GQ: Practical Containment for Measuring Modern Malware Systems

ABSTRACT
Measurement and analysis of modern malware systems such as botnets rely crucially on executing specimens in a setting that lets them communicate with other systems across the Internet. Ethical, legal, and technical constraints, however, demand containment of the resulting network activity, so that the malware cannot harm others while it still exhibits its inherent behavior. Current best practices in this space are sorely lacking: measurement researchers often treat containment superficially, and sometimes ignore it altogether. In this paper we present GQ, a malware execution "farm" that uses explicit containment primitives to let analysts develop containment policies naturally, iteratively, and safely. We discuss GQ's architecture and implementation, our methodology for developing containment policies, and the experience gathered from six years of developing and operating the system.
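The abstract describes containment as explicit primitives that an analyst combines into a policy and refines iteratively. The following is an added illustration of that idea, not GQ's code: a first-match rule engine whose primitives are allow, drop, redirect-to-sink and per-destination rate limiting, with a default of drop so that traffic the analyst has not yet classified is contained and logged for the next policy revision. All addresses, ports and rule names are constructed for the example (RFC 5737 test networks for "Internet" hosts, RFC 1918 space for the lab).

```python
"""Illustrative containment policy engine (added example, not GQ's implementation)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"            # release to the Internet unchanged
    DROP = "drop"              # discard silently
    REDIRECT = "redirect"      # rewrite the destination to an internal sink
    RATE_LIMIT = "rate_limit"  # allow up to a per-destination budget, then drop


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    name: str
    match: Callable[[Flow], bool]
    action: Action
    sink: Optional[str] = None         # used by REDIRECT
    max_per_dst: Optional[int] = None  # used by RATE_LIMIT


@dataclass
class Policy:
    rules: List[Rule]
    default: Action = Action.DROP      # default-deny: unclassified traffic never leaves
    counts: dict = field(default_factory=lambda: defaultdict(int))
    unmatched: List[Flow] = field(default_factory=list)

    def decide(self, flow: Flow) -> Tuple[Action, Optional[str]]:
        """First matching rule wins; unmatched flows are logged for policy refinement."""
        for rule in self.rules:
            if not rule.match(flow):
                continue
            if rule.action is Action.RATE_LIMIT:
                key = (rule.name, flow.dst_ip)
                self.counts[key] += 1
                if self.counts[key] > rule.max_per_dst:
                    return Action.DROP, None
                return Action.ALLOW, None
            return rule.action, rule.sink
        self.unmatched.append(flow)
        return self.default, None


# Constructed lab layout: RFC 1918 space is the analysis network, never a target.
LAB_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAB_RESOLVER = "10.0.0.53"   # hypothetical lab DNS resolver
SMTP_SINK = "10.0.0.25"      # hypothetical mail sink that accepts and stores, never relays


def in_lab(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAB_NETS)


def build_policy() -> Policy:
    return Policy(rules=[
        Rule("dns", lambda f: f.proto == "udp" and f.dst_port == 53 and f.dst_ip == LAB_RESOLVER, Action.ALLOW),
        Rule("no-lateral", lambda f: in_lab(f.dst_ip), Action.DROP),  # no spread inside the farm
        Rule("smtp-sink", lambda f: f.proto == "tcp" and f.dst_port == 25, Action.REDIRECT, sink=SMTP_SINK),
        Rule("http", lambda f: f.proto == "tcp" and f.dst_port in (80, 443), Action.RATE_LIMIT, max_per_dst=2),
    ])


def refine(policy: Policy, rule: Rule) -> None:
    """Analyst step: add a rule for traffic seen in the unmatched log, then clear the log."""
    policy.rules.insert(0, rule)
    policy.unmatched.clear()


def demo() -> Tuple[Policy, List[Tuple[Action, Optional[str]]]]:
    policy = build_policy()
    flows = [  # constructed flows as an analysis VM might emit them
        Flow("udp", "10.0.0.53", 53),        # lookup via lab resolver  -> allow
        Flow("tcp", "203.0.113.7", 25),      # spam delivery attempt    -> redirect to sink
        Flow("tcp", "10.0.1.20", 445),       # SMB to a sibling VM      -> drop
        Flow("tcp", "198.51.100.10", 80),    # three HTTP fetches       -> allow, allow, drop
        Flow("tcp", "198.51.100.10", 80),
        Flow("tcp", "198.51.100.10", 80),
        Flow("tcp", "198.51.100.77", 8080),  # unknown, possibly C&C    -> default drop, logged
    ]
    return policy, [policy.decide(f) for f in flows]


if __name__ == "__main__":
    policy, decisions = demo()
    for d in decisions:
        print(d)
    print("unmatched:", policy.unmatched)
```

The unmatched log is the iteration loop the abstract alludes to: after inspecting the dropped 8080 flow, the analyst calls `refine()` with an explicit allow rule for that single destination and re-runs the specimen, so each release of traffic is a deliberate policy decision rather than a side effect of a permissive default.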