Hamish O'Dea, Computer Associates Australia
A good test environment has long been one of the most useful tools at the disposal of a malware researcher. While static disassembly of malicious code is the basis of understanding how it behaves, accurate information can often be derived faster by running the code in an isolated test environment.
The prominence of Internet-aware malicious software has led to several changes in the way malware is analysed. First, the speed at which a threat such as an Internet worm can spread demands immediate information on just how dangerous it is and how it can be mitigated. On top of this, malware tends to rely more on Internet services in order to function, which complicates the process of testing the code in a secure, isolated system.
This paper will discuss using VMWare to create a test environment for malicious code. It will look at using VMWare systems for both automated and manual analysis, specifically concentrating on attempting to create a "virtual Internet". The aim is to fool malware into behaving as it would on the real Internet.
The paper will outline the advantages of such a "Virtual Net" - as well as some of the limitations - when analysing viruses, worms, IRC bots, DDoS agents, "blended threats" and more.
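One building block a "virtual Internet" of the kind described above needs is a DNS server that answers every query with the address of a lab host running fake services, so that a sample believing it is online connects to the analyst's decoys rather than failing to resolve. The following is an added example written for this page, not code from the paper or from Computer Associates: it implements the DNS wire-format parsing and response construction (testable offline with a constructed query) and a small UDP loop that logs every name a sample asks for, which is itself useful analysis output. The sink address 10.0.0.1 and the bind address are assumptions about the lab's addressing.

```python
"""Minimal fake-DNS responder for an isolated malware analysis network.

Every A query is answered with a single "sink" address (assumed here to be
10.0.0.1, the lab host running fake HTTP/IRC/SMTP services). Queries for
other record types get an empty NOERROR reply so the sample moves on.
"""
import socket
import struct
from typing import Optional, Tuple

QTYPE_A = 1
CLASS_IN = 1


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a standard recursive-desired DNS query (used here to construct test input)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def parse_query(packet: bytes) -> Tuple[int, str, int, bytes]:
    """Return (transaction id, queried name, qtype, raw question section)."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("query carries no question")
    labels = []
    pos = 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Name compression is never valid in the question of a query.
            raise ValueError("compressed name in question section")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, packet[12:pos]


def build_response(packet: bytes, sink_ip: str, ttl: int = 60) -> bytes:
    """Answer an A query with sink_ip; answer anything else with no records."""
    txid, _name, qtype, question = parse_query(packet)
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    if qtype != QTYPE_A:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # Answer RR: pointer to the name at offset 12, type A, class IN, TTL, 4-byte RDATA.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(sink_ip)
    return header + question + answer


def answered_ip(response: bytes) -> Optional[str]:
    """Extract the IPv4 address from the first answer RR, or None if there is no answer."""
    _txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if ancount == 0:
        return None
    pos = 12
    while response[pos] != 0:          # skip the echoed question name
        pos += 1 + response[pos]
    pos += 1 + 4                       # terminator plus qtype/qclass
    _ptr, _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", response[pos:pos + 12])
    pos += 12
    return socket.inet_ntoa(response[pos:pos + rdlen])


def serve(sink_ip: str, bind_addr: str = "0.0.0.0", port: int = 53, log=print) -> None:
    """Run inside the isolated lab network only: answer every query and log what was asked."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply = build_response(data, sink_ip)
            log(f"{peer[0]} resolved {parse_query(data)[1]} -> {sink_ip}")
        except ValueError as exc:
            log(f"{peer[0]} sent malformed DNS ({exc}); ignored")
            continue
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve("10.0.0.1")  # assumed address of the lab host running fake services
```

Pointing the analysis guest's DNS setting at the host running this script is what makes the guest's name lookups succeed without any route to the real Internet; the log line per query then records which hosts the sample tried to reach, which is often the first concrete indicator of what the code does.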