DOI: 10.1145/2068816.2068854

GQ: practical containment for measuring modern malware systems

Published: 02 November 2011

    Abstract

    Measurement and analysis of modern malware systems such as botnets relies crucially on execution of specimens in a setting that enables them to communicate with other systems across the Internet. Ethical, legal, and technical constraints however demand containment of resulting network activity in order to prevent the malware from harming others while still ensuring that it exhibits its inherent behavior. Current best practices in this space are sorely lacking: measurement researchers often treat containment superficially, sometimes ignoring it altogether. In this paper we present GQ, a malware execution "farm" that uses explicit containment primitives to enable analysts to develop containment policies naturally, iteratively, and safely. We discuss GQ's architecture and implementation, our methodology for developing containment policies, and our experiences gathered from six years of development and operation of the system.




      Published In

      IMC '11: Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
      November 2011, 612 pages
      ISBN: 9781450310130
      DOI: 10.1145/2068816

      In-Cooperation

      • USENIX Association

      Publisher

      Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. botnets
      2. command-and-control
      3. honeyfarm
      4. malware containment
      5. malware execution

      Qualifiers

      • Research-article

      Conference

      IMC '11: Internet Measurement Conference
      November 2 - 4, 2011, Berlin, Germany

      Acceptance Rates

      Overall Acceptance Rate 277 of 1,083 submissions, 26%



      Cited By

      • (2019) Improving IoT Botnet Investigation Using an Adaptive Network Layer. Sensors, 19(3):727. DOI: 10.3390/s19030727. Online publication date: 11-Feb-2019.
      • (2019) A Secure Contained Testbed for Analyzing IoT Botnets. Testbeds and Research Infrastructures for the Development of Networks and Communities, pages 124-137. DOI: 10.1007/978-3-030-12971-2_8. Online publication date: 2-Feb-2019.
      • (2018) HoneyCirculator. International Journal of Information Security, 17(2):135-151. DOI: 10.1007/s10207-017-0361-5. Online publication date: 1-Apr-2018.
      • (2018) A Honeyfarm Data Control Mechanism and Forensic Study. Communications and Networking, pages 362-372. DOI: 10.1007/978-3-319-78139-6_37. Online publication date: 27-Mar-2018.
      • (2017) Handling Anti-Virtual Machine Techniques in Malicious Software. ACM Transactions on Privacy and Security, 21(1):1-31. DOI: 10.1145/3139292. Online publication date: 6-Dec-2017.
      • (2017) To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild. 2017 IEEE Symposium on Security and Privacy (SP), pages 770-787. DOI: 10.1109/SP.2017.48. Online publication date: May-2017.
      • (2017) Using Botnet structure to construct the communication system of a real-time monitoring platform: Botnet structure for real-time monitoring platform. 2017 13th International Conference on Natural Computation, Fuzzy Systems and Knowledge Discovery (ICNC-FSKD), pages 2860-2865. DOI: 10.1109/FSKD.2017.8393235. Online publication date: Jul-2017.
      • (2016) HogMap. Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, pages 7-12. DOI: 10.1145/2876019.2876023. Online publication date: 11-Mar-2016.
      • (2016) MARS: An SDN-based malware analysis solution. 2016 IEEE Symposium on Computers and Communication (ISCC), pages 525-530. DOI: 10.1109/ISCC.2016.7543792. Online publication date: Jun-2016.
      • (2016) Membrane: A Posteriori Detection of Malicious Code Loading by Memory Paging Analysis. Computer Security – ESORICS 2016, pages 199-216. DOI: 10.1007/978-3-319-45744-4_10. Online publication date: 15-Sep-2016.
