TrumanBox: Improving Dynamic Malware Analysis by Emulating the Internet

  • Christian Gorecki
  • Felix C. Freiling
  • Marc Kührer
  • Thorsten Holz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6976)


Dynamic analysis of malicious software (malware) is a powerful tool in countering modern threats on the Internet. In dynamic analysis, a malware sample is executed in a controlled environment and its actions are logged. Through dynamic analysis, an analyst can quickly obtain an overview of malware behavior and can decide whether or not to indulge into tedious manual analysis of the sample. However, usual dynamic analysis exposes the Internet to the threats of an executed malware (like portscans) because advanced concealment techniques of malware often require full Internet access. For example, a missing link to the Internet or the unavailability of a specific server often causes the malware to not trigger its malicious behavior. In this paper, we present TrumanBox, a technique to emulate relevant parts of the Internet to enhance dynamic malware analysis. We show that TrumanBox not only prevents many threats but also enlarges the scope of the types of malware that can be analyzed dynamically.


Original Server Incoming Connection Malicious Software Login Attempt Full Emulation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Barford, P., Blodgett, M.: Toward botnet mesocosms. In: Proceedings of the USENIX First Workshop on Hot Topics in Understanding Botnets, HotBots I (April 2007)Google Scholar
  2. 2.
    Bayer, U., Moser, A., Krügel, C., Kirda, E.: Dynamic analysis of malicious code. Journal in Computer Virology 2(1), 67–77 (2006)CrossRefGoogle Scholar
  3. 3.
    Chamales, G.: The Honeywall CD-ROM. IEEE Security & Privacy Magazine 2(2), 77–79 (2004)CrossRefGoogle Scholar
  4. 4.
    Gorecki, C.: TrumanBox – Internet Emulation (2011),
  5. 5.
    Flux Group. Emulab: Network emulation testbed home, Internet: (accessed July 2007)
  6. 6.
    Hungenberg, T., Eckert, M.: INetSim – Internet Simulation (2011),
  7. 7.
    International Secure Systems Lab. Anubis: Analyzing unknown binaries (2011),
  8. 8.
    Morris, J.: libipq: iptables userspace packet queuing library, Internet: (accessed July 2007)
  9. 9.
    Claus, R.F.: Overbeck. Botspy – efficient observation of botnets. Presentation at (October 2007)Google Scholar
  10. 10.
    The Honeynet Project. Know Your Enemy: Learning About Security Threats, 2nd edn. Addison-Wesley, Reading (2004)Google Scholar
  11. 11.
    Provos, N.: A Virtual Honeypot Framework. In: Proceedings of the 13th USENIX Security Symposium, pp. 1–14 (2004)Google Scholar
  12. 12.
    Provos, N., Holz, T.: Virtual Honeypots: From Botnet Tracking to Intrusion Detection, 1st edn. Addison-Wesley, Reading (2007)Google Scholar
  13. 13.
    Willems, C., Holz, T., Freiling, F.C.: Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE Security & Privacy Magazine 5(2), 32–39 (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Christian Gorecki
    • 1
  • Felix C. Freiling
    • 2
  • Marc Kührer
    • 3
  • Thorsten Holz
    • 3
  1. 1.AGTGermany
  2. 2.Friedrich-Alexander-University Erlangen-NurembergGermany
  3. 3.Ruhr-University BochumGermany

Personalised recommendations