Dynamic code obfuscation… what a mouthful! What does it mean anyway? Well, let's define what plain ol' code obfuscation is first, then we'll look at dynamic obfuscation and the danger it poses.
Code obfuscation is when script or program source code is made intentionally difficult to read. This can be done in various ways, such as using encryption, or by adding extra tabs, random comments or variable names. The main legitimate reason someone might want to do this is to prevent reverse engineering. By making source code awkward to read and understand, vendors can frustrate those trying to gain unauthorized access to their source code. For example, Microsoft recommends developers use its Script Encoder to obfuscate their final scripts.
In a way, it's a crude form of access control, used to manage the risks that result from the loss of intellectual property and revenue. There are actually code obfuscation programming contests, such as the International Obfuscated C Code Contest, where the aim is to write the most obscure and obfuscated C program.
Fortunately, antivirus vendors aren't just sitting still and letting the code obfuscators have their way with the Internet. They are now employing a range of emulators and heuristic analyzers on obfuscated code, along with databases of signatures of known malware. Signatures are digital fingerprints that are derived from the malicious code and used to identify it.
Although antivirus software will still play a role, the online world must look to alternative technologies to identify this growing threat. Virus signatures are of little use against dynamically altered code, since the randomization element all but ensures that an antivirus program will never find a match. Protection technologies must make use of behavior-based analysis techniques -- without the use of signatures -- to analyze what a program is going to do. If any actions look potentially suspicious, such as the deletion of a file, warnings can be issued. This analysis will obviously consume processing cycles and have some impact on productivity and user experience, which means that gateway analysis is probably the better route as opposed to desktop solutions.
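To make the two preceding points concrete, here is an added illustration (not code from the original article or from any antivirus product) showing why a byte-exact signature misses a re-randomized script while a normalizing or behavior-based check still catches it. The toy script language, the two script variants, the `KEYWORDS` vocabulary and the `SUSPICIOUS_ACTIONS` rule are all constructed for this example.

```python
"""Signature matching versus normalized/behavior-based matching on a toy script.

Everything below (the script syntax, the two variants, the keyword list and the
suspicious-action rule) is constructed for illustration; no real malware or
product signature is involved.
"""
import hashlib
import re

# Two constructed variants of the same toy script. VARIANT_B is what a dynamic
# obfuscator would hand out on the next download: same actions, but different
# identifier names, extra comments and extra whitespace.
VARIANT_A = """
set target = "/home/me/report.doc"
call deleteFile(target)
"""
VARIANT_B = """
# harmless-looking comment
set    q9z3 = "/home/me/report.doc"   # another comment

call deleteFile(q9z3)
"""
# A constructed benign script, used to show the behavior rule does not fire on it.
BENIGN = """
set out = "/home/me/notes.txt"
call writeFile(out)
"""

KEYWORDS = {"set", "call", "deleteFile", "writeFile"}  # assumed toy-language vocabulary
SUSPICIOUS_ACTIONS = {"deleteFile"}                     # constructed behavior rule


def signature(text: str) -> str:
    """A byte-exact fingerprint, like an entry in a signature database."""
    return hashlib.sha256(text.encode()).hexdigest()


def normalize(text: str) -> str:
    """Strip comments, collapse whitespace and rename identifiers in order of
    first appearance, so cosmetic randomization no longer changes the result.
    (Toy lexer: a '#' inside a string literal would be treated as a comment.)"""
    tokens = []
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        # string literal | word | single punctuation character
        for tok in re.findall(r'"[^"]*"|\w+|[^\s\w]', line):
            is_ident = re.fullmatch(r"[A-Za-z_]\w*", tok) is not None
            if is_ident and tok not in KEYWORDS:
                tokens.append(names.setdefault(tok, f"v{len(names)}"))
            else:
                tokens.append(tok)
    return " ".join(tokens)


def behaviors(text: str) -> list:
    """Toy 'emulator': list the actions a script would perform, in order."""
    return re.findall(r"call\s+(\w+)\s*\(", text)


def signature_match(sample: str, known_signature: str) -> bool:
    return signature(sample) == known_signature


def normalized_match(sample: str, known_normalized: str) -> bool:
    return normalize(sample) == known_normalized


def is_suspicious(sample: str) -> bool:
    """Behavior-based verdict: flag any script that performs a suspicious action."""
    return any(action in SUSPICIOUS_ACTIONS for action in behaviors(sample))


if __name__ == "__main__":
    known_sig = signature(VARIANT_A)       # signature taken from the first sample
    known_norm = normalize(VARIANT_A)
    print("signature matches variant B:", signature_match(VARIANT_B, known_sig))
    print("normalized form matches B:  ", normalized_match(VARIANT_B, known_norm))
    print("behavior verdict for B:     ", is_suspicious(VARIANT_B))
    print("behavior verdict for benign:", is_suspicious(BENIGN))
```

The normalizer shows one way a scanner can absorb cosmetic randomization; the `behaviors`/`is_suspicious` pair shows the signature-free route the paragraph above describes, where the verdict depends on what the script does rather than on its bytes. Both approaches cost more CPU than a hash lookup, which is the trade-off behind the suggestion that this analysis sits better at a gateway than on every desktop.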
In the meantime, as social engineering is still a key element in many of these attacks, security awareness will continue to grow in importance in order to combat this latest attack vector.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.