Trapping worms in a virtual net

Hamish O'Dea Computer Associates Australia

A good test environment has long been one of the most useful tools at the disposal of a malware researcher. While static disassembly of malicious code is the basis of understanding how it behaves, accurate information can often be derived faster by running the code in an isolated test environment.

The prominence of Internet-aware malicious software has led to several changes in the way malware is analysed. First, the speed at which a threat, such as an Internet worm, can spread, demands immediate information on just how dangerous it is and how it can be mitigated. On top of this, malware tends to rely more on Internet services in order to function. This complicates the process of testing the code in a secure, isolated system.

This paper will discuss using VMWare to create a test environment for malicious code. It will look at using VMWare systems for both automated and manual analysis, specifically concentrating on attempting to create a "virtual Internet". The aim is to fool malware into behaving as it would on the real Internet.

The paper will outline the advantages of such a "Virtual Net" - as well as some of the limitations - when analysing viruses, worms, IRC bots, DDoS agents, "blended threats" and more.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.