Security analysts spend days or even weeks in trying to understand the inner workings of malicious software, using a plethora of manually orchestrated tools. Devising automated tools and techniques to assist and speed up the analysis process remains a major endeavor in computer security. While manual intervention will likely remain a key ingredient in the short and mid term, the recent advances in static and dynamic analysis techniques have the potential to significantly impact the malware analysis practice. In this paper we show how an analyst can use symbolic execution techniques to unveil critical behavior of a remote access trojan (RAT). Using a tool we implemented in the Angr framework, we analyze a sample drawn from a well-known RAT family that leverages thread injection vulnerabilities in the Microsoft Win32 API. Our case study shows how to automatically derive the list of commands supported by the RAT and the sequence of system calls that are activated for each of them, systematically exploring the stealthy communication protocol with the server and yielding clues to potential threats that may pass unnoticed by a manual inspection.

Assisting malware analysis with symbolic execution: A case study / Baldoni, Roberto; Coppa, Emilio; D’Elia, Daniele Cono; Demetrescu, Camil. - STAMPA. - 10332:(2017), pp. 171-188. (Intervento presentato al convegno 1st International Conference on Cyber Security Cryptography and Machine Learning, CSCML 2017 tenutosi a Beer-Sheva; Israel nel 2017) [10.1007/978-3-319-60080-2_12].

Assisting malware analysis with symbolic execution: A case study

Baldoni, Roberto;Coppa, Emilio;D’Elia, Daniele Cono
;
Demetrescu, Camil
2017

Abstract

Security analysts spend days or even weeks in trying to understand the inner workings of malicious software, using a plethora of manually orchestrated tools. Devising automated tools and techniques to assist and speed up the analysis process remains a major endeavor in computer security. While manual intervention will likely remain a key ingredient in the short and mid term, the recent advances in static and dynamic analysis techniques have the potential to significantly impact the malware analysis practice. In this paper we show how an analyst can use symbolic execution techniques to unveil critical behavior of a remote access trojan (RAT). Using a tool we implemented in the Angr framework, we analyze a sample drawn from a well-known RAT family that leverages thread injection vulnerabilities in the Microsoft Win32 API. Our case study shows how to automatically derive the list of commands supported by the RAT and the sequence of system calls that are activated for each of them, systematically exploring the stealthy communication protocol with the server and yielding clues to potential threats that may pass unnoticed by a manual inspection.
2017
1st International Conference on Cyber Security Cryptography and Machine Learning, CSCML 2017
ANGR; APT; Malware; RAT; Symbolic execution; Theoretical Computer Science; Computer Science (all)
04 Pubblicazione in atti di convegno::04b Atto di convegno in volume
Assisting malware analysis with symbolic execution: A case study / Baldoni, Roberto; Coppa, Emilio; D’Elia, Daniele Cono; Demetrescu, Camil. - STAMPA. - 10332:(2017), pp. 171-188. (Intervento presentato al convegno 1st International Conference on Cyber Security Cryptography and Machine Learning, CSCML 2017 tenutosi a Beer-Sheva; Israel nel 2017) [10.1007/978-3-319-60080-2_12].
File allegati a questo prodotto
File Dimensione Formato  
Baldoni_Assisting-Malware-Analysis_2017.pdf

solo gestori archivio

Tipologia: Versione editoriale (versione pubblicata con il layout dell'editore)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 827.84 kB
Formato Adobe PDF
827.84 kB Adobe PDF   Contatta l'autore

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11573/1072972
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 19
  • ???jsp.display-item.citation.isi??? 10
social impact