
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Hacker Hide & Seek: Malware Obfuscation and How to Detect It

August 31, 2017 By The Editor

There’s a reason malicious software mutates as it multiplies, evading even the oldest, most-mature antivirus (AV) solutions. Hackers at all levels are successfully evading security defenses with obfuscation techniques designed to distribute malware without detection, and they’re achieving this by making well-known threats look “new again.” Below are excerpts from WatchGuard CTO Corey Nachreiner’s recent two-part series for Dark Reading outlining the basic and sophisticated techniques cybercriminals use to hide malware.

  1. Basic Obfuscation: There are millions of malware variants, and most come from hackers using malware evasion techniques. The four basic methods include packers, crypters, polymorphic malware, and downloaders (also called droppers and staged loaders). As Corey notes:

“There are some issues with both packers and crypters. For instance, both techniques mostly protect malware from static analysis but not necessarily dynamic analysis. Static analysis means malware detection techniques you perform on a file that has not executed yet. Because you want to stop malware before it gets onto systems, many AV products scan files as they pass through networks or get copied onto a computer’s file system. However, static analysis limits what AV can learn about the particular file since those files could be packed or crypted.”
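One way a defender can see the static-analysis limit described above is with a packing heuristic: a packed or crypted payload looks like near-random bytes, so its Shannon entropy sits close to the 8-bits-per-byte maximum, while plain code and strings sit well below it. The script below is an added example, not code from the article or from WatchGuard; the two inputs are constructed (a repeated assembly-text snippet and seeded pseudo-random bytes standing in for a packed section), and the 7.0 cut-off and 256-byte window are assumed values, not a standard.

```python
import math
import random
from collections import Counter

# Assumed heuristic cut-off: sections at or above this entropy are treated as packed/crypted.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Whole-buffer heuristic: high entropy suggests compression or encryption."""
    return shannon_entropy(data) >= threshold


def high_entropy_fraction(data: bytes, window: int = 256,
                          threshold: float = PACKED_THRESHOLD) -> float:
    """Fraction of fixed-size windows that exceed the threshold.

    Scanning windows rather than the whole file catches a packed payload that is
    appended to an otherwise ordinary executable, where the overall entropy would
    be diluted by the low-entropy stub.
    """
    if len(data) < window:
        return 1.0 if looks_packed(data, threshold) else 0.0
    windows = range(0, len(data) - window + 1, window)
    hot = sum(1 for i in windows if shannon_entropy(data[i:i + window]) >= threshold)
    return hot / len(windows)


# Constructed sample inputs (not real files): readable code-like text versus a
# pseudo-random blob that stands in for a packed section.
PLAIN_SAMPLE = b"push ebp\nmov ebp, esp\nsub esp, 0x40\ncall _main\n" * 100
PACKED_SAMPLE = random.Random(1234).randbytes(4096)
# A stub followed by a packed payload: whole-file entropy is pulled down by the stub.
STUB_PLUS_PAYLOAD = PLAIN_SAMPLE + PACKED_SAMPLE


if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE),
                       ("stub+payload", STUB_PLUS_PAYLOAD)]:
        print(f"{name:13s} entropy={shannon_entropy(blob):.2f} "
              f"packed={looks_packed(blob)} "
              f"hot_windows={high_entropy_fraction(blob):.2f}")
```

The windowed scan is the part worth keeping: a packer stub is ordinary code, so the whole-file number alone can fall under the cut-off while most of the file is opaque to a signature scanner. Either way the heuristic only says "something here is hidden"; it cannot say what the payload does, which is exactly the gap that dynamic analysis fills.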

  2. Advanced Obfuscation: Today hackers are moving beyond the basics, using more advanced methods and tactics when hiding malware. These include anti-disassembly and anti-debugging techniques, rootkits, and code, process and DLL injection. Corey explains:

“Process or dynamic-link library (DLL) injection represents a variety of techniques a program can use to run code under the context of another process. Malware authors often leverage these techniques to get their malware code to run through a necessary and required Windows process. For instance, they might inject explorer.exe, svchost.exe, notepad.exe, or another legitimate Windows executable. By picking a process Windows requires, the malware can make itself more difficult for AV software to find and kill.”

Unfortunately, there are many malware obfuscation techniques from basic to advanced. But there is a bright side. While malware may be able to change how it looks, it can’t change what it does, at least if it wants to accomplish its goals of infecting your computer, creating a back door, or encrypting your files.

So, many advanced detection solutions create a system that recognizes malware based on its behavior. In general, these solutions create a “sandbox” that acts like a victim’s computer, with all the normal accompanying software. When this system receives new and suspicious files, it executes them in these sandbox environments to see what they do. By monitoring for hundreds of known malware behaviors, including known evasion techniques, these solutions can accurately and proactively tell if the executable is malicious.
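The behavioral approach described above, and the injection pattern from Corey's quote, can be sketched as a small rule engine over what a sandbox records. The script below is an added example, not code from the article, from WatchGuard or from any sandbox product. The event log is constructed in JSON-lines form with assumed field names (`pid`, `proc`, `api`, `target`, `key`, `path`); the behavior names, weights and the verdict threshold are likewise assumptions chosen to illustrate scoring, not a vendor's rule set.

```python
import json
from collections import defaultdict

# Constructed sandbox event log (JSON lines); field names are assumed for this example.
# It models a sample that checks for a debugger, writes code into explorer.exe and starts
# a thread there, then registers itself under a Run key for persistence.
SUSPICIOUS_LOG = r"""
{"pid": 1204, "proc": "invoice.exe", "api": "IsDebuggerPresent"}
{"pid": 1204, "proc": "invoice.exe", "api": "OpenProcess", "target": "explorer.exe"}
{"pid": 1204, "proc": "invoice.exe", "api": "WriteProcessMemory", "target": "explorer.exe"}
{"pid": 1204, "proc": "invoice.exe", "api": "CreateRemoteThread", "target": "explorer.exe"}
{"pid": 1204, "proc": "invoice.exe", "api": "RegSetValueEx", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}
"""

# Constructed benign activity: an editor reading and saving its own file.
BENIGN_LOG = r"""
{"pid": 2020, "proc": "notepad.exe", "api": "CreateFile", "path": "C:\\Users\\alice\\notes.txt"}
{"pid": 2020, "proc": "notepad.exe", "api": "WriteFile", "path": "C:\\Users\\alice\\notes.txt"}
"""

# Assumed behavior catalogue: evasion checks, the classic write-then-thread injection
# sequence, and Run-key persistence. Real products track hundreds of such behaviors.
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}
INJECTION_APIS = {"WriteProcessMemory", "CreateRemoteThread"}
WEIGHTS = {"anti_debug": 2, "process_injection": 5, "persistence_run_key": 3}
MALICIOUS_THRESHOLD = 5  # assumed cut-off for the example


def parse_events(log: str) -> list:
    """Parse JSON-lines sandbox output, skipping blank lines."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def detect_behaviors(events: list) -> set:
    """Map raw API events onto named behaviors.

    Injection is only flagged when one process both writes memory into and
    starts a thread in a *different* process, so a single API call in
    isolation (which legitimate software also makes) does not trigger it.
    """
    behaviors = set()
    injection = defaultdict(set)  # (source pid, target process) -> injection APIs seen
    for ev in events:
        api = ev.get("api", "")
        if api in ANTI_DEBUG_APIS:
            behaviors.add("anti_debug")
        target = ev.get("target")
        if target and target != ev.get("proc") and api in INJECTION_APIS:
            injection[(ev.get("pid"), target)].add(api)
        if api == "RegSetValueEx" and ev.get("key", "").lower().endswith("\\currentversion\\run"):
            behaviors.add("persistence_run_key")
    if any(INJECTION_APIS <= apis for apis in injection.values()):
        behaviors.add("process_injection")
    return behaviors


def analyze(log: str) -> dict:
    """Score the observed behaviors and return a verdict with its evidence."""
    behaviors = detect_behaviors(parse_events(log))
    score = sum(WEIGHTS[b] for b in behaviors)
    return {
        "behaviors": sorted(behaviors),
        "score": score,
        "verdict": "malicious" if score >= MALICIOUS_THRESHOLD else "benign",
    }


if __name__ == "__main__":
    print("suspicious:", json.dumps(analyze(SUSPICIOUS_LOG)))
    print("benign:    ", json.dumps(analyze(BENIGN_LOG)))
```

The point the example makes is the one the paragraph does: none of these rules care what the file looked like on disk. A packed, crypted or polymorphic variant of the same sample produces the same API sequence once it runs, so the verdict survives the obfuscation. The trade-off is that evasion can target the sandbox itself, which is why the anti-debug check is scored as a behavior in its own right rather than ignored.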

To learn more, read Corey’s articles on Dark Reading: Part 1 and Part 2. Or have some fun by checking out our “Top 5 Least Wanted Malware” infographic.

For the latest cybersecurity news and actionable information to combat emerging threats, stay tuned to Secplicity.

Filed Under: Editorial Articles, Featured Tagged With: cyber security, Hacking, Malware
