Sandnet
The Institute for Internet Security (if(is)) developed Sandnet as a system to analyze the network behavior of malware. Technically speaking, Sandnet is a configuration that we use to infect virtualized Windows hosts with recent samples of malicious software (malware). Sandnet is a controlled environment: we limit the potential damage the malware can cause while making sure that the infected system appears as normal as possible to it. For a more detailed description of the system, please refer to our research article at the BADGERS workshop, published in April 2011.
Sandnet is used to generate statistics and to show trends in the network behavior of malware. This website gives an overview of some important observations we made while analyzing more than 100,000 malware samples over an analysis period of 12 months.
Network Activity of Malware
Our analysis has shown that most malware authors use DNS to resolve domain names into IP addresses. While in the early days of botnets IP addresses tended to be hard-coded into malware binaries, nowadays more than 9 out of 10 malware samples use DNS as a reliable and flexible way to contact their servers.
In addition, we identified HTTP as the prevalent application protocol: 59% of all malware samples use it. While plain HTTP is far more common, we also found that 12% of the malware samples communicate over its encrypted variant via SSL/TLS. Figure 1 gives an overview of the other network protocols malware uses for communication.

- Figure 1: Network protocols used by malware samples in Sandnet
Analysis of HTTP Traffic
HTTP is the most prevalent application-layer network protocol observed in Sandnet. We inspected this HTTP traffic and identified C&C channels, click fraud, Web 2.0 spam, email address harvesting and downloads of more recent malicious binaries as malicious actions carried out via HTTP. However, malware authors have further potential for abusing the HTTP protocol. Figure 2 shows the number of HTTP requests that malware samples typically perform during our analysis period of one hour.
In collaboration with the VU University of Amsterdam and the University of Erlangen, if(is) published a research article at the BADGERS 2011 workshop. BADGERS (Building Analysis Datasets and Gathering Experience Returns for Security) was a workshop held in April 2011, specifically intended to encourage the development of large-scale security-related data collection and analysis initiatives. For further Sandnet analysis results we refer to our paper "Sandnet - Network Traffic Analysis of Malicious Software".

- Figure 2: Number of HTTP requests per malware sample
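As an added illustration (not code from Sandnet or from the paper), the following Python script shows how the two kinds of statistics discussed above, the share of samples using DNS, HTTP and SSL/TLS (Figure 1) and the number of HTTP requests per sample (Figure 2), can be derived from per-flow client payloads. Classification is content-based rather than port-based, because malware does not reliably use standard ports (the example includes HTTP on port 8080). The flow records are constructed sample data, the protocol signatures are minimal heuristics of my own, and all function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Match an HTTP request line at the start of a line; re.M lets findall count
# several requests carried over one keep-alive connection. A real parser would
# honour Content-Length instead of trusting line starts inside bodies.
HTTP_REQ = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n", re.M)
IRC_CMD = re.compile(rb"^(?:NICK|USER|PASS|JOIN) ")


def dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query; used only to construct sample traffic."""
    qname = b"".join(len(l).to_bytes(1, "big") + l.encode() for l in name.split(".")) + b"\x00"
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3  # RD set, QDCOUNT=1
    return header + qname + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN


def is_dns_query(payload: bytes) -> bool:
    """Standard query: QR bit clear, opcode 0, at least one question."""
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    return (flags & 0x8000) == 0 and (flags & 0x7800) == 0 and qdcount >= 1


def classify_flow(transport: str, payload: bytes) -> str:
    """Port-independent application-protocol label for the client side of a flow."""
    if HTTP_REQ.match(payload):
        return "HTTP"
    # TLS record: content type handshake (0x16), version 3.x, handshake type ClientHello (0x01)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "TLS"
    if transport == "udp" and is_dns_query(payload):
        return "DNS"
    if IRC_CMD.match(payload):
        return "IRC"
    return "other"


# Constructed flow records: (sample_id, transport, dst_port, client payload).
# Four fictitious samples; none of this is Sandnet data.
FLOWS = [
    ("s1", "udp", 53, dns_query("www.example.com")),
    ("s1", "tcp", 80, b"GET /gate.php?id=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("s1", "tcp", 80, b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
                      b"GET /a HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # two pipelined requests
    ("s2", "udp", 53, dns_query("cnc.example.org", 0x0002)),
    ("s2", "tcp", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello
    ("s3", "tcp", 6667, b"NICK abc\r\nUSER abc 0 * :abc\r\n"),  # IRC C&C
    ("s4", "tcp", 8080, b"GET / HTTP/1.0\r\n\r\n"),  # HTTP on a non-standard port
]


def protocol_prevalence(flows):
    """Fraction of samples that used each protocol at least once (Figure 1 style)."""
    samples = {sid for sid, *_ in flows}
    users = defaultdict(set)
    for sid, transport, _port, payload in flows:
        users[classify_flow(transport, payload)].add(sid)
    return {proto: len(s) / len(samples) for proto, s in users.items()}


def http_requests_per_sample(flows):
    """Number of HTTP requests per sample; samples without HTTP count as 0."""
    counts = Counter({sid: 0 for sid, *_ in flows})
    for sid, transport, _port, payload in flows:
        if classify_flow(transport, payload) == "HTTP":
            counts[sid] += len(HTTP_REQ.findall(payload))
    return dict(counts)


def http_request_histogram(flows):
    """Samples per request count, the data behind a Figure 2 style plot."""
    return Counter(http_requests_per_sample(flows).values())


if __name__ == "__main__":
    for proto, share in sorted(protocol_prevalence(FLOWS).items()):
        print(f"{proto:5s} used by {share:.0%} of samples")
    print("HTTP requests per sample:", http_requests_per_sample(FLOWS))
```

The per-sample aggregation matters: a sample that issues hundreds of DNS queries still counts once in the prevalence figure, which is what makes the "9 out of 10 samples" statement comparable across samples with very different traffic volumes.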
Future Work and Contact Details
We currently use and extend Sandnet for our research activities. As part of our future work, we plan to perform clustering analysis on the network behavior to show the similarity among different malware samples. We also plan to integrate the analysis of system-level activities into Sandnet, such as linking process information to network activity. In addition, we are exploring ways to detect malicious activities in mixed traffic based on Sandnet data. We further strive for a more accurate view of the analysis data, in particular to distinguish benign from malicious communication endpoints.
We hope our ongoing research will be of great value to researchers and practitioners and help them acquire a more detailed understanding of malware behavior. If you have further ideas on how to use Sandnet or its data for other research activities, please feel free to contact Christian J. Dietrich or Christian Rossow via email. We are also open to analyzing specific malware binaries. Should you feel that a particular malware family needs special treatment, please do not hesitate to contact us. We are always happy to receive feedback on our work or input for new research areas.
Joint Work
During the analysis of Sandnet traffic, if(is) collaborated with the following universities: the VU University of Amsterdam and the University of Erlangen.