Malware and other suspicious software often hide behaviors and components behind logic bombs and context-sensitive execution paths. Uncovering these paths is essential for responding to modern threats, but current solutions cannot yet detect them in a fully automated manner. To bridge this gap, we propose the Malware Multiverse (MalVerse), a solution that inspects multiple execution paths via symbolic execution with the goal of discovering the function inputs and return values that trigger malicious behaviors. MalVerse automatically patches the context-sensitive functions with the identified symbolic values so that the software can be executed in a traditional sandbox. We implemented MalVerse on top of angr and evaluated it with a set of Linux and Windows evasive samples. We found that MalVerse was able to generate automatic patches for the most common evasion techniques (e.g., ptrace checks).
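As an added example (not the paper's or angr's code), here is a toy version of the MalVerse workflow in plain Python: a tiny symbolic explorer forks at every branch that depends on the return value of a context-sensitive call, a small candidate search stands in for a real SMT solver, and the result is the table of forced return values that a sandbox run would patch in before executing the sample. The program, its `ptrace` and `uptime` checks and the 600-second threshold are constructed for illustration.

```python
from itertools import product
OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
       "lt": lambda a, b: a < b, "ge": lambda a, b: a >= b}
NEGATE = {"eq": "ne", "ne": "eq", "lt": "ge", "ge": "lt"}

# Constructed toy program (not a real sample): registers hold the return
# values of context-sensitive calls; the payload sits behind two checks.
PROGRAM = [
    ("call", "ptrace", "r0"),         # r0 = ptrace(PTRACE_TRACEME, ...)
    ("br", "ne", "r0", 0, "bail"),    # traced (debugger/sandbox) -> bail
    ("call", "uptime", "r1"),         # r1 = seconds since boot
    ("br", "lt", "r1", 600, "bail"),  # freshly booted VM -> bail
    ("payload",),
    ("label", "bail"),
    ("exit",),
]

def explore(program):
    """DFS over all paths, forking at each branch; returns the path
    constraints [(symbol, op, const)] of every path reaching 'payload'."""
    labels = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "label"}
    found, stack = [], [(0, [], {})]
    while stack:
        pc, cons, syms = stack.pop()
        ins = program[pc]
        if ins[0] == "call":            # return value becomes a symbol
            stack.append((pc + 1, cons, {**syms, ins[2]: ins[1]}))
        elif ins[0] == "br":            # fork into taken and fall-through
            _, op, reg, k, target = ins
            stack.append((labels[target], cons + [(syms[reg], op, k)], syms))
            stack.append((pc + 1, cons + [(syms[reg], NEGATE[op], k)], syms))
        elif ins[0] == "label":
            stack.append((pc + 1, cons, syms))
        elif ins[0] == "payload":
            found.append(cons)          # "exit" simply ends the path
    return found

def solve(cons):
    """Stand-in for an SMT solver: try candidates around each constraint
    constant until every constraint on the path holds (None if infeasible)."""
    names = sorted({c[0] for c in cons})
    domains = [sorted({0} | {c[2] + d for c in cons if c[0] == n for d in (-1, 0, 1)})
               for n in names]
    for vals in product(*domains):
        env = dict(zip(names, vals))
        if all(OPS[op](env[n], k) for n, op, k in cons):
            return env
    return None

def make_patches(program):
    """Patch table {function: forced return} for the first feasible payload path."""
    return next((env for env in map(solve, explore(program)) if env is not None), {})
```

Running `make_patches(PROGRAM)` yields `{'ptrace': 0, 'uptime': 600}`, i.e. the values a sandbox would force those two functions to return so the sample proceeds past its checks.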