Design and Implementation of an Isolated Sandbox with Mimetic Internet Used to Analyze Malwares
Authors
Abstract
Recent viruses, worms, and bots, collectively called malware, often have anti-analysis functions, such as mechanisms that confirm connectivity to certain Internet hosts and that detect virtualized environments. We discuss how malware can be kept alive in an analysis environment by disabling its anti-analysis mechanisms. To avoid any impact on or from the Internet, we conclude that analysis environments should be disconnected from the Internet but must be able to make malware believe that it is connected to the real Internet. We also conclude that execution environments for analyzing anti-virtualization malware should not be virtualized but must be as easily reconstructable as a virtualized environment. To reconcile these conflicting requirements, we designed an isolated sandbox that consists of a mimetic Internet and renewable actual nodes. We implemented a prototype system and conducted an experiment to test the efficiency of our sandbox.
Similar resources
An Infrastructure for Detecting Malware
Malware is a program with malicious intent. Attacks from malware are rising at an alarming rate, and thousands of malware programs are injected into the Internet. Malware authors use many techniques, such as obfuscation and packing, to avoid detection. A number of malware detection techniques are available, and none of them is able to detect all types of malware. In this paper, a more efficie...
Publication date: 2007