Full Program »
Towards Network Containment in Malware Analysis Systems
network interaction generated by malware samples in dynamic analysis environments such as sandboxes. A currently
unsolved problem consists in the existing dependency between the execution of a malware sample and the external
network hosts (e.g. C&C servers). This dependency affects
the repeatability of the analysis, since the state of these external hosts is out of the control of the sandbox and affects the malware execution. The dependency is also associated to containment concerns, since the network interaction generated by a malware sample is potentially of malicious nature and should not be allowed to reach its targets.
The approach proposed in this paper addressed both the
above concerns by exploring the usefulness of protocol learning techniques for the emulation of the external network environment a malware depends on upon execution. We show that protocol learning techniques, if properly used and configured, can be successfully used to handle the network interaction with malware. We present our solution, Mozzie, and show its ability to autonomously learn the network interaction associated to recent malware samples without requiring a-priori knowledge of the protocol characteristics. The system can be therefore used for the contained and repeatable analysis of unknown samples possibly relying on custom protocols for their communication with external hosts.
Symantec Research Labs