Every day, new malware samples are uncovered ranging from zero-day exploits to ransomware variants.
With malware now so common and successful cyberattacks offering potentially high -- albeit criminal -- returns, there is little need for garden-variety hackers to learn how to develop exotic, custom malicious code.
Instead, off-the-shelf malware can be purchased easily by anyone. While some of the most sophisticated forms of malware out there can fetch prices of $7,000 and more, it is also possible to pick up exploit kits and more for far less, or even for free.
The problem with this so-called "commodity" malware is that antivirus companies are well aware of their existence and so prepare their solutions accordingly with signatures that detect the malware families before they can cause damage.
So, how do threat actors circumvent such protection?
This is known as obfuscation.
The goal of obfuscation is to anonymize cyberattackers, reduce the risk of exposure, and hide malware by changing the overall signature and fingerprint of malicious code -- despite the payload being a known threat.
In a Threat Intelligence Bulletin, cybersecurity firm Cylance has explained how the technique works.
"The signature is just a hash," the researchers note. "In this context, a hash refers to a unique, alphanumeric representation of a piece of malware. Signatures very often are hashes, but they can also be some other brief representation of a unique bit of code inside a piece of malware."
Rather than attempt to create a new signature through changing malware itself, obfuscation instead focuses on delivery mechanisms in an attempt to dupe antivirus solutions which rely heavily on signatures. (In comparison to the use of machine learning, predictive analytics, and AI to bolster AV, some researchers argue this has the potential to become obsolete.)
Obfuscation can include a variety of techniques to hide malware, creating layers of obscurity which Cylance compares to "nested figures in a Russian doll."
These techniques include:
- Packers: These software packages will compress malware programs to hide their presence, making original code unreadable.
- Crypters: Crypters may encrypt malware programs, or portions of software, to restrict access to code which could alarm an antivirus product to familiar signatures.
- Dead code insertion: Ineffective, useless code can be added to malware to disguise a program's appearance.
- Instruction changes: Threat actors may alter instruction codes in malware from original samples that end up changing the appearance of the code -- but not the behavior -- as well as change the order and sequence of scripts.
- Exclusive or operation (XOR): This common method of obfuscation hides data so it cannot be read unless trained eyes apply XOR values of 0x55 to code.
- ROT13: This technique is an ASM instruction for "rotate" which substitutes code for random letters.
"While some antivirus products search for common obfuscating techniques so that they too may be blacklisted, this practice is not nearly as well established as the blacklisting of malware payload signatures," the researchers say.
In one interesting example of obfuscation which has recently come under the radar, Cylance found that a Microsoft Windows tool called PowerShell is being abused by attackers.
A malware sample obtained by the company was a .ZIP file containing a PDF document and VBS script which used rudimentary Base64 encoding to obfuscate one layer.
This was followed by the use of string splitting, tick marks, and random letter capitalizations to split and alter the signature.
One particular file in the package, 1cr.dat, revealed the use of another obfuscation method. This was a string encryption setup, called SecureString, which is commonly used by legitimate applications to encrypt sensitive strings of code within applications using Microsoft's built-in DPAPI.
The payload also contained instructions to avoid sandboxes, which are used by security researchers to unpack and analyze malware.
At the time of discovery, only three antivirus signature engines detected the attempt at obfuscation and only two registered the malware at first deployment. This has now increased to 18 products.
For as long as malware exists, so too will obfuscation. While there is little that everyday users can do about the attack method, cybersecurity firms are taking notice -- as now, it is not just zero-days which are of concern, but the increasing use of common malware in creative ways.
"Threat actors are increasingly using obfuscation techniques in combination with commodity malware.
This trend runs counter to a widely-held assumption in the information security space which holds that highly customized malware paired with zero-day exploits are deserving of the most attention.
And while use of those tools is concerning and should be monitored, attention should not be completely divested from those threat actors - including advanced threat actors - who are succeeding right now at bypassing antivirus products with tools that are not "zero- day" but "every day."