Design and Implementation of an Isolated Sandbox
Figure 1 shows a functional image of our proposed environment. We discuss these functions in detail below.
Figure 1: Functional Image of Proposed Environment
In the sections below, we use the term target host for a host whose reachability malware checks. According to the end-host view of the Internet, if we can emulate the behavior, the number of gateways, and the link qualities of each target host and gateway, malware will mistakenly believe it is running on the real Internet. Therefore, our proposed mimetic Internet is composed of:
Figure 2: End-Host View of Internet
Figure 3 shows an overview of the implementation.
Figure 3: Overview of Implementation
Figure 4 shows a concept of the parallel sandboxing.
Figure 4: Parallel Sandboxing
We collected 581 specimens, including 73 unknown specimens, with Nepenthes from November 10, 2006 to March 2, 2007. We analyzed all 581 specimens; all of them are Windows or MS-DOS executables. Note that this experiment did not address renewing the actual nodes in order to shorten the interval required between repeated experiments.
Table 1: Classification of Specimens
Classification                               Count
-------------------------------------------  -----
Collected specimens (unified by MD5)           581
Windows (or MS-DOS) executables                581
Known specimens (scanned by ClamAV)            508
  (Known variants)                             168
Unknown specimens (filtered out by ClamAV)      73
Table 2 shows the observed behaviors of the specimens. We observed that 21 specimens, including 8 unknown specimens filtered out by ClamAV, were fooled by our mimetic global sites and global servers and accessed our mimetic Internet. Among the expected behaviors, HTTP access to Google or Microsoft.com was observed in some specimens. Another behavior, which was expected and observed but not addressed by our implementation, was that 349 specimens, including 36 unknown specimens, attempted DNS lookups for their own specific targets. This shows that our mimetic Internet can fool malware, and that dynamically introducing targets is an important issue. Some expected behaviors, HTTP access to Yahoo! and NTP access to time.windows.com, were not observed from any specimen. Furthermore, we note that another expected behavior, probing of network routes, was not analyzed in this experiment, so we cannot say whether it occurred.
Table 2: Observed Behavior
Behavior                           #   (Unknown)
---------------------------------  --  ---------
HTTP access to Google              14      5
HTTP access to Microsoft.com        7      3
HTTP access to Yahoo!               0      0
NTP access to time.windows.com      0      0
DNS retrieve specific hosts       351     37
(Entries are numbers of specimens; "(Unknown)" gives the unknown specimens among them.)
Table 3 shows the number of specimens whose behavior differed between running without the mimetic Internet and running with it, in terms of the number of packets sent per protocol. The column "Increase#" gives the number of specimens that sent more packets when observed with the mimetic Internet, "Decrease#" the number that sent fewer, and "Same#" the number that sent the same number of packets. This result shows that almost all of the malware, with the exception of a single specimen, changes its behavior according to the result of its Internet connectivity check, and that our mimetic Internet can fool it.
Table 3: Without vs. with Mimetic Internet (differences in # of packets)
Protocol  Increase#  Same#  Decrease#
--------  ---------  -----  ---------
ARP             508     56         17
ICMP            103    441         37
UDP             578      1          2
TCP             215    366          0
(Total)         569      1         11
(Entries are numbers of specimens.)
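As an added example, not code from the paper, the comparison behind Table 3 written in Python: constructed per-run packet summaries stand in for the captures of each sandbox run, and the specimen names and the "specimen protocol packets" line format are assumptions.

```python
# Added example (not the paper's code): rebuild Table 3 from constructed per-run
# packet summaries, one "<specimen> <protocol> <packets>" line per entry.
from collections import Counter, defaultdict

PROTOCOLS = ("ARP", "ICMP", "UDP", "TCP")

# Constructed sample: three specimens run without the mimetic Internet.
WITHOUT = """s1 ARP 2
s1 ICMP 1
s1 UDP 1
s2 ARP 3
s2 ICMP 3
s3 ARP 1
s3 UDP 1"""

# Same specimens with the mimetic Internet: s1 reaches its target and starts
# TCP traffic, s2 stops retrying ICMP once its check succeeds, s3 is unchanged.
WITH = """s1 ARP 3
s1 ICMP 1
s1 UDP 2
s1 TCP 2
s2 ARP 3
s2 ICMP 1
s3 ARP 1
s3 UDP 1"""

def parse_summary(text):
    """Parse summary lines into {specimen: Counter(protocol -> packets)}."""
    runs = defaultdict(Counter)
    for line in text.splitlines():
        specimen, proto, n = line.split()
        runs[specimen][proto] += int(n)
    return runs

def classify(delta):
    """Map a packet-count difference (with minus without) to a Table 3 column."""
    return "Increase#" if delta > 0 else "Decrease#" if delta < 0 else "Same#"

def compare_runs(without, with_):
    """Per protocol (and in total), count specimens whose packets rose, stayed equal, or fell."""
    table = {p: Counter() for p in PROTOCOLS + ("(Total)",)}
    for s in set(without) | set(with_):
        a, b = without.get(s, Counter()), with_.get(s, Counter())
        for p in PROTOCOLS:
            table[p][classify(b[p] - a[p])] += 1
        table["(Total)"][classify(sum(b.values()) - sum(a.values()))] += 1
    return table

def unchanged_specimens(without, with_):
    """Specimens identical in both runs: candidates that do not check connectivity."""
    return sorted(s for s in set(without) | set(with_)
                  if without.get(s, Counter()) == with_.get(s, Counter()))
```

Specimens returned by `unchanged_specimens` are the ones to examine by hand, as the paper does for the single specimen whose packet counts did not change.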
Finally, Table 4 shows the number of specimens observed performing DNS lookups without and with the mimetic Internet. The row "unknown" gives the unknown specimens filtered out by ClamAV, "Microsoft.com" the specimens that attempted to access the Microsoft.com web site, and "www.google.com" the specimens that attempted to access the Google web site. The column "w/o" gives the number of specimens that performed DNS lookups without the mimetic Internet, and "w/" the number with it. The numbers in parentheses give the number of DNS domains looked up. This result shows that the specimens change their DNS lookup behavior according to the result of their Internet connectivity check, and that our mimetic Internet can fool them. Thus, we can conclude that the mimetic Internet is capable of changing the behavior of some malware that checks connectivity at startup. However, to ensure that these changes in behavior really mean that the malware was fooled, we have to analyze the behavior of each malware in detail. We are also aware that this experiment and its results can confirm whether our concept is effective, but cannot confirm whether it is sufficient.
Table 4: Without vs. with Mimetic Internet (# of retrieved domains)
Specimens        w/o        w/
---------------  ---------  ---------
unknown            6 (12)    37 (102)
Microsoft.com      0 (0)      7 (26)
www.google.com     0 (0)     14 (28)
Total            107 (123)  351 (658)
(Entries are numbers of specimens, with the number of retrieved DNS domains in parentheses.)