Trapping worms in a virtual net

Hamish O'Dea Computer Associates Australia

  Technical stream: Friday 01 Oct 2004, 16.20-17.00.

A good test environment has long been one of the most useful tools at the disposal of a malware researcher. While static disassembly of malicious code is the basis of understanding how it behaves, accurate information can often be derived faster by running the code in an isolated test environment.

The prominence of Internet-aware malicious software has led to several changes in the way malware is analysed. First, the speed at which a threat such as an Internet worm can spread demands immediate information on just how dangerous it is and how it can be mitigated. On top of this, malware increasingly relies on Internet services (name resolution, web, IRC and so on) in order to function at all, which complicates the process of testing the code in a secure, isolated system.

This paper will discuss using VMWare to create a test environment for malicious code. It will look at using VMWare systems for both automated and manual analysis, specifically concentrating on attempting to create a "virtual Internet". The aim is to fool malware into behaving as it would on the real Internet.

The paper will outline the advantages of such a "Virtual Net" - as well as some of the limitations - when analysing viruses, worms, IRC bots, DDoS agents, "blended threats" and more.
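The core of a "virtual Internet" is a set of fake services inside the isolated VM network that answer the way real ones would. The following is an added example, not code from the paper or from VMWare: a minimal DNS sinkhole that resolves every A query to an assumed gateway VM (10.0.0.1, hosting the fake web/IRC services) and logs which names the sample asked for, which is often the first useful indicator an analyst gets from a worm or bot.

```python
# Minimal DNS sinkhole for an isolated VMware-style analysis network.
# Added example (not from the VB2004 paper). Every A query is answered with
# the fake-service gateway's address, so the sample believes it is online,
# and each queried name is logged for the analyst.
import socket
import struct

SINK_IP = "10.0.0.1"   # assumed address of the gateway VM running fake services


def parse_query(pkt: bytes):
    """Return (transaction id, queried name, offset of QTYPE) from a raw query."""
    txid = struct.unpack("!H", pkt[:2])[0]
    labels, pos = [], 12                    # QNAME starts after the 12-byte header
    while pkt[pos]:                         # labels end with a zero-length byte
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return txid, ".".join(labels), pos + 1


def sinkhole_response(pkt: bytes, sink_ip: str = SINK_IP) -> bytes:
    """Build a standard response resolving any A query to sink_ip (TTL 60s)."""
    txid, _name, qend = parse_query(pkt)
    question = pkt[12:qend + 4]             # echo QNAME + QTYPE + QCLASS
    # flags 0x8180: response, recursion desired + available, no error
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer back to the QNAME at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(sink_ip)
    return header + question + answer


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a sample A query; used here only as constructed test input."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def serve(bind: str = "0.0.0.0", port: int = 53, log=print) -> None:
    """Answer every query on UDP/53; run only on the isolated analysis network."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        pkt, peer = sock.recvfrom(512)
        log("%s asked for %s" % (peer[0], parse_query(pkt)[1]))
        sock.sendto(sinkhole_response(pkt), peer)
```

The same pattern (accept anything, answer plausibly, log everything) extends to the other services the paper mentions, such as a fake IRC daemon that records the channels and commands a bot tries to use.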
