Joan Calvet LORIA
Pierre-Marc Bureau ESET
Jose M. Fernandez Ecole Polytechnique de Montréal
Jean-Yves Marion LORIA
download slides (PDF)
One of the most popular research areas in the anti-malware industry (second only to detection) is how to document malware characteristics and understand their operations. Most initiatives are based on the reverse engineering of malicious binaries so as to understand a threat's features. In order to fully understand the challenges faced by a malware operator, it is necessary to reproduce a scenario where researchers have to manage thousands of infected computers in order to reach a set of objectives.
In this paper, we will explain how we have set up an experimental environment in which to run large-scale malware experiments involving thousands of infected systems. We also describe our first set of experiments involving the Waledac botnet. The purpose of these experiments was to evaluate the performance of attacks against the botnet, namely to measure the impact on spam output when there is disruption of the peer-to-peer command and control channel. In this experiment, we not only measured the effectiveness of an attack against the botnet but also the quality of self defence features included in Waledac's communication protocol. We elaborate on the results of this experiment and explain the many technical details which slowed our progress but which also made this experience so fascinating. Finally, we discuss future experiments to evaluate realistic botnet defences such as increasing the number of infected hosts, updating binaries or detecting the intrusions of fake bots.