Obfuscation: The Art of Creating Undetectable Malware

01-05-2009

Registered User

26,240, 27

Join Date: Sep 2000

Last Activity: 1 August 2008, 3:09 PM EDT

Posts: 26,240

Thanks Given: 0

Thanked 27 Times in 26 Posts

Obfuscation: The Art of Creating Undetectable Malware

Do not expect that your system would start misbehaving once it is infected by a malware. Malwares can perform their functions without showing any symptoms for days, months or years. New malwares are capable of hiding themselves even from powerful Antivirus scan engines. They can also perform their jobs without affecting the normal functionalities of the system.

Obfuscation helps malware writers to hide the malicious code on their programs. There are different types of obfuscation techniques like polymorphism, runtime packing, junk code injection etc. Obfuscation can also be as simple as code transposition or renaming the variable.

Obfuscation makes it time-consuming for an Antivirus program to analyze a malware program and when obfuscation is combined with encryption, it makes the malware more resistant to analysis. And it would be difficult for an Antivirus program to detect malicious code in an obfuscated program.

When we analyze the latest malware threats, what we can see is most of the recent malwares are variants of old malware programs. When you insert junk code into a malware program, the pattern and execution methods might change but the functionality would be the same. And an Antivirus scan engine would find it difficult to detect any matching patterns in the signature database.

A malware writer can create a malware program and then by inserting junk code into it he can create 100 unique malwares with the same functionality. And when you use encryption and runtime packaging, it makes more difficult for an anti virus scan engine to detect matching patterns in the malware code. Some Antivirus software use sandboxing technique to detect malicious functions in a obfuscated programs. But we should also understand that new malwares are intelligent enough to detect a sandbox environment and they can change the behavior during runtime.

Application Authentication: First line of defense against Obfuscation

Instead of analyzing the code patterns, Antivirus software should be using application fingerprinting and authentication methods to identify genuine applications.

The simple rule of security should always be - Deny every thing and only allow authenticated/authorized applications to execute and access the data. Application authentication should be the first line of defense against malwares and Anti-Malware softwares should be able to provide this functionality.