
Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution

  • Conference paper
  • Cyber Security Cryptography and Machine Learning (CSCML 2019)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11527)

Abstract

Analysing a malicious program that takes its instructions from a remote counterpart can be troublesome for security professionals, as they may have to unravel the communication protocol in use to figure out what actions can be carried out on the victim's machine. The possibility of resorting to dynamic analysis hinges on the availability of an active remote counterpart, a requirement that may be difficult to meet in several scenarios. In this paper we explore how symbolic execution techniques can be used to synthesize a command-and-control server for a remote access trojan, enabling in vivo analysis by malware analysts. We evaluate our ideas against two real-world malware instances.
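The idea the abstract states, driving the trojan's own message handler with symbolic input and solving each path constraint into a concrete server message, as an added example that is not the paper's code. Everything here is constructed for illustration: the toy protocol and `toy_rat_handler` are not any real RAT's format, and `SymBuf`, `explore` and `synthesize_c2` form a miniature path explorer that models only single-byte equality branches and solves them by hand. A real analysis would use a symbolic executor backed by an SMT solver to handle length fields, arithmetic, checksums and the decryption layer that most RATs put in front of the dispatcher.

```python
# Added example, not the paper's code: a miniature path explorer that synthesizes
# C2 messages for a constructed toy RAT dispatcher. Only byte-equality branches
# are modelled; real RATs need a full symbolic executor plus an SMT solver.
from typing import Dict, List, Tuple


class Infeasible(Exception):
    """A replayed branch outcome contradicts the constraints collected so far."""


class SymBuf:
    """Symbolic inbound message; `prefix` holds branch outcomes to replay."""

    def __init__(self, prefix: List[bool]):
        self.prefix = list(prefix)
        self.trace: List[bool] = []               # outcomes taken on this run
        self.fixed: Dict[int, int] = {}           # idx -> value pinned by an == branch
        self.excluded: Dict[int, set] = {}        # idx -> values ruled out by != branches
        self.alternatives: List[List[bool]] = []  # prefixes of unexplored sibling paths

    def _feasible(self, idx: int, val: int, equal: bool) -> bool:
        if equal:
            return self.fixed.get(idx, val) == val and val not in self.excluded.get(idx, set())
        return self.fixed.get(idx) != val

    def eq(self, idx: int, val: int) -> bool:
        """Branch on msg[idx] == val: decide the outcome, record the constraint."""
        n = len(self.trace)
        if n < len(self.prefix):                  # replaying a queued prefix
            outcome = self.prefix[n]
            if not self._feasible(idx, val, outcome):
                raise Infeasible
        else:                                     # fresh fork: prefer ==, queue the != side
            outcome = self._feasible(idx, val, True)
            if outcome and self._feasible(idx, val, False):
                self.alternatives.append(self.trace + [False])
        self.trace.append(outcome)
        if outcome:
            self.fixed[idx] = val
        else:
            self.excluded.setdefault(idx, set()).add(val)
        return outcome

    def solve(self, length: int) -> bytes:
        """One concrete message satisfying the path constraint (lowest free byte wins)."""
        out = bytearray(length)
        for i in range(length):
            v = self.fixed.get(i, 0)
            while i not in self.fixed and v in self.excluded.get(i, set()):
                v += 1
            out[i] = v
        return bytes(out)


class ConcreteBuf:
    """Replay helper with SymBuf's interface over real bytes."""

    def __init__(self, data: bytes):
        self.data = data

    def eq(self, idx: int, val: int) -> bool:
        return self.data[idx] == val


def explore(parser, length: int) -> List[Tuple[str, bytes]]:
    """Depth-first enumeration of every feasible path through `parser`."""
    worklist: List[List[bool]] = [[]]
    paths = []
    while worklist:
        buf = SymBuf(worklist.pop())
        try:
            label = parser(buf)
        except Infeasible:
            continue
        worklist.extend(buf.alternatives)
        paths.append((label, buf.solve(length)))
    return paths


def synthesize_c2(parser, length: int) -> Dict[str, bytes]:
    """Handler name -> one server message that drives the RAT into that handler."""
    table: Dict[str, bytes] = {}
    for label, msg in explore(parser, length):
        table.setdefault(label, msg)
    return table


MAGIC = (0x4E, 0x57)  # constructed header for the toy protocol, not a real RAT's


def toy_rat_handler(msg) -> str:
    """Constructed stand-in for a RAT's dispatcher: returns the handler reached."""
    if not msg.eq(0, MAGIC[0]) or not msg.eq(1, MAGIC[1]):
        return "drop_bad_magic"
    if msg.eq(2, 0x01):
        return "ping"
    if msg.eq(2, 0x02):
        return "remote_shell"
    if msg.eq(2, 0x03):
        return "upload_no_path" if msg.eq(3, 0x00) else "upload_file"
    return "unknown_command"


if __name__ == "__main__":
    for name, wire in synthesize_c2(toy_rat_handler, 6).items():
        assert toy_rat_handler(ConcreteBuf(wire)) == name  # concrete replay check
        print(f"{name:16s} {wire.hex()}")
```

The table returned by `synthesize_c2` is the skeleton of a fake server: one wire message per handler, each checked by replaying it concretely through the same dispatcher. The explorer prefers the equality side of every fork and queues the other side, so the first witness for a handler is the one with the fewest bytes pinned, which is also the one least likely to trip an unmodelled check elsewhere in the sample.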


Notes

  1. An analyst may desire to test whether the RAT can execute a speculated sequence of APIs that they build by combining insights from previous observations.

  2. Addresses of taken branches seem of little interest and are thus omitted.


Acknowledgments

This work is supported in part by a grant of the Italian Presidency of the Council of Ministers.

Author information

Corresponding author: Emilio Coppa.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Borzacchiello, L., Coppa, E., D’Elia, D.C., Demetrescu, C. (2019). Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution. In: Dolev, S., Hendler, D., Lodha, S., Yung, M. (eds) Cyber Security Cryptography and Machine Learning. CSCML 2019. Lecture Notes in Computer Science, vol 11527. Springer, Cham. https://doi.org/10.1007/978-3-030-20951-3_12


  • DOI: https://doi.org/10.1007/978-3-030-20951-3_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-20950-6

  • Online ISBN: 978-3-030-20951-3

