Learning from Authoritative Security Experiment Results

The 2017 LASER Workshop

Understanding Malware’s Network Behaviors using Fantasm

Xiyue Deng, Hao Shi and Jelena Mirkovic

{fxiyueden,shihao,mirkovicg}@isi.edu
Information Sciences Institute

Abstract

Background. There is very little data about how often contemporary malware communicates with the Internet and how essential this communication is for malware’s functionality.

Aim. We aim to quantify what fraction of contemporary malware samples are environment-sensitive and will exhibit very few behaviors when analyzed under full containment. We then seek to understand the purpose of the malware’s use of communication channel and if malware communication patterns could be used to understand its purpose.

Method. We analyze malware communication behavior by running contemporary malware samples on bare-metal machines in the DeterLab testbed, either in full containment or with some limited connectivity, and recording and analyzing all their network traffic. We carefully choose which communication to allow, and we monitor all connections that are let into the Internet. This way we can guarantee safety to Internet hosts, while exposing interesting malware behaviors that do not show under full containment.

Results. We find that 58% of samples exhibit some network activity within the first five minutes of running. We further find that 78% of these samples exhibit more network behaviors when ran under our limited containment, than when ran under full containment, which means that 78% of samples are environment-sensitive. Most common communication patterns involve DNS, ICMP ECHO and HTTP traffic toward mostly nonpublic destinations. Likely purpose of this traffic is botnet command and control. We further show that malware’s network behaviors can be used to determine its purpose with 85–89% accuracy.

Conclusions. Ability to communicate with outside hosts seems to be essential to contemporary malware. This calls for better design of malware analysis environments, which enable safe and controlled communication to expose more interesting malware behaviors.

Important Dates

04/18 Call for Papers
07/15 Submissions Due
09/01 Authors Notified
09/11 Registration Open
          Accepting Student Grant Apps
09/15 Program Announced
09/29 Student Grant Application Deadline
09/22
Hotel reservation deadline
09/29 Pre-workshop papers due
*** EXTENDED ONE WEEK
10/07 Early Bird Registration Closes
*** EXTENDED ONE WEEK
10/18-10/19 Workshop
11/22 Final Papers Due

Apply for student travel grant LASER Venue

Important Links

LASER Workshop Home

Past Workshops

LASER Mailing List

Further Information

If you have questions or comments about LASER, or if you would like additional information about the workshop, contact us at: info@laser-workshop.org.

Join the LASER mailing list to stay informed of LASER news.