SysTaint: Assisting Reversing of Malicious Network Communications

Gabriele Viglianisi, Michele Carminati, Mario Polino, Andrea Continella, Stefano Zanero

Research output: Contribution to conference › Paper › Academic › peer-review

Abstract

The ever-increasing number of malware samples demands automated tools that aid analysts in the reverse engineering of complex malicious binaries. Frequently, malware communicates over an encrypted channel with external network resources under the control of malicious actors, such as Command and Control servers that control the botnet of infected machines. Hence, a key aspect of malware analysis is uncovering and understanding the semantics of network communications.

In this paper, we present SysTaint, a semi-automated tool that runs malware samples in a controlled environment and analyzes their execution to support the analyst in identifying the functions involved in the communication and the data exchanged.

Our evaluation on four banking Trojan samples from different families shows that SysTaint is able to handle and inspect encrypted network communications, obtaining useful information on the data being sent and received, on how each sample processes this data, and on the inner portions of code that deal with the data processing.
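The abstract names the idea without spelling it out: bytes that arrive from the network are tainted, the taint follows them through every function that touches them, and whatever reaches a send call is reported along with the functions that processed it on the way. The following is an added illustration of that idea, not SysTaint's code and not the paper's method; the execution trace, the function-level propagation rule (anything written by a function that read tainted bytes is treated as tainted) and the single-byte XOR standing in for the sample's cipher are all assumptions made for the example.

```python
"""Toy syscall-level taint tracking over a constructed execution trace.

Added example, not SysTaint's code. Bytes written by a network receive call
are tainted, the taint follows them through every function that reads them,
and whatever reaches a send call is reported together with the functions
that processed it along the way.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    """One observed call. reads: [(addr, length)]; writes: [(addr, bytes)]."""
    name: str
    reads: list = field(default_factory=list)
    writes: list = field(default_factory=list)
    source: bool = False   # network receive: introduces taint
    sink: bool = False     # network send: where tainted data leaves


class TaintTracker:
    def __init__(self):
        self.mem = {}        # addr -> byte value last written
        self.taint = {}      # addr -> set of taint labels
        self.functions = {}  # name -> {"labels", "input"} for functions that read tainted bytes
        self.sinks = []      # (name, data, labels) for sends that carry tainted data

    def _labels(self, addr, length):
        labels = set()
        for a in range(addr, addr + length):
            labels |= self.taint.get(a, set())
        return labels

    def _bytes(self, addr, length):
        return bytes(self.mem.get(a, 0) for a in range(addr, addr + length))

    def _write(self, addr, data, labels):
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            if labels:
                self.taint[addr + i] = set(labels)
            else:
                self.taint.pop(addr + i, None)

    def process(self, idx, ev):
        if ev.source:
            # One fresh label per receive so the analyst can tell messages apart.
            label = f"net:{ev.name}#{idx}"
            for addr, data in ev.writes:
                self._write(addr, data, {label})
            return
        in_labels = set()
        for addr, length in ev.reads:
            in_labels |= self._labels(addr, length)
        if ev.sink:
            if in_labels:
                data = b"".join(self._bytes(a, n) for a, n in ev.reads)
                self.sinks.append((ev.name, data, frozenset(in_labels)))
            return
        if in_labels:
            # Record the tainted bytes this function consumed: at the decrypt/parse
            # boundary this is the cleartext the analyst wants to see.
            tainted_in = b"".join(self._bytes(a, n) for a, n in ev.reads if self._labels(a, n))
            self.functions[ev.name] = {"labels": frozenset(in_labels), "input": tainted_in}
        # Assumed, conservative function-level propagation: if a function read any
        # tainted byte, everything it wrote is treated as derived from network data.
        for addr, data in ev.writes:
            self._write(addr, data, in_labels)


def analyze(trace):
    tracker = TaintTracker()
    for idx, ev in enumerate(trace):
        tracker.process(idx, ev)
    return tracker


def xor42(data):
    """Constructed stand-in for the sample's cipher; only keeps the bytes consistent."""
    return bytes(b ^ 0x42 for b in data)


# Constructed trace standing in for what an instrumented VM would record.
PLAIN_CMD = b"CMD:PING"
PLAIN_RESP = b"PONG"
SAMPLE_TRACE = [
    Event("recv", writes=[(0x1000, xor42(PLAIN_CMD))], source=True),
    Event("decrypt_payload", reads=[(0x1000, 8)], writes=[(0x2000, PLAIN_CMD)]),
    Event("parse_command", reads=[(0x2000, 8)], writes=[(0x3000, PLAIN_RESP)]),
    Event("log_event", reads=[(0x5000, 8)], writes=[(0x6000, b"logline")]),  # unrelated
    Event("encrypt_payload", reads=[(0x3000, 4)], writes=[(0x4000, xor42(PLAIN_RESP))]),
    Event("send", reads=[(0x4000, 4)], sink=True),
]

if __name__ == "__main__":
    t = analyze(SAMPLE_TRACE)
    for name, info in t.functions.items():
        print(f"{name:16s} consumed {info['input']!r} tainted by {sorted(info['labels'])}")
    for name, data, labels in t.sinks:
        print(f"{name:16s} sent     {data!r} tainted by {sorted(labels)}")
```

Run on the constructed trace, the tracker flags decrypt_payload, parse_command and encrypt_payload as the functions that handle network data, shows the cleartext `CMD:PING` at the point where parse_command reads it, and reports the send call as the sink of data derived from the first receive; log_event, which never reads tainted bytes, is left out. The function-level propagation is deliberately coarse and over-approximates: a real tracker would propagate at instruction level and distinguish which output bytes depend on which inputs.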
Original language: English
Number of pages: 12
Publication status: Published - 2018
Externally published: Yes
Event: 8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2018 - Condado Plaza Hilton, San Juan, Puerto Rico
Duration: 3 Dec 2018 to 4 Dec 2018
Conference number: 8
http://www.pprew.org/2018-8/default.htm

Conference

Conference: 8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2018
Abbreviated title: SSPREW 2018
Country: Puerto Rico
City: San Juan
Period: 3/12/18 to 4/12/18
Internet address: http://www.pprew.org/2018-8/default.htm

Keywords

  • Malware analysis
  • software reverse engineering
  • virtualization
  • communication protocol
  • botnet
