CR · Sep 13, 2021

Malware MultiVerse: From Automatic Logic Bomb Identification to Automatic Patching and Tracing

arXiv:2109.06127v1 · 3 citations
Originality: Incremental advance
AI Analysis

This paper addresses the challenge of automated malware analysis for security professionals; it is an incremental advance, since it builds on existing symbolic execution tools.

The paper tackles the problem of automatically detecting and patching logic bombs in malware. It proposes MalVerse, which uses symbolic execution to identify context-sensitive functions and patch them with the discovered trigger values, so that the sample can then be run in a traditional sandbox. The authors report that MalVerse successfully patches common evasion techniques such as ptrace checks.

Malware and other suspicious software often hide behaviors and components behind logic bombs and context-sensitive execution paths. Uncovering these is essential to react against modern threats, but current solutions are not ready to detect these paths in a completely automated manner. To bridge this gap, we propose the Malware Multiverse (MalVerse), a solution that inspects multiple execution paths via symbolic execution, aiming to discover the function inputs and return values that trigger malicious behaviors. MalVerse automatically patches the context-sensitive functions with the identified symbolic values to allow the software to execute in a traditional sandbox. We implemented MalVerse on top of angr and evaluated it with a set of Linux and Windows evasive samples. We found that MalVerse was able to generate automatic patches for the most common evasion techniques (e.g., ptrace checks).

Code Implementations: 1 repo