Dynamic code obfuscation: New threat requires innovative defenses

Dynamic code obfuscation… what a mouthful! What does it mean anyway? Well, let's define what plain ol' code obfuscation is first, then we'll look at dynamic obfuscation and the danger it poses.

Code obfuscation is when script or program source code is made intentionally difficult to read. This can be done in various ways, such as using encryption, or by adding extra tabs, random comments or variable names. The main legitimate reason someone might want to do this is to prevent reverse engineering. By making source code awkward to read and understand, vendors can frustrate those trying to gain unauthorized access to their source code. For example, Microsoft recommends developers use its Script Encoder to obfuscate their final scripts.

In a way, it's a crude form of access control, used to manage the risks that result from the loss of intellectual property and revenue. There are actually code obfuscation programming contests, such as the International Obfuscated C Code Contest, where the aim is to write the most obscure and obfuscated C program.

More information on malicious code

In this Security Wire Weekly podcast, Finjan's chief technology officer, Yuval Ben-Itzhak, explains the growth of dynamic code obfuscation.

Learn how attackers can use Google Code Search to find vulnerabilities in open source software.

Sadly, code obfuscation also works for malicious code writers who want to hide or disguise their code's true purpose. Its use by hackers is nothing new. In the 90s, stealth and polymorphic viruses hid or changed their signatures. These were binary code-based viruses, not scripts, but hackers are adapting these techniques to obfuscate scripts. Spammers commonly use obfuscated JavaScript or HTML code to obscure where URLs lead, or what their script code does. With the advent of Web 2.0 technologies and their liberal use of JavaScript and HTML, obfuscated code is a great tool for concealing browser exploits, redirect functions and cross-site scripting attacks.

Fortunately, antivirus vendors aren't just sitting still and letting the code obfuscators have their way with the Internet. They are now employing a range of emulators and heuristic analyzers on obfuscated code, along with databases of signatures of known malware. Signatures are digital fingerprints that are derived from the malicious code and used to identify it.

So let's get to the dynamic part of dynamic code obfuscation. Hackers are now encrypting their malicious code on the fly, modifying function names and using a different encryption key for each copy. This means that each visitor to a malicious Web site, for example, receives a copy of the malicious code unique to his or her machine, because the code is altered dynamically on every delivery. This fundamentally changes not only the threat of malicious code, but also the pace at which attackers can spread it via unsuspecting victims. For example, the VoMM (eVade-o-Matic Module) is to be added to the widely used Metasploit hacking toolkit. Initially designed for JavaScript-based exploits, it will no doubt expand to encompass other non-binary exploits. This tool will mean that even malicious hackers in training will be able to automate the dynamic code obfuscation process.

Although antivirus software will still play a role, the online world must look to alternative technologies to identify this growing threat. Virus signatures are close to useless against dynamically altered code, since the randomization all but guarantees that an antivirus program will never find a match. Protection technologies must instead use behavior-based analysis -- without relying on signatures -- to determine what a program is going to do. If any action looks potentially suspicious, such as the deletion of a file, a warning can be issued. This analysis will obviously consume processing cycles and have some impact on productivity and user experience, which makes gateway analysis probably the better route as opposed to desktop solutions.

In the meantime, as social engineering is still a key element in many of these attacks, security awareness will continue to grow in importance in order to combat this latest attack vector.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

This was first published in March 2007
