Malware MultiVerse: From Automatic Logic Bomb Identification to Automatic Patching and Tracing
| Field | Value |
|---|---|
| Main Authors | , |
| Format | Journal Article |
| Language | English |
| Published | 13.09.2021 |
Summary: Malware and other suspicious software often hide behaviors and components behind logic bombs and context-sensitive execution paths. Uncovering these is essential to react against modern threats, but current solutions are not ready to detect these paths in a completely automated manner. To bridge this gap, we propose the Malware Multiverse (MalVerse), a solution able to inspect multiple execution paths via symbolic execution, aiming to discover function inputs and returns that trigger malicious behaviors. MalVerse automatically patches the context-sensitive functions with the identified symbolic values to allow the software to execute in a traditional sandbox. We implemented MalVerse on top of angr and evaluated it with a set of Linux and Windows evasive samples. We found that MalVerse was able to generate automatic patches for the most common evasion techniques (e.g., ptrace checks).

DOI: 10.48550/arxiv.2109.06127