Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/11/2013
07:55 PM
50%
50%

How Attackers Thwart Malware Investigation

A researcher at Black Hat USA this month will dissect a recent attack, showing off attackers' techniques for making malware analysis harder and intelligence gathering more time consuming

Black-hat budgeting -- attempting to skew the economics of hacking against attackers by raising the cost of compromise -- has become a common defensive strategy for companies.

Click here for more of Dark Reading's Black Hat articles.

Yet attackers have also focused on making defenders pay dearly for gathering digital intelligence on their attacks: From domain-name generation to more subtle code obfuscation, attackers are adopting techniques to raise the cost to defenders of detecting attacks, analyzing malware, and gathering intelligence.

In a presentation at the Black Hat Security Briefings in Las Vegas, Jason Geffner, a senior security researcher with security-services firm CrowdStrike, plans to perform an end-to-end analysis of a recent malware sample showing off some of the latest techniques that attackers use to make malware analysis and identification more difficult. As part of the presentation, Geffner plans to release a tool to help analysts remove the junk code used by attackers to camouflage the inner workings of malware.

"When it comes to obfuscation -- whether for obfuscating malware or for DRM purposes -- it is always going to be a cat-and-mouse game," Geffner says. "The people who apply obfuscation know that, given enough time, a researcher will be able to get around the techniques."

The malware whose analysis Geffner will present at the conference comes from a mass customized attack, likely created by a criminal organization, aimed at stealing money and information from corporate victims. The attack used a domain-generation algorithm -- a method for making malware communications difficult to cut off -- and padded parts of the program with junk code to make analysis more difficult.

The general level of obfuscation is getting better, Geffner says. Encrypting or packing too much of a program can tip off automated systems that the software is likely malicious. Instead, judicious obfuscation can avoid setting alarms and still make reverse engineering the code much more difficult. Such techniques are part of the movement on the part of attackers toward making analysis harder to do, which then raises the time and cost required by the defenders to respond to attack, said Dean De Beer, chief technology officer for ThreatGRID, which provides a cloud service for aiding malware analysis.

"The attackers are making it as hard as possible," he says. "If you have obfuscated code and it is a custom packer or encryptor, you have to load it into the debugger, set the break points, and try and figure out the encryption code. And not every organization has someone that can reverse engineer, who has the time to run the analysis and pull out what needs to be blocked each day."

[Malware writers go low-tech in their latest attempt to escape detection, waiting for human input -- a mouse click -- before running their code. See Automated Malware Analysis Under Attack.]

The malware analyzed by CrowdStrike used five times as much junk code in some sections of the program as legitimate code to hide functionality, CrowdStrike's Geffner says. The tool to be released by CrowdStrike will automatically remove the junk code from malware that uses this particular obfuscation technique.

While attackers will likely quickly modify their tools and malware to make automated deobfuscation more difficult, forcing attackers to change their habits is another way to raise the cost to attackers, Geffner says.

"If attackers have to keep changing their ways, then that increases the effort that they have to put in," he says. "So if you can't reduce the reward, at least you are able to increase the risk -- in terms of time and effort -- that the attackers put in."

Yet if the attackers find better ways of hiding their code and making analysis more difficult for defenders, it could result is less intelligence on attackers tools and techniques, ThreatGRID's De Beer says.

"Ultimately, all of these things can be decoded and decrypted and figured out over time, whether it be through dynamic or static means, but the goal on the attackers' side is to increase the workload to the extent where it becomes a very difficult thing to scale," De Beer says. "If you can't scale your analysis and you can't scale your ability to produce actionable content and threat intelligence, then they have an advantage over you at any point in time."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1990
PUBLISHED: 2020-04-08
A stack-based buffer overflow vulnerability in the management server component of PAN-OS allows an authenticated user to upload a corrupted PAN-OS configuration and potentially execute code with root privileges. This issue affects Palo Alto Networks PAN-OS 8.1 versions before 8.1.13; 9.0 versions be...
CVE-2020-1991
PUBLISHED: 2020-04-08
An insecure temporary file vulnerability in Palo Alto Networks Traps allows a local authenticated Windows user to escalate privileges or overwrite system files. This issue affects Palo Alto Networks Traps 5.0 versions before 5.0.8; 6.1 versions before 6.1.4 on Windows. This issue does not affect Cor...
CVE-2020-1992
PUBLISHED: 2020-04-08
A format string vulnerability in the Varrcvr daemon of PAN-OS on PA-7000 Series devices with a Log Forwarding Card (LFC) allows remote attackers to crash the daemon creating a denial of service condition or potentially execute code with root privileges. This issue affects Palo Alto Networks PAN-OS 9...
CVE-2020-10978
PUBLISHED: 2020-04-08
GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API.
CVE-2020-10979
PUBLISHED: 2020-04-08
GitLab EE/CE 11.10 to 12.9 is leaking information on restricted CI pipelines metrics to unauthorized users.