Malware Obfuscation, Encoding and Encryption

Introduction

Malware is complex and meant to confuse. Many computer users think malware is just another word for “virus” when a virus is actually a type of malware. And in addition to viruses, malware includes all sorts of malicious and unwanted code, including spyware, adware, Trojans and worms. Malware has been known to shut down power grids, steal identities and hold government secrets for ransom. 

The swift detection and extraction of malware is always called for, but malware isn’t going to make it easy. Malware is mischievous and slippery, using tricks like obfuscation, encoding and encryption to evade detection.

Malware obfuscation

Understanding obfuscation is easier than pronouncing it. Malware obfuscation makes data unreadable. Nearly every piece of malware uses it. 

The incomprehensible data usually contains important words, called “strings.” Some strings hold identifiers like the malware programmer’s name or the URL from which the destructive code is pulled. Most malware has obfuscated strings that hide the instructions that tell the infected machine what to do and when to do it. 

Obfuscation conceals the malware data so well that static code analyzers simply pass by. Only when the malware is executed is the true code revealed.

Simple malware obfuscation techniques 

Simple malware obfuscation techniques like exclusive OR (XOR), Base64, ROT13 and codepacking are commonly used. These techniques are easy to implement and even easier to overlook. Obfuscation can be as simple as interposed text or extra padding within a string. Even trained eyes often miss obfuscated code.

The malware mimics everyday use cases until it is executed. Upon execution, the malicious code is revealed, spreading rapidly through the system. 

Advanced malware obfuscation techniques 

Next-level malware obfuscation is active and evasive. Advanced malware techniques, like environmental awareness, confusing automated tools, timing-based evasion, and obfuscating internal data, allow (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Tiffany Lewis. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/xJrnbq4--QA/