Network traffic analysis for IR: Content deobfuscation

Introduction to obfuscation

Encoding and encryption techniques are used for a variety of purposes. Some of these are legitimate, like the use of encoding to enable passing of raw data in an ASCII-only protocol, while others are malicious.

Malware authors commonly make use of obfuscation techniques in their command-and-control traffic. In most cases, these authors don’t have a choice about whether or not to communicate over the network; however, they’re also aware that network analysts and incident responders routinely collect and monitor network traffic for indicators of compromise. By making the valuable data as difficult as possible to identify, they raise the cost of extracting it from captured traffic.

Common types of obfuscation

Obfuscation refers to the practice of making data difficult to read. In practice, there are two main types of obfuscation used by hackers and malware authors: encoding and encryption.

Encoding techniques were initially designed for legitimate purposes: making non-printable characters fit into ASCII-only protocols. However, they’ve also been adopted by malware authors to slightly raise the bar for those trying to identify and read command-and-control traffic. Because encoding uses no secret, an encoding algorithm can be reversed by anyone who can identify it.

Encryption algorithms, on the other hand, require knowledge of a secret key for deobfuscation. If done properly, this means that the obfuscated data is completely protected from eavesdroppers. However, some commonly used encryption algorithms are extremely weak, making it possible for a network traffic analyst to extract the protected data.

There are a variety of different encoding and encryption algorithms in use for command-and-control traffic. However, there are only a few that are both commonly used and easily breakable.

Base64 encoding

Base64 encoding is an algorithm designed to make non-printable data printable. This is accomplished by mapping a set of three bytes to a set (Read more...)
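As an added example (not part of the original post), the following Python script reverses the three-bytes-to-four-characters mapping by hand and then scans a proxy-log excerpt for base64 tokens, decoding those that pass alphabet and length checks and flagging decoded output that is not printable text. The log lines, the query parameters and the encoded payloads are constructed for illustration.

```python
import base64
import binascii
import re
import string

# Base64 alphabet: 64 printable characters, each standing for 6 bits of data.
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Candidate tokens: base64 characters plus optional '=' padding; the minimum
# length of 12 keeps short words and path fragments out of the results.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")

# Constructed proxy-log excerpt (not real traffic): two requests carry base64
# payloads in query parameters, one session id merely looks like base64.
SAMPLE_LOG = """\
GET /index.html HTTP/1.1
GET /api/check?id=aG9zdG5hbWU6IHZpY3RpbS0wMQ== HTTP/1.1
GET /static/jquery.min.js?v=3.6.0 HTTP/1.1
GET /login?sessionid=abcdefghijklmnop HTTP/1.1
GET /beacon?d=Y21kOiB3aG9hbWk= HTTP/1.1
"""

def b64_decode_manual(token: str) -> bytes:
    """Reverse the 3-bytes-to-4-characters mapping by hand: each character gives
    6 bits, every 24 bits become 3 bytes, and '=' padding marks absent bytes."""
    bits = "".join(format(B64_ALPHABET.index(c), "06b") for c in token.rstrip("="))
    usable = len(bits) - len(bits) % 8  # drop the zero bits that filled the last group
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def is_printable_text(data: bytes) -> bool:
    """Decoded C2 strings are usually printable; random-looking bytes suggest a
    false positive or a further obfuscation layer (such as encryption)."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)

def find_base64(text: str) -> list[tuple[str, bytes, bool]]:
    """Return (token, decoded, looks_textual) for every candidate that decodes
    cleanly. Valid base64 always has a length that is a multiple of 4."""
    hits = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        if len(token) % 4:
            continue
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        hits.append((token, decoded, is_printable_text(decoded)))
    return hits

if __name__ == "__main__":
    for token, decoded, textual in find_base64(SAMPLE_LOG):
        print(f"{token:30} -> {decoded!r} ({'text' if textual else 'binary?'})")
```

Note that `/static/jquery` is made entirely of base64 alphabet characters and is only rejected by the length check, which is why both the alphabet and the multiple-of-four rule are needed before attempting a decode.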

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/__aERAAYvuw/