One of the most commonly used methods is obfuscation. Malware obfuscation is a process that makes textual and binary data difficult to understand. It helps adversaries hide the critical words (known as strings) a program uses, because those strings reveal patterns of the malware's behavior. Examples of such strings are registry keys and infected URLs.

Adversaries commonly use encryption/encoding techniques to conceal this data from security programs. Sometimes they go a step further and use special tools called "packers" to obfuscate the entire program, which makes reverse engineering and analysis much more difficult.

What are some popular malware obfuscation techniques?

Malware creators routinely utilize obfuscation to complicate the detection of their code. Below is a breakdown of the techniques they commonly use to steer clear of security defenses.

This popular method of obfuscation conceals data so it cannot be analyzed. It does this by swapping the contents of two variables inside the code, such as:

Another method is to assign junk values, which compose values that are simply overwritten later on. For example, INC EBX can be overwritten as MOV EBX, 59F67CD5h.

Adversaries can also run comparisons, then ignore the flags that are set. For example, they can compare EAX with ESP, run a number of instructions and then finally test EBX, EAX.

Other techniques include adding a value, then modifying it with XOR. For example, XORing with all 1s is not equal to NOT:

Which will be the same as MOV EBX, 0A609832Ah.

Each of these techniques makes the malware difficult to read unless a trained reverse engineer applies 0x55 XOR values to the code.

Code integration
First seen in the Zmist/Win95 malware (known as Zmist), code integration instructs malicious code to knit itself into the code of the target program. To apply the technique, the malware first decompiles the program into manageable elements, inserts itself between them, and then reassembles the injected code into a new variant.

Base64
Another well-known obfuscation technique utilized by adversaries is Base64. It is basically an encoding scheme that uses 64 characters, with the = (equal) sign as the padding character. The alphabet consists of the characters a-z, A-Z, 0-9, + and /. The encoding works by taking 3 bytes and stringing them together into a 24-bit value, which is then broken into 4 chunks of 6 bits, each of which is translated into one of the Base64 characters. The technique is trivial to decode once it is recognized.

Dead code insertion
Dead code insertion is a rudimentary tactic that inserts ineffective code into a program to modify its appearance. However, it does not alter the program's behavior. To combat the insertion, signature-based antivirus solutions need to strip the inserted instructions before conducting analysis.

ROT13
Another popular malware obfuscation technique is ROT13. ROT13 relies on a simple letter substitution to jumble the text. To encode a letter, adversaries rotate it by thirteen positions, which means counting thirteen letters forward in the alphabet: starting from "a" they reach "n." ROT acts as an ASM instruction that says "rotate," hence ROT13 is another name for "rotate 13." It can also be configured to rotate by a different number of positions, such as ROT15.

Packing, mentioned above, is done with the help of software that compresses an executable to reduce its size. It then packages the compressed executable inside the code required to decompress it at runtime. In many instances, the whole program is obfuscated to keep anyone from detecting the malware code until it is placed in memory.
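The following is an added example, not code from the original post: it implements the Base64 grouping described above (3 bytes to a 24-bit value to four 6-bit indexes, with = padding) and a ROT-N rotation that generalizes ROT13/ROT15, then uses them analyst-side to recover registry-key and URL strings from a constructed sample in which they were ROT13'd and then Base64'd. The marker list and the sample bytes are assumptions for illustration.

```python
import base64
import re
import string

# The Base64 alphabet as the page describes it: A-Z, a-z, 0-9, '+' and '/', with '=' as padding.
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")     # long Base64-looking runs inside a binary
MARKERS = ("http://", "https://", "HKEY_", ".exe")      # assumed plaintext hints an analyst wants surfaced


def base64_encode(data: bytes) -> str:
    """3 bytes -> one 24-bit value -> four 6-bit alphabet indexes; '=' for each missing input byte."""
    out = []
    for i in range(0, len(data), 3):
        group = data[i:i + 3]
        missing = 3 - len(group)                         # 0, 1 or 2 bytes short in the final group
        bits = int.from_bytes(group + b"\x00" * missing, "big")
        symbols = [B64_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        out.append("".join(symbols[:4 - missing]) + "=" * missing)
    return "".join(out)


def rot(text: str, n: int = 13) -> str:
    """Rotate letters by n positions (ROT13 when n=13, ROT15 when n=15); other characters pass through."""
    def shift(ch: str) -> str:
        base = ord("A") if ch.isupper() else ord("a")
        return chr((ord(ch) - base + n) % 26 + base) if ch.isalpha() else ch
    return "".join(shift(ch) for ch in text)


def recover_strings(blob: bytes) -> list[tuple[int, str]]:
    """Analyst-side pass: decode each Base64 run, then try every rotation until a marker appears."""
    hits = []
    for run in B64_RUN.findall(blob):
        decoded = base64.b64decode(run).decode("ascii", "replace")
        for n in range(26):                              # n=0 covers Base64 with no ROT layer on top
            candidate = rot(decoded, n)
            if any(marker in candidate for marker in MARKERS):
                hits.append((n, candidate))
                break
    return hits


# Constructed sample "binary": junk bytes around a registry key and a URL that were ROT13'd, then Base64'd.
HIDDEN = ["HKEY_CURRENT_USER\\Software\\Run", "http://example.invalid/payload.exe"]
SAMPLE = b"\x00MZ\x90 " + b" ".join(base64_encode(rot(s).encode()).encode() for s in HIDDEN) + b" \xff"

if __name__ == "__main__":
    for n, text in recover_strings(SAMPLE):
        print(f"ROT{n} under Base64: {text}")
```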