Malware analysis

What is Malware Obfuscation?

Dan Virgillito
February 6, 2020 by
Dan Virgillito

Introduction

Malware has been a threat to companies and individuals since the 1970s, when the Creeper virus was first discovered. Since then, the globe has faced threats from hundreds of thousands of malware variants, all with the intent of flying silently under the radar and causing as much damage as possible.

How does malware conceal itself from modern threat-detection solutions? Well, threat actors often use a variety of methods to hide malicious code and to modify the target program’s content to thwart detection and analysis.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

One of the most commonly used methods is obfuscation.

Malware obfuscation is a process that makes textual and binary data difficult to understand. It helps adversaries hide critical words (known as strings) a program uses because they reveal patterns of the malware’s behavior. Examples of these strings would be registry keys and infected URLs.

Adversaries commonly use encryption/encoding techniques to conceal the data from security programs. Sometimes they go a step further and use special tools called “packers” to obfuscate the entire program, which makes reverse engineering and analysis much more difficult.

What are some popular malware obfuscation techniques? 

Malware creators routinely utilize obfuscation to complicate the detection of their code. Below is a breakdown of the techniques they commonly use to steer clear of security defenses.

XOR

This popular method of obfuscation conceals data so it cannot be analyzed. It does this by swapping the contents of two variables inside the code, such as:

  • XOR EBX, EAX
  • XOR EAX, EBX
  • XOR EBX, EAX

Another method is to assign junk values, which will compose values that are simply overwritten later on. For example, INC EBX can be overwritten as MOV EBX, 59F67CD5h.

Adversaries can also run comparisons, then ignore the flags that are set. For example, they can compare EAX ESP, run a number of instructions and then finally test EBX, EAX.

Other techniques include adding a value, then modifying it with XOR. For example, XORing with all 1s is not equal to NOT:

  • XOR EAX, 0FFFFFFFH
  • MOV EBX, 59F67CD5h

Which will be the same as MOV EBX, 0A609832Ah.

Each of these techniques makes the malware difficult to read unless a trained reverse engineer applies 0x55 XOR values to the code.

Code integration

First seen in the Zmist/Win95 malware (known as Zmist), code integration instructs a malicious code to knit itself to the code of the target program. To apply the technique, the malware first decompiles the program into manageable elements, adding itself between them, and then reassembles the injected code into a new variant.

Base64 

Another well-known obfuscation technique utilized by adversaries is Base64. It's basically an encoding technique that involves 64 characters, with the padding character being the = (equal) sign. Characters a-z, A-Z, + and /, and 0-9 are also present in the alphabet.

The encoding functions by taking 3 characters and stringing them with each other to create a 24-bit string that’s later broken into 4 chunks of 6-bits, which are then translated into one of the characters from Base64. The technique is trivial to decode if it can be recognized.

Dead code insertion

Dead code insertion is a rudimentary tactic that inserts some ineffective code into a program to modify its appearance. However, it doesn’t alert the program’s behavior. For combating the insertion, signature-based antivirus solutions need to wipe off the instructions before conducting analysis. 

ROT13 

Another popular malware obfuscation technique is ROT13. It leverages simple letter substitution for delivering an obfuscated output, where ROT acts as an ASM instruction that says “rotate.” Hence, ROT13 is another name for “rotate 13.”

Adversaries, therefore, would need to rotate a letter by thirteen to encode it, which means they would need to count the next 13 letters of the alphabet until they reach “n.” ROT13 capitalizes on a simple letter substitution for jumbling the text. It can also be configured to rotate a distinctive number of characters, such as ROT15.

Packers

In many instances, the whole program is obfuscated to keep everyone from detecting the malware code until it is inserted in memory. This is done with the help of software, which compresses an executable to reduce its size. It then packages the compressed executable inside the code required to decompress itself at runtime. The process of decompression ensures the executive file doesn’t look anything like its original self.

Even though there are legitimate benefits of using packers, such as reducing the size of the executables or making it difficult for pirates to engage in reverse engineering, malware often leverages packed executables to attempt to hide from security defenses. Malware creators may also develop custom packers that defeat unpacking scripts and forces reverse engineers to unpack the program to see what it is doing.

Conclusion

For as long as malware thrives, so too will obfuscation. Adversaries know that it’s a highly reliable technique that everyday users can do little about. With that said, it is crucial for organizations to take proactive measures for timely detection and analysis. One of the first steps toward better defenses is to familiarize yourself with the latest techniques threat actors are leveraging.  

 

Sources

  1. Malware Obfuscation Techniques: A Brief Survey, ResearchGate
  2. Malware hiding and evasion techniques, So Long, and Thanks for All the Fish
  3. The latest from Mimecast Research Labs includes a malware technique never observed previously., Mimecast
Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.