of existing technologies, the changes they needed, and usage scenarios ranging from modifying network interface card firmware and redesigning the AoE transmission protocol and drivers for every supported client operating system, to designing a web application for user interaction.
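The abstract's central mechanism is a per-drone disk that is a ZFS clone of a clean snapshot, so that reverting an infected machine is a destroy-and-reclone rather than a copy. The script below is an added example of that lifecycle written for this page; it is not code from the Dronezilla paper or its authors. The pool and dataset names (`tank/images/<os>`, the `@clean` snapshot, `tank/drones/<drone>`) and the `ZFS_DRY_RUN` switch are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: ZFS snapshot/clone lifecycle for one analysis drone.
# Assumed dataset layout (not from the paper):
#   tank/images/<os>         zvol holding a pristine, fully patched OS install
#   tank/images/<os>@clean   read-only snapshot taken once the image is final
#   tank/drones/<drone>      per-drone clone the drone boots from over the network
# ZFS_DRY_RUN=1 prints the zfs commands instead of executing them.

POOL="${POOL:-tank}"
: "${ZFS_DRY_RUN:=0}"

# Run a zfs command, or print it when dry-running.
zfs_cmd() {
    if [ "$ZFS_DRY_RUN" = "1" ]; then
        printf 'zfs %s\n' "$*"
    else
        zfs "$@"
    fi
}

# Create the golden image once: a sparse zvol, then a snapshot named "clean"
# after the OS has been installed into it. Clones are made from the snapshot,
# never from the live image, so no drone ever writes to the image itself.
make_golden_image() {
    os="$1"; size="${2:-40G}"
    zfs_cmd create -s -V "$size" "$POOL/images/$os"
    # ... install the OS into /dev/zvol/$POOL/images/$os here ...
    zfs_cmd snapshot "$POOL/images/$os@clean"
}

# Give a drone a fresh disk: a clone of the clean snapshot.
# A clone shares every block with the snapshot, so it is near-instant and
# costs no space until the drone starts writing (i.e. the infection begins).
provision_drone() {
    drone="$1"; os="$2"
    zfs_cmd clone "$POOL/images/$os@clean" "$POOL/drones/$drone"
}

# Freeze the infected disk for later forensics instead of throwing it away.
keep_infected_state() {
    drone="$1"; tag="$2"
    zfs_cmd snapshot "$POOL/drones/$drone@$tag"
}

# Revert a drone: destroy its clone (and any snapshots on it, hence -r),
# then clone the clean snapshot again. ZFS refuses to destroy the golden
# snapshot while clones of it exist, which is exactly the protection wanted.
reset_drone() {
    drone="$1"; os="$2"
    zfs_cmd destroy -r "$POOL/drones/$drone"
    provision_drone "$drone" "$os"
}

# Usage: ./drone-disk.sh reset drone01 win7
if [ "$#" -gt 0 ]; then
    action="$1"; shift
    case "$action" in
        golden)    make_golden_image "$@" ;;
        provision) provision_drone "$@" ;;
        keep)      keep_infected_state "$@" ;;
        reset)     reset_drone "$@" ;;
        *) echo "usage: $0 {golden|provision|keep|reset} ..." >&2; exit 2 ;;
    esac
fi
```

Two practical caveats: `zfs destroy` fails with "dataset is busy" while the zvol is still exported to a running drone, so the power-off through the PDU and the teardown of the network block export must complete before `reset_drone` runs; and because clones reference the snapshot's blocks, the space an infection consumes is only the delta the drone wrote, which makes a `keep` snapshot of an infected disk cheap to retain for forensics.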
Cite this article
Cimpoesu, M., Popa, C. Dronezilla: designing an accurate malware behavior retrieval system. J Comput Virol 8, 109–116 (2012). https://doi.org/10.1007/s11416-012-0170-3