Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/11/2013
07:55 PM
50%
50%

How Attackers Thwart Malware Investigation

A researcher at Black Hat USA this month will dissect a recent attack, showing off attackers' techniques for making malware analysis harder and intelligence gathering more time consuming

Black-hat budgeting -- attempting to skew the economics of hacking against attackers by raising the cost of compromise -- has become a common defensive strategy for companies.

Click here for more of Dark Reading's Black Hat articles.

Yet attackers have also focused on making defenders pay dearly for gathering digital intelligence on their attacks: From domain-name generation to more subtle code obfuscation, attackers are adopting techniques to raise the cost to defenders of detecting attacks, analyzing malware, and gathering intelligence.

In a presentation at the Black Hat Security Briefings in Las Vegas, Jason Geffner, a senior security researcher with security-services firm CrowdStrike, plans to perform an end-to-end analysis of a recent malware sample showing off some of the latest techniques that attackers use to make malware analysis and identification more difficult. As part of the presentation, Geffner plans to release a tool to help analysts remove the junk code used by attackers to camouflage the inner workings of malware.

"When it comes to obfuscation -- whether for obfuscating malware or for DRM purposes -- it is always going to be a cat-and-mouse game," Geffner says. "The people who apply obfuscation know that, given enough time, a researcher will be able to get around the techniques."

The malware whose analysis Geffner will present at the conference comes from a mass customized attack, likely created by a criminal organization, aimed at stealing money and information from corporate victims. The attack used a domain-generation algorithm -- a method for making malware communications difficult to cut off -- and padded parts of the program with junk code to make analysis more difficult.

The general level of obfuscation is getting better, Geffner says. Encrypting or packing too much of a program can tip off automated systems that the software is likely malicious. Instead, judicious obfuscation can avoid setting alarms and still make reverse engineering the code much more difficult. Such techniques are part of the movement on the part of attackers toward making analysis harder to do, which then raises the time and cost required by the defenders to respond to attack, said Dean De Beer, chief technology officer for ThreatGRID, which provides a cloud service for aiding malware analysis.

"The attackers are making it as hard as possible," he says. "If you have obfuscated code and it is a custom packer or encryptor, you have to load it into the debugger, set the break points, and try and figure out the encryption code. And not every organization has someone that can reverse engineer, who has the time to run the analysis and pull out what needs to be blocked each day."

[Malware writers go low-tech in their latest attempt to escape detection, waiting for human input -- a mouse click -- before running their code. See Automated Malware Analysis Under Attack.]

The malware analyzed by CrowdStrike used five times as much junk code in some sections of the program as legitimate code to hide functionality, CrowdStrike's Geffner says. The tool to be released by CrowdStrike will automatically remove the junk code from malware that uses this particular obfuscation technique.

While attackers will likely quickly modify their tools and malware to make automated deobfuscation more difficult, forcing attackers to change their habits is another way to raise the cost to attackers, Geffner says.

"If attackers have to keep changing their ways, then that increases the effort that they have to put in," he says. "So if you can't reduce the reward, at least you are able to increase the risk -- in terms of time and effort -- that the attackers put in."

Yet if the attackers find better ways of hiding their code and making analysis more difficult for defenders, it could result is less intelligence on attackers tools and techniques, ThreatGRID's De Beer says.

"Ultimately, all of these things can be decoded and decrypted and figured out over time, whether it be through dynamic or static means, but the goal on the attackers' side is to increase the workload to the extent where it becomes a very difficult thing to scale," De Beer says. "If you can't scale your analysis and you can't scale your ability to produce actionable content and threat intelligence, then they have an advantage over you at any point in time."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31476
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.3.37598. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the han...
CVE-2021-31477
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-...
CVE-2021-32690
PUBLISHED: 2021-06-16
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This...
CVE-2021-32691
PUBLISHED: 2021-06-16
Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within th...
CVE-2021-32243
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).