Large-scale malware experiments, why, how, and so what? presented at Virus Bulletin 2010

by Joan Calvet (Loria),

Summary:

One of the most popular research areas in the anti-malware industry (second only to detection) is how to document malware characteristics and understand their operations. Most initiatives are based on the reverse engineering of malicious binaries so as to understand a threat's features. In order to fully understand the challenges faced by a malware operator, it is necessary to reproduce a scenario where researchers have to manage thousands of infected computers in order to reach a set of objectives. In this paper, we will explain how we have set up an experimental environment in which to run large-scale malware experiments involving thousands of infected systems. We also describe our first set of experiments involving the Waledac botnet. The purpose of these experiments was to evaluate the performance of attacks against the botnet, namely to measure the impact on spam output when there is disruption of the peer-to-peer command and control channel. In this experiment, we not only measured the effectiveness of an attack against the botnet but also the quality of the self-defence features included in Waledac's communication protocol. We elaborate on the results of this experiment and explain the many technical details which slowed our progress but which also made this experience so fascinating. Finally, we discuss future experiments to evaluate realistic botnet defences such as increasing the number of infected hosts, updating binaries or detecting the intrusions of fake bots.