The UNIX and Linux Forums  
Posted 01-05-2009 by iBot (Forum Robot Girl)
Obfuscation: The Art of Creating Undetectable Malware
Do not expect that your system will start misbehaving once it is infected by malware. Malware can perform its functions without showing any symptoms for days, months or years. New malware is capable of hiding itself even from powerful antivirus scan engines. It can also perform its job without affecting the normal functionality of the system.

Obfuscation helps malware writers hide the malicious code in their programs. There are different types of obfuscation techniques, like polymorphism, runtime packing, junk code injection, etc. Obfuscation can also be as simple as code transposition or renaming variables.

Obfuscation makes it time-consuming for an antivirus program to analyze a malware program, and when obfuscation is combined with encryption, it makes the malware more resistant to analysis. It would then be difficult for an antivirus program to detect malicious code in an obfuscated program.

When we analyze the latest malware threats, what we can see is that most recent malware samples are variants of old malware programs. When you insert junk code into a malware program, the pattern and execution methods might change but the functionality stays the same, and an antivirus scan engine would find it difficult to find any matching patterns in the signature database.

A malware writer can create a malware program and then, by inserting junk code into it, create 100 unique malware samples with the same functionality. And when encryption and runtime packing are used, it becomes more difficult for an antivirus scan engine to detect matching patterns in the malware code. Some antivirus software uses sandboxing techniques to detect malicious functions in obfuscated programs. But we should also understand that new malware is intelligent enough to detect a sandbox environment and can change its behavior at runtime.

Application Authentication: First line of defense against Obfuscation

Instead of analyzing code patterns, antivirus software should use application fingerprinting and authentication methods to identify genuine applications.

The simple rule of security should always be: deny everything and only allow authenticated/authorized applications to execute and access the data. Application authentication should be the first line of defense against malware, and anti-malware software should be able to provide this functionality.
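The contrast the post draws (a contiguous-pattern signature scan that a junk-code variant slips past, versus a default-deny allowlist keyed on the whole program's fingerprint) as an added example; it is not part of the post or of any product. The "programs" are constructed lists of instruction strings standing in for byte sequences, and the signature database entry is an assumption.

```python
import hashlib

# Constructed toy programs: a "program" is a list of instruction strings.
# Nothing here is real code; the strings only stand in for byte sequences.
GOOD_APP = ["load config", "open report", "print report", "exit"]
BAD_APP = ["load config", "enumerate files", "delete file", "exit"]
# Same functionality with inert filler instructions inserted between the
# steps: the junk-code injection the post describes.
BAD_VARIANT = ["load config", "enumerate files", "nop", "nop", "delete file", "exit"]

# Assumed signature database entry: the ordered instruction run a scanner looks for.
SIGNATURES = [("enumerate files", "delete file")]


def signature_scan(program, signatures=SIGNATURES) -> bool:
    """Return True when any signature occurs as a contiguous run in program."""
    for sig in signatures:
        n = len(sig)
        if any(tuple(program[i:i + n]) == sig for i in range(len(program) - n + 1)):
            return True
    return False


def fingerprint(program) -> str:
    """Content hash of the whole program; this is its identity for authorization."""
    return hashlib.sha256("\n".join(program).encode()).hexdigest()


# Default-deny policy: only fingerprints enrolled here may execute.
ALLOWLIST = {fingerprint(GOOD_APP)}


def allowlist_permits(program, allowlist=ALLOWLIST) -> bool:
    """Any program not enrolled is denied, whatever its byte pattern looks like."""
    return fingerprint(program) in allowlist


def decide(program) -> str:
    """Deny on a signature match, then deny anything not enrolled; allow the rest."""
    if signature_scan(program):
        return "deny: signature match"
    if not allowlist_permits(program):
        return "deny: not on allowlist"
    return "allow"
```

Note that the allowlist also denies a modified copy of the good application, so any enrolled program must be re-fingerprinted after a legitimate update.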