Abstract
The analysis of a malicious piece of software that is instructed by a remote counterpart can be troublesome for security professionals, as they may have to unravel the communication protocol in use to figure out what actions can be carried out on the victim's machine. The possibility of resorting to dynamic analysis hinges on the availability of an active remote counterpart, a requirement that may be difficult to meet in several scenarios. In this paper we explore how symbolic execution techniques can be used to synthesize a command-and-control server for a remote access trojan, enabling in-vivo analysis by malware analysts. We evaluate our ideas against two real-world malware instances.
Notes
1. An analyst may desire to test whether the RAT can execute a speculated sequence of APIs that they build by combining insights from previous observations.
2. Addresses of taken branches seem of little interest and are thus omitted.
Acknowledgments
This work is supported in part by a grant of the Italian Presidency of the Council of Ministers.
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Borzacchiello, L., Coppa, E., D’Elia, D.C., Demetrescu, C. (2019). Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution. In: Dolev, S., Hendler, D., Lodha, S., Yung, M. (eds) Cyber Security Cryptography and Machine Learning. CSCML 2019. Lecture Notes in Computer Science(), vol 11527. Springer, Cham. https://doi.org/10.1007/978-3-030-20951-3_12
DOI: https://doi.org/10.1007/978-3-030-20951-3_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-20950-6
Online ISBN: 978-3-030-20951-3
eBook Packages: Computer Science (R0)