Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution

  • Luca Borzacchiello
  • Emilio Coppa (email author)
  • Daniele Cono D’Elia
  • Camil Demetrescu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11527)


The analysis of a malicious piece of software that is instructed by a remote counterpart can be troublesome for security professionals, as they may have to unravel the communication protocol in use to figure out what actions can be carried out on the victim’s machine. The possibility of resorting to dynamic analysis hinges on the availability of an active remote counterpart, a requirement that may be difficult to meet in several scenarios. In this paper we explore how symbolic execution techniques can be used to synthesize a command-and-control server for a remote access trojan, enabling in-vivo analysis by malware analysts. We evaluate our ideas against two real-world malware instances.


Keywords: Malware analysis, Symbolic execution, Protocol reversing



This work is supported in part by a grant of the Italian Presidency of the Council of Ministers.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Luca Borzacchiello, Sapienza University of Rome, Rome, Italy
  • Emilio Coppa (email author), Sapienza University of Rome, Rome, Italy
  • Daniele Cono D’Elia, Sapienza University of Rome, Rome, Italy
  • Camil Demetrescu, Sapienza University of Rome, Rome, Italy
