Large-scale malware experiments

LARGE-SCALE MALWARE EXPERIMENTS ... CALVET ET AL.

LARGE-SCALE MALWARE EXPERIMENTS: WHY, HOW, AND SO WHAT?
Joan Calvet, Jose M. Fernandez, École Polytechnique de Montréal, Montréal, Canada. Email: {joan.calvet, jose.fernandez}@polymtl.ca
Pierre-Marc Bureau, ESET, Montréal, Canada. Email: pbureau@eset.com
Jean-Yves Marion, LORIA, Nancy, France. Email: jean-yves.marion@loria.fr

ABSTRACT

One of the most popular research areas in the anti-malware industry (second only to detection) is documenting malware characteristics and understanding how malware operates. Most initiatives are based on reverse engineering malicious binaries in order to understand a threat's features. To fully understand the challenges faced by a malware operator, it is sometimes necessary to reproduce a scenario in which researchers must manage thousands of infected computers in order to reach a set of objectives. In this paper, we first discuss the reasons why one would want to replicate a botnet and perform experiments while managing it. In our case, our objective was to emulate the Waledac botnet and assess the performance of a mitigation scheme against its peer-to-peer

• Unlike in-the-wild experiments [1], an emulated botnet raises fewer ethical and legal issues, since no arbitrary attacks are performed against real infected computers.
• Having an in vitro environment gives us a way to conduct computer security research scientifically: we can reproduce experiments and test the effect of various independent variables.

We decided to use the Waledac botnet as a first experiment for the following reasons:

• Thanks to prior reverse engineering [2], we had in-depth knowledge of this threat family.
• This malware does not self-replicate, which limits the risk of an experiment getting out of control.
• Waledac's peer-to-peer protocol contains a set of vulnerabilities that were worth investigating. We wanted to evaluate the impact of a mitigation scheme against the botnet.
