IRIS - Institutional Research Information System

The analysis of a malicious piece of software that involves a remote counterpart that instructs it can be troublesome for security professionals, as they may have to unravel the communication protocol in use to figure out what actions can be carried out on the victim’s machine. The possibility to recur to dynamic analysis hinges on the availability of an active remote counterpart, a requirement that may be difficult to meet in several scenarios. In this paper we explore how symbolic execution techniques can be used to synthesize a command-and-control server for a remote access trojan, enabling in-vivo analysis by malware analysts. We evaluate our ideas against two real-world malware instances.

Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution / Borzacchiello, Luca; Coppa, Emilio; D'Elia, Daniele Cono; Demetrescu, Camil. - Cyber Security Cryptography and Machine Learning Third International Symposium, CSCML 2019, Beer-Sheva, Israel, June 27–28, 2019, Proceedings, (2019), pp. 121-140. (3rd International Symposium on Cyber Security Cryptography and Machine Learning (CSCML 2019), Beer-Sheva; Israel, 2-3 Luglio 2019). [10.1007/978-3-030-20951-3_12].

Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution

Borzacchiello, Luca;Coppa, Emilio;D'Elia, Daniele Cono;Demetrescu, Camil

2019

Abstract

The analysis of a malicious piece of software that involves a remote counterpart that instructs it can be troublesome for security professionals, as they may have to unravel the communication protocol in use to figure out what actions can be carried out on the victim’s machine. The possibility to recur to dynamic analysis hinges on the availability of an active remote counterpart, a requirement that may be difficult to meet in several scenarios. In this paper we explore how symbolic execution techniques can be used to synthesize a command-and-control server for a remote access trojan, enabling in-vivo analysis by malware analysts. We evaluate our ideas against two real-world malware instances.

Scheda breve

Scheda completa

Scheda completa (DC)

	Anno del convegno
	
			2019
		
	Codice ISBN
	
			978-3-030-20950-6
		
	Parole chiave
	
			Malware analysis, Symbolic execution, Protocol reversing
		
	Appare nelle tipologie:
	
			04.1 - Contributo in Atti di convegno (Paper in Proceedings)

File in questo prodotto:

File	Dimensione	Formato
Borzacchiello_Reconstructing-C2_2019.pdf Solo gestori archivio Tipologia: Versione dell'editore Licenza: Tutti i diritti riservati Dimensione 1.34 MB Formato Adobe PDF Visualizza/Apri	1.34 MB	Adobe PDF	Visualizza/Apri

Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11385/236280

Citazioni

8

5

social impact