Practical Containment for Measuring Modern Malware Systems

Measurement and analysis of modern malware systems such as botnets relies crucially on execution of specimens in a setting that enables them to communicate with other systems across the Internet. Ethical, legal, and technical constraints however demand containment of resulting network activity in order to prevent the malware from harming others while still ensuring that it exhibits its inherent behavior. Current best practices in this space are sorely lacking: measurement researchers often treat containment superficially, sometimes ignoring it altogether. In this paper we present GQ, a malware execution “farm” that uses explicit containment primitives to enable analysts to develop containment policies naturally, iteratively, and safely. We discuss GQ’s architecture and implementation, our methodology for developing containment policies, and our experiences gathered from six years of development and operation of the system.