How to detect and prevent attackers from using these different methods
Obfuscation is an important technique for protecting software that also carries risks, especially when used by malware authors. In this article, we examine obfuscation, its implications, and responses to it.
What is obfuscation?
Obfuscation is a method of intentionally making information difficult to read, especially in computer coding. An important use case is data obfuscation, where sensitive data is rendered unrecognizable to protect it from unauthorized access. Various methods are used for this.
For example, often only the last four digits of a credit card number are displayed, with X’s or asterisks replacing the rest of the digits. In contrast, encryption involves converting data into an unreadable form that can only be decrypted with a special key.
Obfuscation in code
Obfuscated computer code uses convoluted constructs and redundant logic to make the code difficult to understand. The goal? To fool both human readers and programs such as decompilers. To do this, parts of the code are encrypted, metadata is removed, or meaningful names are replaced with meaningless ones. Inserting unused or meaningless code is also a common practice to disguise the actual code.
A so-called obfuscator can automate these processes and change the source code so that it still works but is more difficult to understand.
Other obfuscation techniques include compressing the entire program, making the code unreadable, and altering the flow of control to create unstructured logic that is difficult to maintain.
It is also common to insert dummy code that does not affect the logic or output of the program.
To achieve a multi-layered effect and increase security, several techniques are often combined.
The reverse side
Unfortunately, obfuscation is not only a defense but also a challenge, because it is used not only by legitimate software developers but also by malware authors. For them, the goal of obfuscation is to anonymize the attacker, reduce the risk of detection, and hide malware by changing the familiar signature and fingerprint of the malicious code, even if the payload is a known threat. A signature is typically a hash, a unique alphanumeric representation of a malware element; it can also be some other short representation of the unique code in that element.
Rather than trying to create a new signature by modifying the malware itself, obfuscation focuses on deployment mechanisms to fool antivirus solutions that rely on signatures. Contrast this with the use of machine learning, predictive analytics, and artificial intelligence to improve defenses.
Obfuscation of code can be both “good” and “bad”. In the case of “bad” obfuscation, hackers combine different techniques to hide malware and create multiple layers of obfuscation. One such technique is packers: software that compresses malicious programs to hide their presence and make the code unreadable. Additionally, there are crypters, which encrypt malware or pieces of software to limit access to code that might alert antivirus programs.
Another method is to insert dead code. This involves inserting useless code into the malware to disguise the appearance of the program. Attackers can also use instruction substitution, which involves changing the instruction codes (opcodes) in malicious programs. This changes the appearance of the code, but not its behavior.
Obfuscating the code, as we’ve seen, is only the first step, because no matter how much work a hacker puts into obfuscating the code to bypass EDR, the malware must communicate within the network and with the outside world to be “successful.” This means that the communication must be obfuscated as well. Unlike in the past, when attackers scanned networks quickly and immediately tried to extract data in the terabyte range, today’s attackers operate more quietly so that the sensors and triggers of monitoring tools are not set off.
Scanning for IP addresses, for example, is now done more slowly to stay under the radar. Reconnaissance, in which threat actors gather data about targeted victims, for example about their network architecture, is also becoming slower and harder to spot.
A common obfuscation method is exclusive OR (XOR). Each byte of the data is combined with a key byte, for example 0x55, so that the data can only be read back by someone who applies the same key again. ROT13 is another trick, in which each letter is replaced by the letter 13 places further along the alphabet.
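As an added illustration (not code from the original article), the following Python shows the two techniques just named and the analyst-side reverse of the first: XOR with the single key byte 0x55 and ROT13 are each their own inverse, and because a one-byte XOR key has only 255 non-zero candidates, an obfuscated string can be recovered by trying all of them and scoring the output for readability. The sample text and its host name are constructed placeholders.

```python
import string

# Constructed sample string of the kind an analyst finds XOR-obfuscated inside
# a sample; the host name is a placeholder, not a real indicator.
SAMPLE_TEXT = "connect to update server at example.invalid"
KEY = 0x55  # the single-byte key the article mentions

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so applying
    the same key to the output restores the input."""
    return bytes(b ^ key for b in data)


def rot13(text: str) -> str:
    """ROT13: rotate each ASCII letter 13 places; everything else is unchanged.
    Applying it twice restores the text."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def text_score(data: bytes) -> int:
    """Heuristic 'looks like text' score: +1 for ASCII letters and spaces,
    -5 for bytes that are not printable ASCII at all."""
    score = 0
    for b in data:
        if b == 0x20 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            score += 1
        elif b not in PRINTABLE:
            score -= 5
    return score


def recover_single_byte_xor_key(blob: bytes) -> int:
    """Try all 255 non-zero keys and keep the one whose output scores highest.
    Key 0 is skipped because it would leave the blob unchanged."""
    best_key, best_score = None, None
    for key in range(1, 256):
        score = text_score(xor_bytes(blob, key))
        if best_score is None or score > best_score:
            best_key, best_score = key, score
    return best_key


def deobfuscate_xor(blob: bytes) -> str:
    """Recover the key, undo the XOR and return the text."""
    key = recover_single_byte_xor_key(blob)
    return xor_bytes(blob, key).decode("ascii", errors="replace")


if __name__ == "__main__":
    blob = xor_bytes(SAMPLE_TEXT.encode(), KEY)
    print("obfuscated:", blob.hex())
    print("recovered key:", hex(recover_single_byte_xor_key(blob)))
    print("recovered text:", deobfuscate_xor(blob))
    print("rot13:", rot13("Hello, World"))
```

The scoring favours letters and spaces and penalises non-printable bytes; it is enough to separate the real key from the 254 wrong ones on ordinary text, which is why single-byte XOR hides strings from a signature scanner but not from an analyst.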
Blasts from the past:
- A famous example of obfuscation is the SolarWinds attack in 2020. Hackers used obfuscation to bypass defenses and hide their attacks.
- Another interesting example is PowerShell, a Microsoft Windows tool abused by attackers. Malware that uses PowerShell hides its activity through techniques such as string encoding, command obfuscation, dynamic code execution, and more.
- Another example is the XLS.HTML attack. Here, hackers used sophisticated obfuscation techniques to hide their malicious activity. They changed encryption methods at least ten times during the year to avoid detection. Their tactics included plain text, source encoding, Base64 encoding, and even Morse code.
- In another threat, attackers used vulnerabilities in ThinkPHP to execute remote code on servers. They installed a cloaked web shell called “Dama” that allowed constant access and further attacks.
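The PowerShell traits listed above (string encoding, a hidden window, dynamic code execution) are what a defender looks for in process-creation telemetry. The following Python is an added example, not code from the original article: it spots an -EncodedCommand argument, decodes it (base64 of UTF-16LE text), and flags the combination of traits rather than any single one. The log lines, the encoded command and the file path inside it are constructed; the set of abbreviations accepted for -EncodedCommand is an assumption that covers the common short forms.

```python
import base64
import re

# Constructed sample: the decoded command an obfuscated launcher might carry.
# Path and content are placeholders, not from any real incident.
DECODED_SAMPLE = "Invoke-Expression (Get-Content 'C:\\Users\\Public\\s.ps1' -Raw)"
ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16-le")).decode("ascii")

# Constructed process-creation log lines (not real telemetry).
SAMPLE_LOG = [
    "user=alice cmd=powershell.exe -NoProfile -Command Get-Process",
    "user=bob cmd=powershell.exe -nop -w hidden -enc " + ENCODED_SAMPLE,
    "user=carol cmd=cmd.exe /c dir",
]

# -EncodedCommand may be abbreviated; the alternatives below are the common
# short forms (assumption). The capture group is the base64 argument.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
DYNEXEC_RE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")


def decode_encoded_command(token: str):
    """Decode a -EncodedCommand argument: base64 of UTF-16LE text. Returns
    None when it does not decode cleanly, which is itself worth a look."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmd: str) -> dict:
    """Flag the obfuscation traits named in the article: string encoding,
    hidden window, dynamic code execution. Only PowerShell launches are examined."""
    result = {"cmd": cmd, "decoded": None, "flags": []}
    if "powershell" not in cmd.lower():
        return result
    m = ENC_RE.search(cmd)
    if m:
        result["flags"].append("encoded_command")
        result["decoded"] = decode_encoded_command(m.group(1))
        if result["decoded"] is None:
            result["flags"].append("undecodable_encoded_argument")
    if HIDDEN_RE.search(cmd):
        result["flags"].append("hidden_window")
    # Look for dynamic execution both in the visible command line and in the decoded text.
    visible = cmd + " " + (result["decoded"] or "")
    if DYNEXEC_RE.search(visible):
        result["flags"].append("dynamic_execution")
    return result


def triage(log_lines, min_flags: int = 2) -> list:
    """Return the entries carrying at least `min_flags` traits; one trait alone
    (for example an encoded command) is common in legitimate tooling."""
    hits = []
    for line in log_lines:
        cmd = line.split("cmd=", 1)[1] if "cmd=" in line else line
        info = analyze_command_line(cmd)
        if len(info["flags"]) >= min_flags:
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["flags"], "->", hit["decoded"])
```

Decoding the argument matters as much as flagging it: the decoded text is where the dynamic-execution call and any further layers of encoding become visible, and an argument that fails to decode at all is a reason to look closer, not to discard the event.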
Why not just rely on signatures
Signature-based detection is like an old friend – it’s reliable when it comes to known threats. But when it comes to new, unknown threats, it can sometimes be in the dark. Here are a few reasons why you shouldn’t rely on signatures alone:
- Malware authors are true masters of hiding. They use various methods to disguise their malware. Even small changes to the code can cause signature detection to fail.
- With polymorphic malware, the malware behaves like a chameleon. It constantly changes its structure to avoid detection. The code looks different each time it is executed.
- Static signatures? No chance! Metamorphic malware is even more sophisticated. It adapts at runtime and changes its code dynamically, making it virtually impossible to catch with static signatures.
- Also, zero-day exploits behave like the “new guy”: they’re fresh and unknown, and signature-based systems have no chance of recognizing them.
- Also, if a signature-based solution returns too many false positives, it becomes inefficient. Too many false alerts in day-to-day business wear down your security team and waste valuable resources.
In short, signature detection, such as in EDR, is a useful tool, but by itself it is not sufficient to stop all threats. A more comprehensive security strategy that also includes behavioral analysis, machine learning and other modern techniques is essential.
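To make the point about small code changes concrete, here is an added Python example (not from the article) of why a file hash is such a fragile signature: appending a single byte of dead code, a 0x90 padding byte, changes the SHA-256 of a constructed stand-in sample, while a string-based feature rule of the kind YARA expresses still matches. The sample blob, the URL and the registry path are constructed placeholders.

```python
import hashlib
import re

# Constructed stand-in for a malware sample: a fake header, some "code" bytes
# that are deliberately non-printable, and two embedded strings. The host name
# and registry path are placeholders, not real indicators.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00"
    + bytes(range(0x80, 0x100)) * 2
    + b"http://example.invalid/beacon\x00"
    + b"SOFTWARE\\Example\\Agent\x00"
    + bytes(range(0x80, 0x100))
)


def insert_dead_code(sample: bytes, count: int = 1) -> bytes:
    """Append `count` padding bytes (0x90, a NOP on x86): the file changes,
    the program's behaviour does not."""
    return sample + b"\x90" * count


def sha256_signature(sample: bytes) -> str:
    """The classic file-hash signature."""
    return hashlib.sha256(sample).hexdigest()


# The "vendor database": it knows the hash of the sample as first seen.
KNOWN_BAD_HASHES = {sha256_signature(ORIGINAL_SAMPLE)}


def hash_match(sample: bytes, known: set) -> bool:
    return sha256_signature(sample) in known


# Printable-ASCII runs of at least four bytes, as a strings tool would extract.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(sample: bytes) -> set:
    return {m.group(0) for m in STRING_RE.finditer(sample)}


# A YARA-style "all of them" rule over the strings the sample is known to carry.
FEATURE_RULE = {b"http://example.invalid/beacon", b"SOFTWARE\\Example\\Agent"}


def feature_match(sample: bytes, rule: set) -> bool:
    return rule <= extract_strings(sample)


def scan(sample: bytes) -> dict:
    """Run both detection styles against one sample."""
    return {
        "hash_match": hash_match(sample, KNOWN_BAD_HASHES),
        "feature_match": feature_match(sample, FEATURE_RULE),
    }


if __name__ == "__main__":
    variant = insert_dead_code(ORIGINAL_SAMPLE)
    print("original:", scan(ORIGINAL_SAMPLE))
    print("variant: ", scan(variant))
```

The packers and crypters described earlier defeat the string rule as well, because the strings only exist after unpacking in memory; that is the point at which behavioral and network-level detection have to take over.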
Why NDR tools are so important
Anomaly-based IDS solutions are like detectives that learn normal system behavior and sound the alarm when unusual activity is detected. Network Detection and Response (NDR) tools go a step further: they constantly adapt to stay one step ahead of the changing cyber threat landscape and, thanks to advanced analysis and integration, offer a much higher level of security than traditional signature-based approaches. They are able to detect and defend against both known and unknown threats.
Here’s how they do it:
- Behavior analysis: NDR tools monitor network traffic and analyze behavior. They detect unusual patterns that may indicate command and control (C&C) communications, such as irregular data transmissions.
- Protocol monitoring: They examine HTTP requests, DNS traffic, and other protocols to detect suspicious behavior or communication that may be associated with obfuscated malware.
- Metadata Analysis: NDR tools analyze metadata to detect unusual patterns that indicate suspicious activity. Machine learning models help identify typical obfuscation techniques visible through suspicious behavior in network traffic.
- Long-term communication monitoring: Because attackers now obfuscate their communications as well, using slower and stealthier methods to avoid detection while collecting data inside and outside networks, it helps that NDR also considers longer time periods, such as 3 days, in addition to batch runs over a few minutes that establish baselines and detect deviations. Real-time alerting on its own would produce a flood of alerts if a ping scan were detected every minute or so. But is every ping an attack? Of course not!
- MITRE ATT&CK and Zeek: the ATT&CK knowledge base and the Zeek network monitor provide valuable information about threats that use obfuscation. Their integration with NDR tools greatly improves threat detection capabilities.
- Threat data sharing: NDR tools share threat data with other security solutions. This allows for faster detection of known obfuscation techniques and suspicious behavior. Integration with EDR tools allows them to correlate suspicious endpoint activity with network traffic, greatly improving security analysis.
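The behavior-analysis and long-term-monitoring points above can be shown on flow records. The Python below is an added example, not an NDR product's code: over constructed flow records for three internal hosts it (1) looks for the regular check-ins of a command-and-control beacon by measuring how evenly spaced one host's connections to one destination are, and (2) counts distinct targets per source both in one-minute windows and in a 3-day window, so that a scan touching one new host every ten minutes, which never exceeds a per-minute threshold, is still caught. All addresses and timestamps are constructed; the thresholds are illustrative assumptions.

```python
import statistics
from collections import defaultdict
from typing import List, NamedTuple, Optional


class Flow(NamedTuple):
    ts: int       # epoch seconds
    src: str
    dst: str
    dport: int


DAY = 86_400


def build_sample_flows() -> List[Flow]:
    """Constructed flow records for three internal hosts (not real traffic)."""
    flows = []
    # Slow scanner: one SSH probe to a new host every 10 minutes for 3 days (432 probes).
    for i in range(432):
        flows.append(Flow(i * 600, "10.0.0.5", f"10.0.{1 + i // 256}.{i % 256}", 22))
    # Beacon: check-in to one external host every ~5 minutes with a little jitter.
    jitter = [-5, 3, 0, 7, -2]
    t = 1_000
    for i in range(50):
        flows.append(Flow(t, "10.0.0.7", "203.0.113.10", 443))
        t += 300 + jitter[i % len(jitter)]
    # Ordinary host: a handful of connections at irregular intervals.
    t = 2_000
    for gap in [30, 600, 45, 1800, 90, 3600, 15, 7200, 120, 900, 60, 2400]:
        flows.append(Flow(t, "10.0.0.9", "198.51.100.20", 443))
        t += gap
    flows.append(Flow(t, "10.0.0.9", "198.51.100.20", 443))
    return flows


def max_distinct_targets(flows: List[Flow], src: str, window: int) -> int:
    """Largest number of distinct (dst, port) pairs `src` touched within any
    tumbling window of `window` seconds."""
    buckets = defaultdict(set)
    for f in flows:
        if f.src == src:
            buckets[f.ts // window].add((f.dst, f.dport))
    return max((len(targets) for targets in buckets.values()), default=0)


def interval_cv(timestamps: List[int]) -> Optional[float]:
    """Coefficient of variation of the gaps between connections: close to 0
    means evenly spaced connections, as a timer-driven beacon produces."""
    if len(timestamps) < 2:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def detect(flows: List[Flow], scan_threshold: int = 100,
           beacon_cv: float = 0.1, min_beacons: int = 10) -> dict:
    """Two NDR-style rules: a slow scan judged over a 3-day window, and
    beaconing judged per (src, dst, port). Thresholds are illustrative."""
    alerts = {"slow_scan": [], "beacon": []}
    for src in sorted({f.src for f in flows}):
        if max_distinct_targets(flows, src, 3 * DAY) >= scan_threshold:
            alerts["slow_scan"].append(src)
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    for pair, ts in sorted(by_pair.items()):
        cv = interval_cv(ts)
        if len(ts) >= min_beacons and cv is not None and cv < beacon_cv:
            alerts["beacon"].append(pair)
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-minute max targets for 10.0.0.5:", max_distinct_targets(sample, "10.0.0.5", 60))
    print("3-day max targets for 10.0.0.5:", max_distinct_targets(sample, "10.0.0.5", 3 * DAY))
    print(detect(sample))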
More details why NDR is a critical security tool and how it detects even the most advanced threats and sophisticated forms of obfuscation, download our technical book to Advanced Persistent Threat Detection (APT).
To see how NDR works in your corporate network and exactly how it detects and responds to APTs, watch our recorded APT detection video.