Dynamic code obfuscation: New threat requires innovative defenses


Michael Cobb
03.08.2007


Dynamic code obfuscation… what a mouthful! What does it mean anyway? Well, let's define what plain ol' code obfuscation is first, then we'll look at dynamic obfuscation and the danger it poses.

Code obfuscation is when script or program source code is made intentionally difficult to read. This can be done in various ways: encoding or encrypting the code and shipping it with a small decoder, renaming functions and variables to meaningless strings, or padding the code with junk whitespace, random comments and dead code. The main legitimate reason someone might want to do this is to deter reverse engineering. By making source code awkward to read and understand, vendors can frustrate those trying to gain unauthorized access to their source code. For example, Microsoft recommends developers use its Script Encoder (screnc.exe) to obfuscate their final VBScript and JScript files. Note that this is encoding, not encryption: freely available decoders recover the original source, so it deters a casual reader, not a determined one.

In a way, it's a crude form of access control, used to manage the risks that result from the loss of intellectual property and revenue. There are actually code obfuscation programming contests, such as the International Obfuscated C Code Contest, where the aim is to write the most obscure and obfuscated C program.

More information on malicious code

In this Security Wire Weekly podcast, Finjan's chief technology officer, Yuval Ben-Itzhak, explains the growth of dynamic code obfuscation.

Learn how attackers can use Google Code Search to find vulnerabilities in open source software.
Sadly, code obfuscation also works for malicious code writers who want to hide or disguise their code's true purpose. Its use by attackers is nothing new. In the '90s, stealth viruses hid their presence from the operating system, and polymorphic viruses re-encrypted their bodies with a different key and decryptor on each infection so that no fixed byte sequence could serve as a signature. Those were binary viruses, not scripts, but attackers are now adapting the same techniques to scripts. Spammers commonly use obfuscated JavaScript or HTML to disguise where URLs lead or what their script does. With the advent of Web 2.0 technologies and their liberal use of JavaScript and HTML, obfuscated code is a great tool for concealing browser exploits, redirect functions and cross-site scripting attacks.

Fortunately, antivirus vendors aren't just sitting still and letting the code obfuscators have their way with the Internet. They are now employing a range of emulators and heuristic analyzers on obfuscated code, along with databases of signatures of known malware. Signatures are digital fingerprints that are derived from the malicious code and used to identify it.

So let's get to the dynamic part of dynamic code obfuscation. Attackers are now encoding or encrypting their malicious script on the fly: the Web server generates the page at request time, picks a fresh key for each request, randomizes function and variable names, and ships the encoded payload together with a small decoder stub. Each visitor to a malicious Web site therefore receives a copy of the exploit that differs byte for byte from every other copy, even though every copy decodes to the same payload and does the same thing once it runs. This fundamentally changes not only the threat of malicious code, but also the pace at which attackers can spread it via unsuspecting victims. For example, VoMM (eVade-o-Matic Module) is to be added to the widely used Metasploit toolkit. Initially designed for JavaScript-based exploits, it will no doubt expand to encompass other non-binary exploits. Such tooling means even novice attackers will be able to automate dynamic code obfuscation.

Although antivirus software will still play a role, the online world must look to alternative technologies to identify this growing threat. Signatures taken from the bytes on the wire are virtually useless against dynamically altered code: the randomization ensures that no two copies share a fixed byte sequence, so a pattern extracted from one sample will never match the next. What the randomization does not change is the payload's behavior. Protection technologies must therefore rely on behavior-based analysis, independent of signatures: emulate or execute the script far enough for its decoder to run, then examine what the decoded code actually does. If any actions look suspicious, such as deleting a file, writing a hidden iframe into the page, instantiating an ActiveX control or passing a freshly decoded string to eval(), warnings can be issued, and a signature applied to the decoded payload works again. This analysis consumes processing cycles and has some impact on productivity and user experience, which makes gateway analysis the more practical route as opposed to desktop solutions. One caveat: a gateway emulator sees only what is on the wire, so a script that derives its key from something the gateway cannot observe, or that decodes only after a user action, can slip through; gateway inspection complements endpoint protection rather than replacing it.

In the meantime, as social engineering is still a key element in many of these attacks, security awareness will continue to grow in importance in order to combat this latest attack vector.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
