June 26, 2008
In This Issue
Tech Talk

Malware Obfuscation

The RaceToZero ( http://www.racetozero.net) event to be held in Las Vegas this year has created a big stir from many different communities as to the impact such an event will have upon the perceived state of malware detection. The event has a very simple concept: contestants will be given a malicious binary, which they will then modify in such a way that it performs the exact same malicious activity, but is no longer identified as malicious by a number of anti-virus vendors, the more vendors the better.

For some end-users, this might come as somewhat of a shock: “it only takes minor modifications to completely circumvent an anti-virus product?” Although we would like to set these users at ease, the fact is that the answer is (for the most part) “yes”, especially for those AV vendors that rely on signature-based detection as their primary method of malware identification.

Code obfuscation (or, in the security industry, code packing) is the modification of code in a way that makes it difficult to reverse code engineer (RCE). With regard to malware, the most common reason to obfuscate a malicious binary is to prevent a pre-existing AV signature from identifying it. In its simplest form, a packing process might resemble the following:



Packing does not require that the packed file be larger than the original; many times it is actually smaller. The general premise is that the new binary, once packed, no longer exposes its functionality in an easily identifiable manner.

There are many commercial, open-source, and public “packer tools” available to malware authors and attackers for circumventing AV detection. By using public scanning websites or personal systems with AV products installed, they can confirm that their packed malware goes undetected by the target AV vendor before ever releasing it in the wild. This assures the attacker that, for at least a short period of time, no signature exists for the malicious binary they are rolling out, and it will likely execute its malicious payload without detection.

AV vendors are having a very difficult time keeping up with attackers that utilize different packers, sometimes ones they have created themselves or that are not publicly available. Furthermore, many legitimate software applications use packing to deter reverse code engineering (RCE), so simply blacklisting all packers is not a reasonable option.

The graph below shows some simple statistics for Off the Shelf (OTS) packers available to any attacker. This study was part of a Topical Analysis Report delivered to the eEye Preview customer base to alert them to the technical details and impact of this threat. 32 different AV vendors were tested in this sample set against 5 separate well-known trojan applications. The details have been scrubbed from this public report:



As the results show, packers are a very serious threat to end-users and, at this time, are not fully addressed by the AV industry. Even some of the most common and “simplest” packers, known to the security industry for years, combined with very well-known malicious binaries, produced surprising non-detection results.

Some AV vendors have started introducing more generic protection concepts. These include mechanisms such as sandbox environments, run-time analysis, packer signature detection, and outright packer blacklisting. While none of these is a silver bullet for this quickly escalating issue, they are steps in the right direction. Furthermore, based on the documentation released at the recent CARO workshop, new concepts are likely to be released in the near future that will help protect end-users from all variants of a piece of malware, regardless of the obfuscation methods used.
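The two points above, that a packed binary no longer exposes its functionality in an identifiable form, and that packer signature detection is one of the generic mechanisms vendors are adding, can be illustrated with a small defender-side triage check. The following is an added example and not code from eEye or this newsletter: using only the Python standard library it walks the PE section table and flags a binary as likely packed when a section carries a name associated with a well-known off-the-shelf packer, or when its raw bytes have near-maximal entropy (the footprint of compressed or encrypted content). The sample PE images, the packer-name list (an illustrative subset), and the thresholds are assumptions constructed for this example.

```python
"""Packed-PE heuristics: section entropy plus known packer section names (added example)."""
import math
import random
import struct
from collections import Counter

# Section names left behind by some well-known off-the-shelf packers.
# Illustrative subset only; a production list is far longer and must be curated.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida",
                         ".vmp0", ".vmp1", ".petite", ".MPRESS1", ".MPRESS2", "pec1", "pec2"}
ENTROPY_THRESHOLD = 7.0   # assumed cut-off: compressed/encrypted data sits near 8.0, plain x86 code lower
MIN_SECTION_BYTES = 256   # tiny sections give noisy entropy values, so they are ignored


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Walk the PE section table and return [(name, raw_bytes)].

    Raises ValueError on a malformed or truncated image instead of guessing.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows the signature
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size              # IMAGE_SECTION_HEADER array, 40 bytes per entry
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(image):
            raise ValueError("section table truncated")
        name_raw, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        name = name_raw.rstrip(b"\0").decode("ascii", "replace")
        if raw_ptr + raw_size > len(image):
            raise ValueError(f"section {name!r} raw data extends past end of file")
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def analyze(image: bytes) -> dict:
    """Return per-section entropy and the list of packing indicators found."""
    report = {"sections": [], "packed_indicators": []}
    for name, data in parse_sections(image):
        ent = shannon_entropy(data)
        report["sections"].append({"name": name, "size": len(data), "entropy": round(ent, 2)})
        if name in KNOWN_PACKER_SECTIONS:
            report["packed_indicators"].append(f"{name}: known packer section name")
        if len(data) >= MIN_SECTION_BYTES and ent >= ENTROPY_THRESHOLD:
            report["packed_indicators"].append(f"{name}: entropy {ent:.2f} >= {ENTROPY_THRESHOLD}")
    report["likely_packed"] = bool(report["packed_indicators"])
    return report


def build_sample_pe(sections) -> bytes:
    """Constructed test input: a minimal PE skeleton (not loadable) wrapping the given sections."""
    e_lfanew, opt_size = 0x40, 0xE0           # PE32 optional header size; its contents are left zeroed
    ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)   # raw data starts after the section table
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    hdrs, blobs = b"", b""
    for name, blob in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                            len(blob), 0x1000, len(blob), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += blob
        ptr += len(blob)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + hdrs + blobs


# Constructed section contents: a low-entropy "code" blob drawn from a few opcode bytes,
# and a high-entropy blob standing in for a compressed payload (seeded for repeatability).
_rng = random.Random(2008)
CODE_BLOB = bytes(_rng.choice(b"\x55\x8b\xec\x5d\xc3\x90\x33\xc0") for _ in range(2048))
DATA_BLOB = b"\0" * 1024 + b"hello\0"
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))

CLEAN_IMAGE = build_sample_pe([(".text", CODE_BLOB), (".data", DATA_BLOB)])
UPX_STYLE_IMAGE = build_sample_pe([("UPX0", b""), ("UPX1", PACKED_BLOB)])                    # name and entropy hits
CUSTOM_PACKED_IMAGE = build_sample_pe([(".text", CODE_BLOB[:512]), ("CODE", PACKED_BLOB)])   # entropy hit only

if __name__ == "__main__":
    for label, img in [("clean", CLEAN_IMAGE), ("upx-style", UPX_STYLE_IMAGE), ("custom packer", CUSTOM_PACKED_IMAGE)]:
        print(label, analyze(img))
```

Heuristics like these are how an analyst triages samples that byte signatures miss, but they also fire on legitimately packed commercial software, which is exactly why the text warns that blacklisting every packer is not a workable option; a hit is a reason to send the file to run-time analysis or a sandbox, not a verdict on its own.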

The next time end-users review a potential AV solution, they should take some time to verify that it stands up to at least a subset of the OTS packer obfuscation methods used by attackers. At this time, most end-users would be surprised by who is not performing due diligence in this area, and with regard to malware, if detection does not exist then neither does protection.

Source: Andre Derek Protas, Director of Research and Preview Services

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

How Secure Is Your Company?
"To protect your business, think like a thief. Proactive network security measures hardly ever get the attention and commitment they deserve, yet in almost every case an ounce of prevention is worth a pound—or more—of cure." Full Article

Virus Bulletin Product Review: eEye Digital Security Blink Professional 4.0
"Blink Professional 4.0 Product Review" Full Article

Expert eGuide: Best Practices for Integrated Threat Management
"Networks and endpoint devices are targets for sophisticated, malicious attacks that have the ability to avoid detection by traditional security solutions. What is required for today's threat landscape is the use of a multi-layered integrated threat management system that protects company assets - from the networks and endpoints to the operating systems and applications. Integrated threat management solutions not only offer comprehensive protection for sensitive data, but also help to reduce costs and aid in achieving regulatory compliance." Full Article

View All Media Coverage
"eEye and its security solutions have been covered by numerous press and media associations." Full Article

Reader Q&A

Q: What is the most secure browser?

A: Actually, at eEye, a lot of us use different browsers. Some are more useful than others, some have more published vulnerabilities than others, and some may be less secure than others; however, these three attributes are mostly unrelated in our experience.

In essence, the most secure browser is one that a) the user wholly understands, including what it is capable of and what its potential security risks are (e.g. browser plug-ins), b) administrators can appropriately configure for the environment, and c) is backed by additional security mechanisms on the system designed to block attacks against it (e.g. host-based protection). eEye Research would speculate that multiple browsers fit this model, but it depends more on the administrative team and users within an environment.

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

eEye Adds Vista, Windows 2008 Support to Blink 4.0
eEye Digital Security announces the availability of Blink 4.0, now with Vista and Windows 2008 support, to its popular and award-winning endpoint protection platform. Full Article

eEye Blink 4.0 Receives Coveted Industry Recognition in Virus Bulletin Review
eEye Blink 4.0 Receives Review in Virus Bulletin Full Article

eEye Expands Line of Security Management Appliances
Retina 651 Scanner Combats Cyber-Crime; Aids SMB and Large Organizations Full Article

View All Articles and Announcements
eEye and its security solutions set have introduced a number of newsworthy security advisories and security technology deliveries that have been covered by the press. Select any of the links below to view more details regarding our most recent articles and announcements. Full Article

Etcetera

Stay Up-to-Date with eEye Research
eEye Research has seen some staggering results from the recent influx of Blink Personal/Neighborhood Watch users. This data is offering eEye Research a distinct insight into host-based vulnerability and attack trends, which is used to build enhanced protection into Blink. Keep an eye on the eEye Research Portal http://research.eeye.com/ for future projects that have arisen from the mass use of Blink Personal, including Neighborhood Watch reports and attack trends. More

Vulnerability Expert Forums
The monthly Vulnerability Expert Forum focuses on recently announced critical vulnerabilities - from Microsoft and other software vendors. eEye's Internet security experts will describe the actions necessary to protect your systems from the threats that target these vulnerabilities. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.