2012 Volume 20 Issue 4 Pages 835-845
Recent malware communicate with remote hosts in the Internet for receiving C&C commands and updating themselves, etc., and their behaviors can be diverse depending on the behaviors of the remote hosts. Thus, when analyzing these malware by sandbox analysis, it is important not only to focus behaviors of a malware sample itself but also those of the remote servers that are controlled by attackers. A simple solution to achieve this is to observe the live sample by an Internet-connected sandbox for a long period of time. However, since we do not know when these servers will send meaningful responses, we need to keep the sample being executed in the sandbox, which is indeed a costly operation. Also, leaving the live malware in the Internet-connected sandbox increases the risk that its attacks spill out of the sandbox and induce secondary infections. In this paper, we propose a novel sandbox analysis method using a dummy client, an automatically generated lightweight script to interact with the remote servers instead of the malware sample itself. In the proposed method, at first we execute a malware sample in the sandbox that is connected to the real Internet and Internet Emulator. Secondly, we inspect the traffic observed in the sandbox and filter out high-risk communications. The rest of the traffic data is then used by the dummy client to interact with the remote servers instead of the sample itself and effectively collects the responses from the servers. The collected server responses are then fed back to the Internet Emulator in the sandbox and will be used for improving observability of malware sandbox analysis. In the experiment with malware samples captured in the wild, we indeed observed a considerable number of changes in the responses from the remote servers that were obtained by our dummy client. Also, in comparison with the simple Internet-connected sandbox, the proposed sandbox could improve observability of malware sandbox analysis.
