Title
Malware Sandbox Analysis For Secure Observation Of Vulnerability Exploitation
Abstract
Exploiting vulnerabilities in remote systems is one of the fundamental behaviors of malware and a key determinant of its potential hazard. Understanding which propagation tactics each malware sample uses is essential in incident response, because such information directly informs countermeasures such as writing an IDS signature. Although malware sandbox analysis has recently been studied intensively, little work has been done on securely observing vulnerability exploitation by malware. In this paper, we propose a novel sandbox analysis method for securely observing malware's vulnerability exploitation in a totally isolated environment. In our sandbox, we prepare two victim hosts. We first execute the sample malware on one of these hosts and then let it attack the other host, which is running multiple vulnerable services. As a simple realization of the proposed method, we have implemented a sandbox using Nepenthes, a low-interaction honeypot, as the second victim. Because Nepenthes can emulate a variety of vulnerable services, we can efficiently observe the propagation of sample malware. In the experiments, among 382 samples whose scan capabilities were confirmed, 381 successfully started exploiting vulnerabilities of the second victim. This indicates a certain level of feasibility for the proposed method.
Year
2009
DOI
10.1587/transinf.E92.D.955
Venue
IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS
Keywords
malware sandbox analysis, exploit code detection, low-interaction honeypot
Field
Sandbox (computer security), Cryptovirology, Honeypot, Incident response, Computer security, Computer science, Malware, Isolated environment, Vulnerability
DocType
Journal
Volume
E92D
Issue
5
ISSN
1745-1361
Citations
2
PageRank
0.41
References
6
Authors
6
Name, Order, Citations, PageRank
Katsunari Yoshioka, 1, 147, 22.92
Daisuke Inoue, 2, 2, 0.41
Masashi Eto, 3, 170, 16.36
Yuji Hoshizawa, 4, 30, 2.53
Hiroki Nogawa, 5, 49, 5.93
Koji Nakao, 6, 194, 19.09