How Attackers Thwart Malware Investigation

Black-hat budgeting -- attempting to skew the economics of hacking against attackers by raising the cost of compromise -- has become a common defensive strategy for companies.

Yet attackers have also focused on making defenders pay dearly for gathering digital intelligence on their attacks: From domain-name generation to more subtle code obfuscation, attackers are adopting techniques to raise the cost to defenders of detecting attacks, analyzing malware, and gathering intelligence.

In a presentation at the Black Hat Security Briefings in Las Vegas, Jason Geffner, a senior security researcher with security-services firm CrowdStrike, plans to perform an end-to-end analysis of a recent malware sample showing off some of the latest techniques that attackers use to make malware analysis and identification more difficult. As part of the presentation, Geffner plans to release a tool to help analysts remove the junk code used by attackers to camouflage the inner workings of malware.

"When it comes to obfuscation -- whether for obfuscating malware or for DRM purposes -- it is always going to be a cat-and-mouse game," Geffner says. "The people who apply obfuscation know that, given enough time, a researcher will be able to get around the techniques."

The malware whose analysis Geffner will present at the conference comes from a mass customized attack, likely created by a criminal organization, aimed at stealing money and information from corporate victims. The attack used a domain-generation algorithm -- a method for making malware communications difficult to cut off -- and padded parts of the program with junk code to make analysis more difficult.

The general level of obfuscation is getting better, Geffner says. Encrypting or packing too much of a program can tip off automated systems that the software is likely malicious. Instead, judicious obfuscation can avoid setting alarms and still make reverse engineering the code much more difficult. Such techniques are part of the movement on the part of attackers toward making analysis harder to do, which then raises the time and cost required by the defenders to respond to attack, said Dean De Beer, chief technology officer for ThreatGRID, which provides a cloud service for aiding malware analysis.

"The attackers are making it as hard as possible," he says. "If you have obfuscated code and it is a custom packer or encryptor, you have to load it into the debugger, set the break points, and try and figure out the encryption code. And not every organization has someone that can reverse engineer, who has the time to run the analysis and pull out what needs to be blocked each day."

[Malware writers go low-tech in their latest attempt to escape detection, waiting for human input -- a mouse click -- before running their code. See Automated Malware Analysis Under Attack.]

The malware analyzed by CrowdStrike used five times as much junk code in some sections of the program as legitimate code to hide functionality, CrowdStrike's Geffner says. The tool to be released by CrowdStrike will automatically remove the junk code from malware that uses this particular obfuscation technique.

While attackers will likely quickly modify their tools and malware to make automated deobfuscation more difficult, forcing attackers to change their habits is another way to raise the cost to attackers, Geffner says.

"If attackers have to keep changing their ways, then that increases the effort that they have to put in," he says. "So if you can't reduce the reward, at least you are able to increase the risk -- in terms of time and effort -- that the attackers put in."

Yet if the attackers find better ways of hiding their code and making analysis more difficult for defenders, it could result is less intelligence on attackers tools and techniques, ThreatGRID's De Beer says.

"Ultimately, all of these things can be decoded and decrypted and figured out over time, whether it be through dynamic or static means, but the goal on the attackers' side is to increase the workload to the extent where it becomes a very difficult thing to scale," De Beer says. "If you can't scale your analysis and you can't scale your ability to produce actionable content and threat intelligence, then they have an advantage over you at any point in time."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.