GQ: Practical Containment for Measuring Modern Malware Systems
Measurement and analysis of modern malware systems such as botnets relies crucially on execution of specimens in a setting that enables them to communicate with other systems across the Internet. Ethical, legal, and technical constraints, however, demand containment of resulting network activity in order to prevent the malware from harming others while still ensuring that it exhibits its inherent behavior. Current best practices in this space are sorely lacking: measurement researchers often treat containment superficially, sometimes ignoring it altogether. In this paper, the authors present GQ, a malware execution "Farm" that uses explicit containment primitives to enable analysts to develop containment policies naturally, iteratively, and safely.