Malware MultiVerse: From Automatic Logic Bomb Identification to Automatic Patching and Tracing
Marcus Botacin, André Grégio

TL;DR
MalVerse is an automated framework that uses symbolic execution to detect, patch, and trace logic bombs in malware, improving the ability to analyze evasive malicious software in sandbox environments.
Contribution
Introduces MalVerse, a novel automated system combining symbolic execution and patching to uncover and neutralize logic bombs in malware.
Findings
Successfully patches common evasion techniques like ptrace checks
Automates detection of context-sensitive malicious behaviors
Effective on Linux and Windows evasive samples
Abstract
Malware and other suspicious software often hide behaviors and components behind logic bombs and context-sensitive execution paths. Uncovering these is essential to react against modern threats, but current solutions are not ready to detect these paths in a completely automated manner. To bridge this gap, we propose the Malware Multiverse (MalVerse), a solution able to inspect multiple execution paths via symbolic execution aiming to discover function inputs and returns that trigger malicious behaviors. MalVerse automatically patches the context-sensitive functions with the identified symbolic values to allow the software execution in a traditional sandbox. We implemented MalVerse on top of angr and evaluated it with a set of Linux and Windows evasive samples. We found that MalVerse was able to generate automatic patches for the most common evasion techniques (e.g., ptrace checks).
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · Software Engineering Research
