How Attackers Thwart Malware Investigation

A researcher at Black Hat USA this month will dissect a recent attack, showing off attackers' techniques for making malware analysis harder and intelligence gathering more time consuming

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Black-hat budgeting -- attempting to skew the economics of hacking against attackers by raising the cost of compromise -- has become a common defensive strategy for companies.

Yet attackers have also focused on making defenders pay dearly for gathering digital intelligence on their attacks: From domain-name generation to more subtle code obfuscation, attackers are adopting techniques to raise the cost to defenders of detecting attacks, analyzing malware, and gathering intelligence.

In a presentation at the Black Hat Security Briefings in Las Vegas, Jason Geffner, a senior security researcher with security-services firm CrowdStrike, plans to perform an end-to-end analysis of a recent malware sample showing off some of the latest techniques that attackers use to make malware analysis and identification more difficult. As part of the presentation, Geffner plans to release a tool to help analysts remove the junk code used by attackers to camouflage the inner workings of malware.

"When it comes to obfuscation -- whether for obfuscating malware or for DRM purposes -- it is always going to be a cat-and-mouse game," Geffner says. "The people who apply obfuscation know that, given enough time, a researcher will be able to get around the techniques."

The malware whose analysis Geffner will present at the conference comes from a mass customized attack, likely created by a criminal organization, aimed at stealing money and information from corporate victims. The attack used a domain-generation algorithm -- a method for making malware communications difficult to cut off -- and padded parts of the program with junk code to make analysis more difficult.

The general level of obfuscation is getting better, Geffner says. Encrypting or packing too much of a program can tip off automated systems that the software is likely malicious. Instead, judicious obfuscation can avoid setting alarms and still make reverse engineering the code much more difficult. Such techniques are part of the movement on the part of attackers toward making analysis harder to do, which then raises the time and cost required by the defenders to respond to attack, said Dean De Beer, chief technology officer for ThreatGRID, which provides a cloud service for aiding malware analysis.

"The attackers are making it as hard as possible," he says. "If you have obfuscated code and it is a custom packer or encryptor, you have to load it into the debugger, set the break points, and try and figure out the encryption code. And not every organization has someone that can reverse engineer, who has the time to run the analysis and pull out what needs to be blocked each day."

[Malware writers go low-tech in their latest attempt to escape detection, waiting for human input -- a mouse click -- before running their code. See Automated Malware Analysis Under Attack.]

The malware analyzed by CrowdStrike used five times as much junk code in some sections of the program as legitimate code to hide functionality, CrowdStrike's Geffner says. The tool to be released by CrowdStrike will automatically remove the junk code from malware that uses this particular obfuscation technique.

While attackers will likely quickly modify their tools and malware to make automated deobfuscation more difficult, forcing attackers to change their habits is another way to raise the cost to attackers, Geffner says.

"If attackers have to keep changing their ways, then that increases the effort that they have to put in," he says. "So if you can't reduce the reward, at least you are able to increase the risk -- in terms of time and effort -- that the attackers put in."

Yet if the attackers find better ways of hiding their code and making analysis more difficult for defenders, it could result is less intelligence on attackers tools and techniques, ThreatGRID's De Beer says.

"Ultimately, all of these things can be decoded and decrypted and figured out over time, whether it be through dynamic or static means, but the goal on the attackers' side is to increase the workload to the extent where it becomes a very difficult thing to scale," De Beer says. "If you can't scale your analysis and you can't scale your ability to produce actionable content and threat intelligence, then they have an advantage over you at any point in time."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Read more about:

Black Hat News

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights