
An Environment for Controlled Worm Replication and Analysis

I actually did something like this for worm detection testing and sample data while I wrote the worm book back in '02 and '03. I found a number of things difficult to do with the resources I had available to me, but this paper shows a much more mature approach to the problem.
So-called 'worms' have been a feature of the malware landscape since the beginning, and yet have been largely ignored by anti-virus companies until comparatively recently. However, the near-complete connectivity of computers in today's western world, coupled with the largely Win32-centric base of installed operating systems, makes the rise of worms inevitable.

The author will describe techniques and mechanisms for constructing and utilising an environment enabling the automatic examination of worms and network-aware viruses. Whilst these techniques are being developed for incorporation into the IBM/Symantec Immune System for Cyberspace, the paper is not intended to be a discussion of the Immune System concept. Instead, the intent is to describe an approach that has been applied to the problem with some measure of success.

The approach involves building a virtual SOHO network, which is in turn connected to a virtual Internet. Both the virtual LAN and WAN are populated with virtual machines. The suspected worm is introduced into this environment, and executed therein. The whole system is closely monitored as execution progresses in the isolated environment, and data is amassed describing what the suspected worm did as it executed. This data is then processed by the system in an attempt to automatically determine whether or not the suspect programming is performing actions indicative of a worm or internet-aware malware.

Source: An Environment for Controlled Worm Replication and Analysis or: Internet-inna-Box, Ian Whalley, Bill Arnold, David Chess, John Morar, Alla Segal, Morton Swimmer.

It turns out that one of the major problems in such an approach is ensuring that a worm host can encounter another vulnerable system in a reasonable amount of time. You may have to play with routing, condense and reverse-NAT hosts (i.e. map whole /8 networks onto a single host or virtual host), or modify the worm code. This is a tricky act, but it's vital to understand why your worm isn't propagating in your virtual host environment.
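To see why the condensing trick matters, here is an added example (not from the paper or from this post) that models a lab routing table collapsing three whole /8 networks onto three virtual hosts and counts how many uniformly random probes a scanning worm needs before one lands on a machine that actually exists; the /8s and host addresses are constructed for illustration.

```python
import ipaddress
import random

# Constructed lab routing table (assumption, not from the paper): each whole /8
# the virtual Internet advertises is collapsed onto a single virtual host, so any
# address a worm picks inside that /8 reaches a machine that exists in the lab.
CONDENSED_ROUTES = {
    ipaddress.ip_network("10.0.0.0/8"): "192.168.100.10",
    ipaddress.ip_network("172.0.0.0/8"): "192.168.100.11",
    ipaddress.ip_network("192.0.0.0/8"): "192.168.100.12",
}

def reverse_nat(dst, routes=CONDENSED_ROUTES):
    """Virtual host that receives traffic for dst, or None when dst lies in a
    /8 the lab does not route (the probe is simply dropped)."""
    addr = ipaddress.ip_address(dst)
    for net, host in routes.items():
        if addr in net:
            return host
    return None

def expected_scans(routes=CONDENSED_ROUTES, condense=True):
    """Mean probes until first contact for a uniform IPv4 scanner:
    2^32 divided by the number of addresses that actually answer."""
    if condense:
        reachable = sum(net.num_addresses for net in routes)
    else:  # naive lab: only the hosts' literal addresses exist
        reachable = len(set(routes.values()))
    return 2**32 / reachable

def scans_until_contact(seed, routes=CONDENSED_ROUTES, condense=True,
                        max_scans=50_000):
    """Simulate the scanner and count probes until one lands on a virtual
    host; None means it exhausted max_scans without making contact."""
    rng = random.Random(seed)
    literal = set(routes.values())
    for n in range(1, max_scans + 1):
        dst = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        if condense:
            hit = reverse_nat(dst, routes)
        else:
            hit = dst if dst in literal else None
        if hit is not None:
            return n
    return None

if __name__ == "__main__":
    print("expected probes, condensed /8s:", round(expected_scans()))
    print("expected probes, naive lab:", round(expected_scans(condense=False)))
    print("simulated probes, condensed /8s:", scans_until_contact(seed=7))
```

With three /8s condensed the scanner needs about 85 probes on average; with only the three literal addresses reachable it needs over a billion, which is why the worm appears not to propagate at all in a naive virtual network.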

January 30, 2005 in papers

Comments


It will be very useful if you reveal the source code and explain...

Posted by: shankar | Mar 29, 2007 12:37:21 AM
