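Full metadata record

| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | 施宗筆 | en_US |
| dc.contributor.author | Shih, Tzung-Bi | en_US |
| dc.contributor.author | 林盈達 | en_US |
| dc.contributor.author | Lin, Ying-Dar | en_US |
| dc.date.accessioned | 2014-12-12T01:59:10Z | - |
| dc.date.available | 2014-12-12T01:59:10Z | - |
| dc.date.issued | 2010 | en_US |
| dc.identifier.uri | http://140.113.39.130/cdrfb3/record/nctu/#GT079955502 | en_US |
| dc.identifier.uri | http://hdl.handle.net/11536/50422 | - |
| dc.description.abstract | Typical dynamic analysis is paired with a closed network environment to prevent malware from attacking machines on the Internet during analysis. However, most of today's malware needs to connect to the Internet to operate. Because traffic bound for the Internet is blocked, the usefulness of an analysis environment paired with a closed network is limited. We propose a system that allows a dynamic malware analysis environment to have seemingly unrestricted Internet access and transparently redirects malicious traffic to decoys within the system, while allowing harmless control traffic to reach the Internet. From more than 2000 suspicious malware samples, we first select 124 that are flagged by four anti-virus products. We then exclude those that have no network behavior or cannot successfully connect to the machines they were designed to contact. In the end, we have 12 malware samples in total. The experimental results show that the network behavior observable with our system is on average 3.35 times that of a closed network, and when analyzing spam-sending malware we even outperform an open network environment. At the same time, the security of the Internet is also improved. | zh_TW |
| dc.description.abstract | Dynamic analysis is typically performed in a closed network environment to prevent malware under analysis from attacking machines on the Internet. However, much of today’s malware requires Internet connections to operate. A closed network analysis environment is of limited use for such malware because Internet-bound connections are blocked. We propose a system that allows malware in a dynamic analysis environment to have seemingly unrestricted Internet access. Our system transparently retargets malicious network connections to compatible decoys within our system while allowing Internet access for harmless control traffic in unknown protocols. Among more than 2000 suspicious malware samples, we first select 124 that are flagged by all anti-virus scanners from 4 different vendors. Then, we exclude those that exhibit no network activity or cannot connect to the machines on the Internet they are designed to contact. Finally, we have 12 malware samples. The evaluation result shows that our system allows the malware to exhibit more network activity than a closed network environment (3.35 times more on average) and even outperforms a baseline open network environment in the case of spammer-type malware. In the meantime, Internet security is significantly improved. | en_US |
| dc.language.iso | en_US | en_US |
| dc.subject | Dynamic Analysis | zh_TW |
| dc.subject | Closed Network | zh_TW |
| dc.subject | Open Network | zh_TW |
| dc.subject | Redirect | zh_TW |
| dc.subject | Dynamic Analysis | en_US |
| dc.subject | Closed Network | en_US |
| dc.subject | Open Network | en_US |
| dc.subject | Retarget | en_US |
| dc.title | Secure and Transparent Replay, Redirection and Forwarding of Network Traffic in a Dynamic Malware Analysis Environment | zh_TW |
| dc.title | Secure and Transparent Network Traffic Replay, Redirect and Relay in a Dynamic Malware Analysis Environment | en_US |
| dc.type | Thesis | en_US |
| dc.contributor.department | Institute of Computer Science and Engineering | zh_TW |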
Appears in collections: Theses


Files in this item:

  1. 550201.pdf

If the file is a zip archive, download and extract it, then open index.html in the extracted folder with a browser to view the full text.