Security analysts spend days or even weeks in trying to understand the inner workings of malicious software, using a plethora of manually orchestrated tools. Devising automated tools and techniques to assist and speed up the analysis process remains a major endeavor in computer security. While manual intervention will likely remain a key ingredient in the short and mid term, the recent advances in static and dynamic analysis techniques have the potential to significantly impact the malware analysis practice. In this paper we show how an analyst cause symbolic execution techniques to unveil critical behavior of a remote access trojan (RAT). Using a tool we implemented in the Angr framework, we analyze a sample drawn from a well-known RAT family that leverages thread injection vulnerabilities in the Microsoft Win32 API. Our case study shows how to automatically derive the list of commands supported by the RAT and the sequence of system calls that are activated for each of them, systematically exploring the stealthy communication protocol with the server and yielding clues to potential threats that may pass unnoticed by a manual inspection.
Assisting Malware Analysis with Symbolic Execution: a Case Study / Baldoni, R; Coppa, Emilio; D’Elia, D; Demetrescu, C. - Cyber Security Cryptography and Machine Learning: First International Conference, CSCML 2017, Beer-Sheva, Israel, June 29-30, 2017, Proceedings, (2017), pp. 171-188. (CSCML 2017: Cyber Security Cryptography and Machine Learning, Be'er Sheva, Israel, June 29-30, 2017,). [10.1007/978-3-319-60080-2_12].
Assisting Malware Analysis with Symbolic Execution: a Case Study
Coppa E
;
2017
Abstract
Security analysts spend days or even weeks in trying to understand the inner workings of malicious software, using a plethora of manually orchestrated tools. Devising automated tools and techniques to assist and speed up the analysis process remains a major endeavor in computer security. While manual intervention will likely remain a key ingredient in the short and mid term, the recent advances in static and dynamic analysis techniques have the potential to significantly impact the malware analysis practice. In this paper we show how an analyst cause symbolic execution techniques to unveil critical behavior of a remote access trojan (RAT). Using a tool we implemented in the Angr framework, we analyze a sample drawn from a well-known RAT family that leverages thread injection vulnerabilities in the Microsoft Win32 API. Our case study shows how to automatically derive the list of commands supported by the RAT and the sequence of system calls that are activated for each of them, systematically exploring the stealthy communication protocol with the server and yielding clues to potential threats that may pass unnoticed by a manual inspection.
| File | Dimensione | Formato | |
|---|---|---|---|
|
baldoni2017.pdf
Solo gestori archivio
Tipologia:
Versione dell'editore
Licenza:
Tutti i diritti riservati
Dimensione
827.84 kB
Formato
Adobe PDF
|
827.84 kB | Adobe PDF | Visualizza/Apri |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
