On Exploiting Symbolic Execution to Improve the Analysis of RAT Samples with angr

  • Conference paper
Foundations and Practice of Security (FPS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14551)

Abstract

This article presents new contributions for Remote Access Trojan (RAT) analysis using symbolic execution techniques. The first part of the article identifies the challenges in the application of such an analysis, as well as the procedures put in place to address these challenges. The second part of the article presents a practical analysis of samples from known RAT families with the help of the SEMA toolchain.

Acknowledgments

This research is supported by the Walloon region’s CyberExcellence program (Grant #2110186).

Author information

Corresponding author

Correspondence to Serena Lucca.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Lucca, S., Crochet, C., Bertrand Van Ouytsel, CH., Legay, A. (2024). On Exploiting Symbolic Execution to Improve the Analysis of RAT Samples with angr. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_21

  • DOI: https://doi.org/10.1007/978-3-031-57537-2_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-57536-5

  • Online ISBN: 978-3-031-57537-2

  • eBook Packages: Computer Science (R0)