English

Malware MultiVerse: From Automatic Logic Bomb Identification to Automatic Patching and Tracing

Cryptography and Security 2021-09-14 v1

Abstract

Malware and other suspicious software often hide behaviors and components behind logic bombs and context-sensitive execution paths. Uncovering these is essential to react against modern threats, but current solutions are not ready to detect these paths in a completely automated manner. To bridge this gap, we propose the Malware Multiverse (MalVerse), a solution able to inspect multiple execution paths via symbolic execution aiming to discover function inputs and returns that trigger malicious behaviors. MalVerse automatically patches the context-sensitive functions with the identified symbolic values to allow the software execution in a traditional sandbox. We implemented MalVerse on top of angr and evaluated it with a set of Linux and Windows evasive samples. We found that MalVerse was able to generate automatic patches for the most common evasion techniques (e.g., ptrace checks).

Keywords

Cite

@article{arxiv.2109.06127,
  title  = {Malware MultiVerse: From Automatic Logic Bomb Identification to Automatic Patching and Tracing},
  author = {Marcus Botacin and André Grégio},
  journal= {arXiv preprint arXiv:2109.06127},
  year   = {2021}
}
R2 v1 2026-06-24T05:55:35.171Z