Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution

  • Luca Borzacchiello
  • Emilio Coppa
  • Daniele Cono D’Elia
  • Camil Demetrescu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11527)

Abstract

The analysis of a malicious piece of software that is instructed by a remote counterpart can be troublesome for security professionals, as they may have to unravel the communication protocol in use to figure out what actions can be carried out on the victim’s machine. The possibility of resorting to dynamic analysis hinges on the availability of an active remote counterpart, a requirement that may be difficult to meet in several scenarios. In this paper we explore how symbolic execution techniques can be used to synthesize a command-and-control server for a remote access trojan, enabling in-vivo analysis by malware analysts. We evaluate our ideas against two real-world malware instances.

Keywords

Malware analysis, Symbolic execution, Protocol reversing

Notes

Acknowledgments

This work is supported in part by a grant of the Italian Presidency of the Council of Ministers.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Luca Borzacchiello, Emilio Coppa, Daniele Cono D’Elia, Camil Demetrescu: Sapienza University of Rome, Rome, Italy