Virtual Playgrounds for Worm Behavior Investigation

To detect and defend against Internet worms, researchers have long hoped to have a safe convenient environment to unleash and run real-world worms for close observation of their infection, damage, and propagation. However, major challenges exist in realizing such “worm playgrounds”, including the playgrounds’

fidelity, confinement, scalability

, as well as

convenience

in worm experiments. In this paper, we present a

virtualization-based

platform to create virtual worm playgrounds, called

vGrounds

, on top of a physical infrastructure. A vGround is an all-software virtual environment dynamically created for a worm attack. It has realistic end-hosts and network entities, all realized as virtual machines (VMs) and confined in a virtual network (VN). The salient features of vGround include: (1)

high fidelity

supporting real worm codes exploiting real vulnerable services, (2)

strict confinement

making the real Internet totally invisible and unreachable from inside a vGround, (3)

high resource efficiency

achieving sufficiently large scale of worm experiments, and (4)

flexible and efficient worm experiment control

enabling fast (tens of seconds) and automatic generation, re-installation, and final tear-down of vGrounds. Our experiments with real-world worms (including

multi-vector worms and polymorphic worms

) have successfully exhibited their probing and propagation patterns, exploitation steps, and malicious payloads, demonstrating the value of vGrounds for worm detection and defense research.