NDSS 2025 – Hitchhiking Vaccine: Enhancing Botnet Remediation With Remote Code Deployment Reuse
<p>SESSION<br> Session 3C: Mobile Security</p>
<center data-preserve-html-node="true">———–</center>
<center data-preserve-html-node="true"><iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen="" src="https://www.youtube-nocookie.com/embed/G86w5GFo9X8?si=E1R74BDZnWeZ8ZpO" width="560" frameborder="0" data-preserve-html-node="true" title="YouTube video player" height="315"></iframe></center>
<center data-preserve-html-node="true">———–</center>
<center data-preserve-html-node="true">Authors, Creators & Presenters: Runze Zhang (Georgia Institute of Technology), Mingxuan Yao (Georgia Institute of Technology), Haichuan Xu (Georgia Institute of Technology), Omar Alrawi (Georgia Institute of Technology), Jeman Park (Kyung Hee University), Brendan Saltaformaggio (Georgia Institute of Technology)</center>
<center data-preserve-html-node="true">———–</center>
<p>PAPER<br> Hitchhiking Vaccine: Enhancing Botnet Remediation With Remote Code Deployment Reuse<br> For decades, law enforcement and commercial entities have attempted botnet takedowns with mixed success. These efforts, relying on DNS sink-holing or seizing C&C infrastructure, require months of preparation and often omit the cleanup of left-over infected machines. This allows botnet operators to push updates to the bots and re-establish their control. In this paper, we expand the goal of malware takedowns to include the covert and timely removal of frontend bots from infected devices. Specifically, this work proposes seizing the malware’s built-in update mechanism to distribute crafted remediation payloads. Our research aims to enable this necessary but challenging remediation step after obtaining legal permission. We developed ECHO, an automated malware forensics pipeline that extracts payload deployment routines and generates remediation payloads to disable or remove the frontend bots on infected devices. Our study of 702 Android malware shows that 523 malware can be remediated via ECHO’s takedown approach, ranging from covertly warning users about malware infection to uninstalling the malware.</p>
<center data-preserve-html-node="true">———–</center>
<center data-preserve-html-node="true">ABOUT NDSS<br> The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.</center>
<center data-preserve-html-node="true">———–</center>
<center data-preserve-html-node="true">Our thanks to the <strong>Network and Distributed System Security (NDSS) Symposium</strong> for publishing their Creators, Authors and Presenter’s superb <strong>NDSS Symposium 2025 Conference</strong> content on the <strong>organization’s</strong> <strong>YouTube</strong> channel.</center>
<p><a href="https://www.infosecurity.us/blog/2025/11/20/ndss-2025-hitchhiking-vaccine-enhancing-botnet-remediation-with-remote-code-deployment-reuse">Permalink</a></p>
<p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.infosecurity.us/">Infosecurity.US</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Marc Handelman">Marc Handelman</a>. Read the original post at: <a href="https://www.youtube-nocookie.com/embed/G86w5GFo9X8?si=E1R74BDZnWeZ8ZpO">https://www.youtube-nocookie.com/embed/G86w5GFo9X8?si=E1R74BDZnWeZ8ZpO</a> </p>