GQ: practical containment for measuring modern malware systems

Measurement and analysis of modern malware systems such as botnets relies crucially on execution of specimens in a setting that enables them to communicate with other systems across the Internet. Ethical, legal, and technical constraints however demand containment of resulting network activity in order to prevent the malware from harming others while still ensuring that it exhibits its inherent behavior. Current best practices in this space are sorely lacking: measurement researchers often treat containment superficially, sometimes ignoring it altogether. In this paper we present GQ, a malware execution "farm" that uses explicit containment primitives to enable analysts to develop containment policies naturally, iteratively, and safely. We discuss GQ's architecture and implementation, our methodology for developing containment policies, and our experiences gathered from six years of development and operation of the system.

[1]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[2]  Eddie Kohler,et al.  The Click modular router , 1999, SOSP.

[3]  John C. Klensin,et al.  Simple Mail Transfer Protocol , 2001, RFC.

[4]  Xuxian Jiang,et al.  Collapsar: A VM-Based Architecture for Network Attack Detention Center , 2004, USENIX Security Symposium.

[5]  Michael Vrable,et al.  Scalability, fidelity, and containment in the potemkin virtual honeyfarm , 2005, SOSP '05.

[6]  U. Bayer,et al.  TTAnalyze: A Tool for Analyzing Malware , 2006 .

[7]  V. Paxson,et al.  GQ : Realizing a System to Catch Worms in a Quarter Million Places , 2006 .

[8]  Xuxian Jiang,et al.  Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities , 2006, NDSS.

[9]  Paul Barford,et al.  Toward Botnet Mesocosms , 2007, HotBots.

[10]  Felix C. Freiling,et al.  Toward Automated Dynamic Malware Analysis Using CWSandbox , 2007, IEEE Secur. Priv..

[11]  Nick McKeown,et al.  OpenFlow: enabling innovation in campus networks , 2008, CCRV.

[12]  Xu Chen,et al.  Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware , 2008, 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN).

[13]  Chris Kanich,et al.  On the Spam Campaign Trail , 2008, LEET.

[14]  Dawn Xiaodong Song,et al.  Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering , 2009, CCS.

[15]  Arvind Krishnamurthy,et al.  Studying Spamming Botnets Using Botlab , 2009, NSDI.

[16]  Chris Kanich,et al.  Spamcraft: An Inside Look At Spam Campaign Orchestration , 2009, LEET.

[17]  Chris Kanich,et al.  Spamalytics: an empirical analysis of spam marketing conversion , 2009, CACM.

[18]  W. Timothy Strayer,et al.  SLINGbot: A System for Live Investigation of Next Generation Botnets , 2009, 2009 Cybersecurity Applications & Technology Conference for Homeland Security.

[19]  Jean-Yves Marion,et al.  The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet , 2010, ACSAC '10.

[20]  Terry V. Benzel,et al.  The DETER project: Advancing the science of cyber security experimentation and test , 2010, 2010 IEEE International Conference on Technologies for Homeland Security (HST).

[21]  Chris Kanich,et al.  Botnet Judo: Fighting Spam with Itself , 2010, NDSS.

[22]  Christopher Krügel,et al.  Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries , 2010, 2010 IEEE Symposium on Security and Privacy.

[23]  Vern Paxson,et al.  What's Clicking What? Techniques and Innovations of Today's Clickbots , 2011, DIMVA.

[24]  Vern Paxson,et al.  Measuring Pay-per-Install: The Commoditization of Malware Distribution , 2011, USENIX Security Symposium.

[25]  A. Snoeren,et al.  Universal Honeyfarm Containment , 2022 .