What is Malware Obfuscation?

Introduction

Malware has been a threat to companies and individuals since the early 1970s, when the Creeper virus was first discovered. Since then, the world has faced hundreds of thousands of malware variants, all designed to stay under the radar for as long as possible while causing as much damage as they can.

How does malware conceal itself from modern threat-detection solutions? Threat actors use a variety of methods to hide malicious code and to transform the malicious program's own code and data so that detection and analysis become harder.

One of the most commonly used methods is obfuscation.

Malware obfuscation is any transformation that makes a program's text and binary data harder to read and analyze. It lets adversaries hide the strings a program uses, because strings give away its behavior: the registry keys it sets, the file paths it touches and the URLs or IP addresses it contacts.

Adversaries commonly use encryption or encoding to conceal this data from security products. Sometimes they go a step further and use tools called "packers" to obfuscate the entire program: the original executable is compressed or encrypted and wrapped in a small stub that unpacks it only at runtime, which makes static reverse engineering and analysis much more difficult.

What are some popular malware obfuscation techniques? 

Malware creators routinely use obfuscation to complicate detection of their code. Below is a breakdown of the techniques they commonly use to evade security defenses.

XOR

XOR is the most common obfuscation primitive. Malware XORs its strings or an embedded payload byte by byte with a key and stores only the result; because XOR is its own inverse, applying the same key again at runtime recovers the original, so the plaintext never appears in the file on disk. The XOR instruction is also used at the code level to confuse analysis, for example the three-instruction XOR swap, which exchanges the contents of two registers without a temporary:

  • XOR EBX, EAX
  • XOR EAX, EBX
  • XOR EBX, EAX
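The following Python script is an added example, not code from the original article, showing both sides of single-byte XOR string obfuscation: a builder that hides a constructed registry Run key and download URL the way a malware stub stores them, and the analyst's brute force that tries all 256 keys, scores each candidate for path- and URL-like text, and extracts the readable strings. The sample strings, the key 0x5A and the scoring heuristic are assumptions chosen for illustration; 198.51.100.23 is a documentation (TEST-NET-2) address, not a real host.

```python
import re
import string

# Constructed sample data (assumption for this example, not taken from any real
# sample): a registry Run key and a download URL, the kind of strings the
# article says malware hides. 198.51.100.23 is a documentation address.
SAMPLE_STRINGS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "http://198.51.100.23:8080/payload.bin",
]
SAMPLE_KEY = 0x5A  # arbitrary single-byte key chosen for the example


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    function both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_blob(strings, key: int) -> bytes:
    """Malware-author side: pack NUL-terminated strings and XOR them so that
    none of them appear in the binary as plain text."""
    plain = b"".join(s.encode() + b"\x00" for s in strings)
    return xor_bytes(plain, bytes([key]))


# Bytes that dominate registry keys, paths and URLs (heuristic, an assumption).
_ALLOWED = set((string.ascii_letters + string.digits + r" \/:.-_").encode())


def score_plaintext(candidate: bytes) -> int:
    """Analyst heuristic: +1 for bytes common in keys/paths/URLs, -1 for
    control or non-ASCII bytes, 0 for anything else (NUL separators included).
    A wrong key turns letters into punctuation and digits into control codes,
    so the correct key scores clearly highest on text like this."""
    total = 0
    for b in candidate:
        if b in _ALLOWED:
            total += 1
        elif b >= 0x80 or (b < 0x20 and b != 0):
            total -= 1
    return total


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Like the Unix `strings` tool: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, data)]


def brute_force_single_byte_xor(blob: bytes, min_len: int = 6):
    """Analyst side: decode with every single-byte key, rank candidates by
    score, and return the best key plus the strings it reveals."""
    ranked = sorted(
        range(256),
        key=lambda k: score_plaintext(xor_bytes(blob, bytes([k]))),
        reverse=True,
    )
    best = ranked[0]
    return best, extract_strings(xor_bytes(blob, bytes([best])), min_len)


if __name__ == "__main__":
    blob = build_blob(SAMPLE_STRINGS, SAMPLE_KEY)
    # The obfuscated blob no longer contains the plaintext strings...
    assert all(s.encode() not in blob for s in SAMPLE_STRINGS)
    # ...but 256 trial decodes recover both the key and the strings.
    key, recovered = brute_force_single_byte_xor(blob)
    print(f"recovered key 0x{key:02x}: {recovered}")
```

The point a practitioner should take from this: a single-byte XOR key hides strings from a naive `strings` run but offers no real resistance, since 256 trial decodes are free and tools such as FLOSS or CyberChef do exactly this. Multi-byte keys raise the cost of brute force, but the decode routine and its key are still present in the binary for the stub to use, so dynamic analysis or emulating the decode loop recovers them.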

Another method is junk code insertion: instructions that produce values which are never used because they are overwritten later on. For example, INC EBX followed by MOV EBX, 59F67CD5h leaves the increment as dead code, since the MOV overwrites EBX before the incremented value is ever read; the junk changes the byte pattern a signature would match and pads the disassembly without altering the program's behavior.

Adversaries can also run comparisons, then ignore the flags that are set. For example, they can compare EAX with ESP, run a number (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Dan Virgillito. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/BZfeK6G6vHY/