Integrated honeypot based malware collection and analysis
Today's most disruptive cyber threats can be attributed to botnet-connected malware. Thus, timely intelligence on emerging trends in the malicious landscape is an essential prerequisite for successful malware defense. This is commonly gained by collecting and examining current real-world attack data and by a preferably meticulous analysis of the most recent malware samples. However, the ongoing sophistication of malware has led to intensive obfuscation and anti-debugging measures and has also resulted in a complex, multi-staged malware execution life-cycle. In this thesis we present a novel approach for integrated honeypot-based malware collection and analysis, which extends the functionality of existing approaches. Specifically, our approach addresses the separation of collection and analysis, the limitations of service emulation and the operational risk of high-interaction honeypots. Our overall goal is to capture and analyze malware at large scale while covering the entire execution life-cycle of a given malware. This should happen in a preferably automated fashion within a controlled environment while also being able to handle novel malware and the respective command-and-control (C&C) communication. Contrary to purely network-based approaches, we aim to retrieve information about the malware's logic at runtime on a collection and analysis system. Thus we can provide the malware currently under analysis with all requested resources in time, even though it is executed within an isolated environment. Our assumption is that being able to track the entire malware execution life-cycle enables a better understanding of current and emerging malware. In addition, we develop a concept for providing emulated services to a malware sample under analysis, thereby fulfilling possible liability constraints. In particular, we focus on the issue of handling unknown traffic patterns, such as C&C protocols, within our approach.
To this end we present a proof-of-concept implementation leveraging finite state machines for generating service emulation scripts intended to spawn an emulated C&C service. We evaluate the feasibility of our proof of concept using C&C traffic from a self-made minimal botnet.
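As an added illustration of the finite-state-machine idea sketched above (example code written for this page, not the thesis's own proof-of-concept implementation): the snippet below learns a small state machine from captured request/response sessions, renders it as a human-readable emulation script, and then replays it as an emulated C&C endpoint inside the sandbox. The sessions are constructed sample data, the protocol is assumed to be whitespace-delimited with the first token acting as the command verb, and requests that hit no learned transition get a generic fallback reply while being recorded for the analyst, which is the "unknown traffic pattern" case the abstract singles out.

```python
"""Learn a finite state machine (FSM) from observed client/server exchanges and
use it to emulate the observed service for a sample under analysis.

Added example for this page; the sessions below are constructed, not thesis data.
"""
from collections import Counter, defaultdict

# Constructed sessions: ordered (client_request, server_response) pairs observed
# while samples talked to their real controller inside the sandbox.
SESSIONS = [
    [(b"HELLO bot-1", b"OK"), (b"GETCMD", b"SLEEP 60"), (b"BYE", b"OK")],
    [(b"HELLO bot-2", b"OK"), (b"GETCMD", b"SLEEP 60"), (b"BYE", b"OK")],
    [(b"HELLO bot-3", b"OK"), (b"GETCMD", b"NOP"),
     (b"GETCMD", b"SLEEP 60"), (b"BYE", b"OK")],
]


def verb_of(request: bytes) -> bytes:
    """Generalise a request to its leading token; the rest is treated as a
    variable field (assumption: the protocol is whitespace-delimited)."""
    parts = request.split()
    return parts[0] if parts else b""


class ServiceFSM:
    """State machine learned as a prefix tree over (state, verb) transitions."""

    def __init__(self):
        self.next_state = {}                    # (state, verb) -> next state
        self.responses = defaultdict(Counter)   # (state, verb) -> observed replies
        self.n_states = 1                       # state 0 is the initial state

    def learn(self, sessions):
        for session in sessions:
            state = 0
            for request, response in session:
                key = (state, verb_of(request))
                if key not in self.next_state:
                    self.next_state[key] = self.n_states
                    self.n_states += 1
                self.responses[key][response] += 1
                state = self.next_state[key]
        return self

    def reply_for(self, key):
        """Most frequently observed reply on a learned transition."""
        return self.responses[key].most_common(1)[0][0]

    def emulation_script(self) -> str:
        """Render the learned transitions as one line per transition."""
        lines = []
        for (state, verb), nxt in sorted(self.next_state.items()):
            reply = self.reply_for((state, verb))
            lines.append(f"S{state} --{verb.decode()}--> S{nxt} : reply {reply!r}")
        return "\n".join(lines)


class EmulatedService:
    """Replays the learned FSM for one client session."""

    def __init__(self, fsm: ServiceFSM, fallback: bytes = b"OK"):
        self.fsm = fsm
        self.state = 0
        self.fallback = fallback
        self.unknown = []   # (state, request) pairs that matched no transition

    def handle(self, request: bytes) -> bytes:
        key = (self.state, verb_of(request))
        if key in self.fsm.next_state:
            self.state = self.fsm.next_state[key]
            return self.fsm.reply_for(key)
        # Unknown pattern: answer generically, stay in the current state and
        # keep the request so the analyst can extend the model later.
        self.unknown.append((self.state, request))
        return self.fallback


def run_session(fsm: ServiceFSM, requests, fallback: bytes = b"OK"):
    """Drive one emulated session; returns (replies, unknown_requests)."""
    svc = EmulatedService(fsm, fallback)
    replies = [svc.handle(r) for r in requests]
    return replies, svc.unknown


if __name__ == "__main__":
    model = ServiceFSM().learn(SESSIONS)
    print(model.emulation_script())
    # A new sample issues a verb never seen during collection.
    print(run_session(model, [b"HELLO bot-9", b"GETCMD", b"UPLOAD data", b"BYE"]))
```

Where several replies were observed on the same transition, the most frequent one is served; the prefix-tree construction keeps sessions that diverge later (the third session's second `GETCMD`) on their own branch instead of merging them into a loop, which is a deliberate trade-off of model size against fidelity.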
Hagen, Fernuniv., Master Thesis, 2012