GQ: Practical Containment for Measuring Modern Malware Systems Christian Kreibich Nicholas Weaver Chris Kanich ICSI & UC Berkeley ICSI & UC Berkeley UC San Diego
[email protected] [email protected] [email protected] Weidong Cui Vern Paxson Microsoft Research ICSI & UC Berkeley
[email protected] [email protected] Abstract their behavior, sometimes only for seconds at a time (e.g., to un- Measurement and analysis of modern malware systems such as bot- derstand the bootstrapping behavior of a binary, perhaps in tandem nets relies crucially on execution of specimens in a setting that en- with static analysis), but potentially also for weeks on end (e.g., to ables them to communicate with other systems across the Internet. conduct long-term botnet measurement via “infiltration” [13]). Ethical, legal, and technical constraints however demand contain- This need to execute malware samples in a laboratory setting ex- ment of resulting network activity in order to prevent the malware poses a dilemma. On the one hand, unconstrained execution of the from harming others while still ensuring that it exhibits its inher- malware under study will likely enable it to operate fully as in- ent behavior. Current best practices in this space are sorely lack- tended, including embarking on a large array of possible malicious ing: measurement researchers often treat containment superficially, activities, such as pumping out spam, contributing to denial-of- sometimes ignoring it altogether. In this paper we present GQ, service floods, conducting click fraud, or obscuring other attacks a malware execution “farm” that uses explicit containment prim- by proxying malicious traffic.