
Obfuscation – Base of Packers (Malware Analysis – Chapter 3)

Obfuscation is another important term that one needs to understand once one chooses the adventurous path of becoming a malware analyst. So, what does obfuscation mean in the software development world? In simple words, obfuscation is a programming technique that aims to hide the real application code. But why? Obviously, to protect it from the people out there who would love to crack your beloved program into more understandable bits and pieces by reverse engineering, after which your own product no longer belongs to you. Okay, good! Well, that was scary, wasn't it? And if this didn't scare you, the next piece of news will do just fine.

In the cyber security world, it's a well known artistry that malware authors use to cover up their malicious code from anti-viruses, using various tools available online and sometimes algorithms of their own, so that it stays undetected for a longer time and prospers. Each day their malware lives, thousands of systems and networks are compromised. Big deal, huh? We shall read more about it later; just stick with me here.

Now, let me give a brief intro to packers. The technique of obfuscating a file by compressing it together with a decompression program is called packing, and the tool responsible for it is called a packer. Well, I am sure you are not here to limit yourself to a layman's understanding, right? Yeah, I thought so too. Let's explore each and every bit of it.

But before I proceed, one question still remains: how is this at all relevant to malware analysis?

Well, the answer is simple. The person behind the malware doesn't want to show all of its stuff. It will be heartbreaking news to him if his malware gets exposed to a security analyst, then analyzed and easily reverse engineered. He has to do something about it, hasn't he? So what he does is start obfuscating his stuff. All the strings and other important data residing right there in binary form are kept covered up by an algorithm that demands a key to get them back to their normal form, after which they simply execute. If anyone other than the malware's author tries to open them in his protected setup using the well known paid or unpaid reverse engineering tools out there, what he sees is just false-faced code which means nothing to him.

Let's talk about some history…

The Old Times of Obfuscations in Cyber Crime

I went through multiple sites to look for the actual time when it all started, I mean obfuscating files. Trust me, it was a hell of a time for me. It just seems like its history is obfuscated as well. Different authors tell different stories about when it all started. All of them place it somewhere between 1986 and 1990. I'll tell you the one that I found interesting:

Story of the Brain virus: the name sounds interesting. Well, the mess it created in that old time is more interesting. Believe it or not, it's still popular in world cyber crime history as the first computer virus for MS-DOS, developed in January 1986 by two brothers, Basit Farooq Alvi and Amjad Farooq Alvi, from Pakistan. The plan was straightforward: infect the boot sector of storage media formatted with the DOS FAT file system and cover itself up by showing some miscellaneous data. Later, I found out it was just an accident. They were trying to save their own medical software from piracy.

Let's hear about some old ways of malware obfuscation…

Known Methods of Obfuscation:

Exclusive OR (XOR)

It's a very common method of obfuscation; some might call it the starting point for learning to obfuscate stuff. If you already know how binary operations work, give yourself some praise and start this small walk with me. The rest of you, please go through the following link first: Bitwise Operations. And don't worry about the walk, you'll always find me here.

So, a review of XOR: the output is 1 (true) when the inputs differ. Malware authors out there somewhere still use this approach, just in a more advanced form like double or triple XOR. It is effective at avoiding detection by tools like XORSearch. There can be multiple ways of XORing a file; another way of using it could be increasing the XOR key value for each next byte it operates on.
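To make the last point concrete, here is an added example (my own code, not from the original post) that obfuscates a constructed sample string with a single fixed XOR key and with a key that increases for every byte, then runs the kind of 256-key known-plaintext search that single-byte XOR tools perform; the key 0x5A and the sample URL are assumptions for the demonstration.

```python
# Added example, not code from the original post: XOR obfuscation with one
# fixed key versus a key that increments for every byte, and the kind of
# known-plaintext key search that single-byte XOR tools such as XORSearch do.

def xor_fixed(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (run twice to undo)."""
    return bytes(b ^ (key & 0xFF) for b in data)

def xor_rolling(data: bytes, start_key: int) -> bytes:
    """XOR byte i with (start_key + i) mod 256, so the key changes per byte.
    Like the fixed variant it is its own inverse."""
    return bytes(b ^ ((start_key + i) & 0xFF) for i, b in enumerate(data))

def find_fixed_key(blob: bytes, known: bytes) -> list:
    """Try all 256 single-byte keys; return those that reveal the known text."""
    return [k for k in range(256) if known in xor_fixed(blob, k)]

def find_rolling_key(blob: bytes, known: bytes) -> list:
    """Same idea for the incrementing scheme: 256 candidate start keys."""
    return [k for k in range(256) if known in xor_rolling(blob, k)]

# Constructed sample string standing in for a URL hidden inside a binary.
SAMPLE = b"http://example.invalid/update.bin"

if __name__ == "__main__":
    fixed = xor_fixed(SAMPLE, 0x5A)
    rolling = xor_rolling(SAMPLE, 0x5A)
    # A single-byte search recovers the fixed key ...
    print(find_fixed_key(fixed, b"http://"))      # [90]
    # ... but sees nothing in the rolling-key blob, which is why the
    # "increase the key for each byte" trick defeats such tools.
    print(find_fixed_key(rolling, b"http://"))    # []
    # A search written for the rolling scheme finds the start key again.
    print(0x5A in find_rolling_key(rolling, b"http://"))  # True
```

The lesson for the analyst is that a negative result from a single-byte XOR search only rules out that one scheme; the search has to be adapted to each key schedule you suspect.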

Base64 Encoding

It's one of the most used obfuscations around the world at the moment. Don't believe me? Check it being used in every other mail in your inbox. So, what exactly does it do? Again, here is another link to read: Base64 Encoding.

A review of Base64: text is converted into encoded text consisting of 64 characters (a-z, A-Z, +, /). Malware authors still use it, but they encode with a different set of 64 characters (e.g. Ç, ASCII value 128, to └, ASCII value 192) to avoid the various tools available online like Base64Decoder.
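As an added example (my own code, not from the original post), the following shows what the custom-alphabet trick looks like and how an analyst maps the symbols back so that an ordinary decoder can handle the data; the alphabet of code points 0x80..0xBF and the sample text are constructed for the demonstration.

```python
# Added example, not code from the original post: Base64 over a custom
# 64-symbol alphabet, and the translation an analyst applies to hand the
# blob back to an ordinary decoder.
import base64

STD_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")
# Constructed alphabet for the demonstration: the 64 code points 0x80..0xBF,
# in the spirit of the high-ASCII range the post mentions. Padding stays '='.
CUSTOM_ALPHABET = "".join(chr(c) for c in range(0x80, 0xC0))

TO_CUSTOM = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)

def custom_b64encode(data: bytes) -> str:
    """Standard Base64, then every symbol swapped for its custom counterpart."""
    return base64.b64encode(data).decode("ascii").translate(TO_CUSTOM)

def custom_b64decode(text: str) -> bytes:
    """Map the custom symbols back to the standard alphabet, then decode as usual."""
    return base64.b64decode(text.translate(TO_STD), validate=True)

def decodes_as_standard_b64(text: str) -> bool:
    """Triage check: a stock decoder rejects custom-alphabet data outright."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except ValueError:          # binascii.Error is a subclass of ValueError
        return False

# Constructed sample, not a real artefact.
SAMPLE = b"Hello, malware analyst!"

if __name__ == "__main__":
    blob = custom_b64encode(SAMPLE)
    print(decodes_as_standard_b64(base64.b64encode(SAMPLE).decode()))  # True
    print(decodes_as_standard_b64(blob))                                # False
    print(custom_b64decode(blob) == SAMPLE)                             # True
```

The recurring "=" padding and the fixed 4-to-3 length ratio survive the alphabet swap, which is what gives such data away even when a stock decoder refuses it.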

The pictures below show two files. The first one is the original file before encoding:

Original File Before Encoding

and the second one is the Base64 encoded file:

Same file after Base64 Encoding

ROT13

ROT13, also referred to as rotation by 13, is an example of the simplest algorithm used in the history of obfuscation till now. As the name says, replace the input letter with the letter 13 places after it. For example, if the input is A then A + 13 = N is the output. It's easy to crack, as there are tools available online to decrypt ROT<Digit> encoding, where <Digit> means the rotation can be done by any digit.
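As an added example (my own code, not from the original post), here is ROT-N as the general form of ROT13, together with the brute force that a ROT<N> decoder runs: try every shift and keep the candidate that reads like English. The word list, the sample sentence and the shift of 7 are assumptions for the demonstration.

```python
# Added example, not code from the original post: ROT-N as the general form of
# ROT13, and a brute force over the 25 possible shifts that scores each
# candidate by how many common English words it contains, the way online
# ROT<N> decoders recover the shift without being told it.
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

def rot(text: str, n: int) -> str:
    """Shift every letter n places along the alphabet, wrapping around;
    digits, spaces and punctuation pass through unchanged."""
    n %= 26
    table = str.maketrans(LOWER + UPPER,
                          LOWER[n:] + LOWER[:n] + UPPER[n:] + UPPER[:n])
    return text.translate(table)

def rot13(text: str) -> str:
    """ROT13 is its own inverse: rot13(rot13(x)) == x."""
    return rot(text, 13)

# Small constructed word list; enough to separate real English from noise.
COMMON_WORDS = {"the", "and", "with", "of", "to", "in", "is", "that"}

def english_score(text: str) -> int:
    """Count tokens that are common English words (case and punctuation ignored)."""
    tokens = text.lower().translate(str.maketrans("", "", string.punctuation)).split()
    return sum(1 for t in tokens if t in COMMON_WORDS)

def crack_rot(cipher: str) -> tuple:
    """Try every non-zero shift and return (shift, plaintext) with the best score."""
    best = max(range(1, 26), key=lambda n: english_score(rot(cipher, n)))
    return best, rot(cipher, best)

# Constructed sample sentence, not taken from any real malware.
SAMPLE = "The malware author hides the strings with a simple rotation of the alphabet."

if __name__ == "__main__":
    hidden = rot(SAMPLE, 7)          # ROT7, one of the "ROT<Digit>" variants
    print(rot13("A"))                # N
    print(crack_rot(hidden))         # (19, SAMPLE): shifting by 19 more undoes ROT7
```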

The three types mentioned above are the simplest and most common obfuscation techniques. There are many advanced ones as well which are not easy to crack and use complex algorithms to encode and compress files.

Well, talk about luck! While I was writing this article, YouTube.com was going through a mess-up and my day couldn't get any better. The error page it was showing contains obfuscated text. Wanna have a look? See the pic below:

Obfuscation Youtube Error 22-06-2016

Can you see the encoded text and the funny error message? It happened for real. I am not going to hide that I tried to decode it with various tools but couldn't. But I will keep on trying and will tell you about it if I can make something meaningful out of it.

Some of the well known tools to obfuscate code are KlassMaster, ProGuard, Jode and Jarg. These days, though, malware authors like to obfuscate the entire file and use run-time packers to do it. Don't worry, we'll understand them in depth soon enough in my next post.

It was fun walking with you. I hope you liked it too and would love more in future. The walk gets more and more interesting when a discussion comes up. So, I have initiated a topic; now it's your turn to give your opinion. Please comment whatever comes to mind after reading this post.

Kindly like our page Talent Cookie on Facebook, be a part of our Facebook group to keep yourself updated, and you can also follow us on Twitter.
