Secplicity – Security Simplified

Hacker Hide & Seek: Malware Obfuscation and How to Detect It

There’s a reason malicious software mutates as it multiplies, evading even the oldest, most-mature antivirus (AV) solutions. Hackers at all levels are successfully evading security defenses with obfuscation techniques designed to distribute malware without detection, and they’re achieving this by making well-known threats look “new again.” Below are excerpts from WatchGuard CTO Corey Nachreiner’s recent two-part series for Dark Reading outlining the basic and sophisticated techniques cybercriminals use to hide malware.

  1. Basic Obfuscation: There are millions of malware variants, and most come from hackers using malware evasion techniques. The four basic methods include packers, crypters, polymorphic malware, and downloaders (also called droppers and staged loaders). As Corey notes:

“There are some issues with both packers and crypters. For instance, both techniques mostly protect malware from static analysis but not necessarily dynamic analysis. Static analysis means malware detection techniques you perform on a file that has not executed yet. Because you want to stop malware before it gets onto systems, many AV products scan files as they pass through networks or get copied onto a computer’s file system. However, static analysis limits what AV can learn about the particular file since those files could be packed or crypted.”

  2. Advanced Obfuscation: Today hackers are moving beyond the basics, using more advanced methods and tactics when hiding malware. This includes antidisassembly and debugging, rootkits, and code, process and DLL injection. Corey explains:

Process or dynamic-link library (DLL) injection represents a variety of techniques a program can use to run code under the context of another process. Malware authors often leverage these techniques to get their malware code to run through a necessary and required Windows process. For instance, they might inject explorer.exe, svchost.exe, notepad.exe, or another legitimate Windows executable. By picking a process Windows requires, the malware can make itself more difficult for AV software to find and kill.

Unfortunately, there are many malware obfuscation techniques, from basic to advanced. But there is a bright side. While malware may be able to change how it looks, it can’t change what it does, at least if it wants to accomplish its goals of infecting your computer, creating a back door, or encrypting your files.

So, many advanced detection solutions create a system that recognizes malware based on its behavior. In general, these solutions create a “sandbox” that acts like a victim’s computer, with all the normal accompanying software. When this system receives new and suspicious files, it executes them in these sandbox environments to see what they do. By monitoring for hundreds of known malware behaviors, including known evasion techniques, these solutions can accurately and proactively tell if the executable is malicious.
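Added example (not code from the Secplicity post or any WatchGuard product): a toy behaviour-scoring pass of the kind described above, run over a constructed sandbox API-call trace. It matches the process-injection call chain from Corey's excerpt, an anti-debugging check, and a long-sleep evasion delay; the log format, signature weights and verdict threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sandbox trace: "<pid> <Win32 API> [key=value ...]" per line.
# Process 1200 shows evasion plus injection into explorer.exe; 1300 is benign.
SAMPLE_TRACE = """\
1200 IsDebuggerPresent
1200 Sleep ms=300000
1200 OpenProcess target=explorer.exe
1200 VirtualAllocEx size=4096
1200 WriteProcessMemory size=4096
1200 CreateRemoteThread
1200 Sleep ms=10
1300 CreateFile name=report.docx
1300 WriteFile size=2048
"""

# Behaviour signatures: an ordered API sequence from one process, with an
# illustrative weight. Other calls may be interleaved between the steps.
ORDERED_SIGNATURES = {
    "process_injection": (
        ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"], 5),
    "anti_debugging": (["IsDebuggerPresent"], 2),
}
LONG_SLEEP_MS = 60_000   # delays this long are a common sandbox-evasion trick
MALICIOUS_THRESHOLD = 5  # assumed cut-off for the verdict


def parse_trace(text):
    """Group trace lines by pid into (api, args) tuples."""
    events = defaultdict(list)
    for line in text.splitlines():
        pid, api, *rest = line.split(maxsplit=2)
        args = dict(kv.split("=", 1) for kv in rest[0].split()) if rest else {}
        events[int(pid)].append((api, args))
    return events


def contains_in_order(apis, pattern):
    """True if every API in pattern appears in apis, in that order."""
    it = iter(apis)
    return all(any(a == p for a in it) for p in pattern)


def analyse(events):
    """Score each process against the signatures and return a verdict per pid."""
    report = {}
    for pid, calls in events.items():
        apis = [api for api, _ in calls]
        hits = {name: w for name, (pattern, w) in ORDERED_SIGNATURES.items()
                if contains_in_order(apis, pattern)}
        if any(api == "Sleep" and int(args.get("ms", 0)) >= LONG_SLEEP_MS
               for api, args in calls):
            hits["long_sleep_evasion"] = 2
        score = sum(hits.values())
        report[pid] = {"behaviours": sorted(hits), "score": score,
                       "malicious": score >= MALICIOUS_THRESHOLD}
    return report


if __name__ == "__main__":
    for pid, verdict in analyse(parse_trace(SAMPLE_TRACE)).items():
        print(pid, verdict)
```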

To learn more, read Corey’s articles on Dark Reading: Part 1 and Part 2. Or have some fun by checking out our “Top 5 Least Wanted Malware” infographic.

For the latest cybersecurity news and actionable information to combat emerging threats, stay tuned to Secplicity.