The analysis of a malicious piece of software that involves a remote counterpart that instructs it can be troublesome for security professionals, as they may have to unravel the communication protocol in use to figure out what actions can be carried out on the victim’s machine. The possibility to recur to dynamic analysis hinges on the availability of an active remote counterpart, a requirement that may be difficult to meet in several scenarios. In this paper we explore how symbolic execution techniques can be used to synthesize a command-and-control server for a remote access trojan, enabling in-vivo analysis by malware analysts. We evaluate our ideas against two real-world malware instances.
2019, Cyber Security Cryptography and Machine Learning, Pages 121-140 (volume: 11527)
Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution (04b Atto di convegno in volume)
Borzacchiello Luca, Coppa Emilio, D'Elia Daniele Cono, Demetrescu Camil
ISBN: 978-3-030-20950-6; 978-3-030-20951-3
Gruppo di ricerca: Cybersecurity