Obfuscation: There Are Two Sides To Everything


Obfuscation is an important technique for protecting software that also carries risks, especially when used by malware authors. In this article, we examine obfuscation, its effects, and responses to it.

Obfuscation is the technique of intentionally making information difficult to read, especially in computer coding. An important use case is data obfuscation, in which sensitive data is made unrecognizable to protect it from unauthorized access. Various methods are used for this.

For example, only the last four digits of a credit card number are often displayed, while the remaining digits are replaced by Xs or asterisks. In contrast, encryption involves converting data into an unreadable form that can only be decrypted using a special key.

When computer code is obfuscated, complex language and redundant logic are used to make the code difficult to understand. The aim? To deceive both human readers and programs such as decompilers. To do this, parts of the code are encrypted, metadata is removed, or meaningful names are replaced by meaningless ones. Inserting unused or meaningless code is also a common practice to disguise the actual code.

A so-called obfuscator can automate these processes and modify the source code so that it still works but is more difficult to understand.

Other methods of obfuscation include compressing the entire program, making the code unreadable, and changing the control flow to create unstructured, difficult-to-maintain logic.

Inserting dummy code that does not affect the logic or the program’s result is also common.

Several techniques are often combined to achieve a multi-layered effect and increase security.
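To make the techniques above concrete, here is a small Python example, added for this article and not taken from any real obfuscator: it renames functions, parameters and local variables to opaque look-alike identifiers, inserts a dead branch that can never execute, and shows that the transformed program still returns exactly the same result. The `checksum` routine and the `_Il1O0...` naming scheme are constructed for the demonstration.

```python
import ast
import random

# Constructed sample program (not from the article): a small checksum routine.
SOURCE = """
def checksum(values):
    total = 0
    for v in values:
        total = (total + v * 31) % 65521
    return total
"""

# Dead code that can never run: len(str(0)) is 1, so the condition is always false.
DEAD_CODE = "if len(str(0)) > 5:\n    raise RuntimeError('unreachable')"


class Obfuscator(ast.NodeTransformer):
    """Rename functions, parameters and locals to opaque names and insert dead code."""

    def __init__(self, rng):
        self.rng = rng
        self.mapping = {}  # original name -> opaque name

    def opaque(self, name):
        # Names built only from I, l, 1, O and 0 are legal identifiers but hard to tell apart.
        if name not in self.mapping:
            while True:
                candidate = "_" + "".join(self.rng.choice("Il1O0") for _ in range(8))
                if candidate not in self.mapping.values():
                    break
            self.mapping[name] = candidate
        return self.mapping[name]

    def visit_FunctionDef(self, node):
        node.name = self.opaque(node.name)
        for arg in node.args.args:
            arg.arg = self.opaque(arg.arg)
        self.generic_visit(node)
        # Insert the dead branch at the top of the body after renaming, so the
        # builtins it uses (len, str) are left untouched.
        node.body.insert(0, ast.parse(DEAD_CODE).body[0])
        return node

    def visit_Name(self, node):
        # Rename every assigned name and every read of a name already renamed;
        # reads of unknown names (builtins such as range) stay as they are.
        if isinstance(node.ctx, ast.Store) or node.id in self.mapping:
            node.id = self.opaque(node.id)
        return node


def obfuscate(source, seed=0):
    """Return (obfuscated_source, name_mapping) for a module source string."""
    tree = ast.parse(source)
    obf = Obfuscator(random.Random(seed))
    tree = obf.visit(tree)
    ast.fix_missing_locations(tree)
    return ast.unparse(tree), obf.mapping


def run(source, func_name, arg):
    """Execute a module source and call one of its functions with a single argument."""
    namespace = {}
    exec(source, namespace)
    return namespace[func_name](arg)


if __name__ == "__main__":
    obfuscated, mapping = obfuscate(SOURCE)
    print(obfuscated)
    print(run(SOURCE, "checksum", [1, 2, 3]), run(obfuscated, mapping["checksum"], [1, 2, 3]))
```

The behaviour is unchanged (both versions return 186 for the input `[1, 2, 3]`), yet the obfuscated source no longer carries any of the original names, which is exactly what makes it harder to read for a human and less useful to a decompiler. Note that `ast.unparse` requires Python 3.9 or newer.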

Unfortunately, obfuscation is not only a protection, it is also a challenge: it is used not only by legitimate software developers but also by malware authors. Their goal is to anonymize the attacker, reduce the risk of detection, and hide malware by changing the overall signature and fingerprint of the malicious code, even when the payload is a known threat. A signature is most often a hash, a unique alphanumeric representation of a malware element, but it can also be another short representation of a unique piece of code within that element.

Rather than creating a new signature by modifying the malware itself, this kind of obfuscation focuses on the deployment mechanism in order to fool antivirus solutions that rely on signatures. Contrast this with the defenders' use of machine learning, predictive analysis, and artificial intelligence to improve their defenses.

Obfuscation, or the disguising of code, can be both “good” and “bad”. In the case of “bad” obfuscation, hackers combine various techniques to hide malware and create multiple layers of disguise. One of these techniques is the use of packers: software that compresses the malware to hide its presence and make the original code unreadable. Then there are crypters, tools that encrypt the malware or parts of it so that code which could alert antivirus programs is no longer readable.

Another method is the insertion of dead code. This involves inserting useless code into the malware to disguise the program’s appearance. Attackers can also use command modification, which involves changing the command codes in malware programs. This changes the appearance of the code, but not its behavior.
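Packed and encrypted payloads of the kind described above have one statistical tell that defenders can check without understanding the code: their bytes look nearly random, so their Shannon entropy approaches 8 bits per byte, while ordinary code and text sit far lower. The following Python triage helper is an added example, not code from the article or from any product; the sample “file” (a readable header followed by a seeded pseudo-random blob standing in for a packed section), the 512-byte window and the 7.0-bit threshold are all constructed for the demonstration.

```python
import math
import random
from collections import Counter

WINDOW = 512        # bytes per window (assumed value for the example)
THRESHOLD = 7.0     # bits per byte; plain code and text sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or uniform data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD):
    """Return [(offset, entropy)] for every full window whose entropy exceeds the threshold."""
    hits = []
    for offset in range(0, len(data) - window + 1, window):
        ent = shannon_entropy(data[offset:offset + window])
        if ent > threshold:
            hits.append((offset, round(ent, 2)))
    return hits


def triage(data: bytes):
    """Summarise a sample: overall entropy, suspicious regions, and a coarse verdict."""
    hits = high_entropy_windows(data)
    return {
        "overall": round(shannon_entropy(data), 2),
        "suspicious_windows": hits,
        # Call it "likely packed" when at least half of the file is high-entropy.
        "likely_packed": len(hits) * WINDOW >= len(data) / 2,
    }


# Constructed sample "file" (not a real binary): a readable header followed by a
# seeded pseudo-random blob that stands in for a compressed or encrypted payload.
_rng = random.Random(7)
SAMPLE_TEXT = (b"This is plain ASCII text that a packer detector must not flag.\n" * 10)[:512]
SAMPLE_PACKED = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE_FILE = SAMPLE_TEXT + SAMPLE_PACKED

if __name__ == "__main__":
    print(triage(SAMPLE_FILE))
```

Entropy alone is a heuristic, not proof: legitimately compressed resources, images and signed certificates also score high, and a packer can pad its output with low-entropy filler to pull the average down. It is nevertheless a cheap first signal that a file deserves a closer look, which is why sandboxes and EDR products routinely compute it per section.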

As we have seen, obfuscating the code is only the first step: no matter how much work the attacker puts into obfuscating the code to bypass EDR, the malware must communicate within the network and with the outside world to be “successful”. This means that the communication must be obfuscated as well. In the past, networks were scanned quickly and attempts were made to exfiltrate data in the terabyte range all at once; today, attackers communicate more quietly so that the sensors and alert triggers of the monitoring tools do not fire.

Scanning for IP addresses, for example, is now carried out more slowly to stay under the radar. Reconnaissance, in which the threat actors collect information about their intended victims, e.g. about their network architecture, is also becoming slower and harder to spot.

A common obfuscation method is Exclusive OR (XOR). Data is XORed with a key byte, 0x55 for example, and can only be read back by someone who XORs it with the same key. ROT13 is another trick, in which each letter is replaced by the letter 13 positions further on in the alphabet.
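Both tricks are cheap to apply and just as cheap to undo, which is why an analyst's first move against a suspicious blob is often to try them. The Python below is an added example, not code from the article: it implements single-byte XOR and ROT13 (both are their own inverse), and a small recovery routine that tries all 256 XOR keys and ranks the outputs that decode to printable, English-looking text. The configuration string hidden with key 0x55 is constructed for the demonstration.

```python
import string

LETTERS = frozenset(string.ascii_letters.encode())
PRINTABLE = frozenset(range(32, 127)) | {9, 10, 13}   # printable ASCII plus tab/LF/CR


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def rot13(text: str) -> str:
    """Shift each ASCII letter 13 places; non-letters pass through. Self-inverse."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def text_score(data: bytes) -> float:
    """Fraction of bytes that are letters or spaces; English-like text scores high."""
    return sum(b in LETTERS or b == 0x20 for b in data) / len(data)


def recover_single_byte_xor(data: bytes):
    """Try all 256 keys, keep fully printable results, best text-like score first.

    Returns a list of (key, score, plaintext) tuples; an empty list means no key
    yields printable output, i.e. the blob is probably not single-byte XOR.
    """
    candidates = []
    for key in range(256):
        plain = xor_bytes(data, key)
        if all(b in PRINTABLE for b in plain):
            candidates.append((key, text_score(plain), plain))
    candidates.sort(key=lambda c: c[1], reverse=True)
    return candidates


# Constructed sample (not from the article): a configuration string hidden with XOR 0x55.
SAMPLE_PLAIN = b"Config: interval 30s, retries 3, mode quiet.\n"
SAMPLE_XORED = xor_bytes(SAMPLE_PLAIN, 0x55)

if __name__ == "__main__":
    key, score, plain = recover_single_byte_xor(SAMPLE_XORED)[0]
    print(hex(key), round(score, 2), plain)
    print(rot13("Uryyb, Jbeyq!"))
```

The ranking works because XOR with the wrong key turns letters into punctuation or control characters, so only the true key produces output that is both entirely printable and mostly letters and spaces. That is also the limitation: a multi-byte or rolling key defeats the 256-key search, and binary payloads (not text) have no printable signal to score, which is where the entropy and behavioural checks discussed elsewhere in this article take over.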

Signature-based detection is like an old friend: it’s reliable when it comes to known threats. But when it comes to new, unknown threats, it is sometimes in the dark. Here are a few reasons why you shouldn’t rely solely on signatures:

In short, signature detection, e.g., in an EDR, is a useful tool, but it’s not enough on its own to ward off all threats. A more comprehensive security strategy that also includes behavioral analysis, machine learning, and other modern techniques is essential.

Anomaly-based IDS solutions are like detectives who keep an eye on a system’s normal behavior and sound the alarm when they detect unusual activity. But Network Detection and Response (NDR) tools even go a step further: they constantly adapt to stay one step ahead of the changing cyber threat landscape and offer a significantly higher level of security than traditional signature-based approaches through their advanced analysis and integration. They are able to detect and defend against both known and unknown threats.

For more on why NDR is a crucial security tool and how it detects even the most advanced threats and complex forms of obfuscation, download our whitepaper on Advanced Persistent Threat (APT) detection.

To see how NDR acts in your corporate network, and precisely how it detects and responds to APTs, watch our recorded APT detection video.
