
Dynamic code obfuscation: New threat requires innovative defenses

Dynamic code obfuscation used to be a taxing effort, but now even the most junior-level malicious hackers have learned how to effectively hide their code. In this tip, Michael Cobb examines how dynamic code obfuscation works, why it's on the rise and what's needed to keep it from becoming today's biggest threat.

Dynamic code obfuscation… what a mouthful! What does it mean anyway? Well, let's define what plain ol' code obfuscation is first, then we'll look at dynamic obfuscation and the danger it poses.

Code obfuscation is when script or program source code is made intentionally difficult to read. This can be done in various ways, such as using encryption, or by adding extra tabs, random comments or variable names. The main legitimate reason someone might want to do this is to prevent reverse engineering. By making source code awkward to read and understand, vendors can frustrate those trying to gain unauthorized access to their source code. For example, Microsoft recommends developers use its Script Encoder to obfuscate their final scripts.

In a way, it's a crude form of access control, used to manage the risks that result from the loss of intellectual property and revenue. There are actually code obfuscation programming contests, such as the International Obfuscated C Code Contest, where the aim is to write the most obscure and obfuscated C program.

More information on malicious code

In this Security Wire Weekly podcast, Finjan's chief technology officer, Yuval Ben-Itzhak, explains the growth of dynamic code obfuscation.

Learn how attackers can use Google Code Search to find vulnerabilities in open source software.

Sadly, code obfuscation also works for malicious code writers who want to hide or disguise their code's true purpose. Its use by hackers is nothing new. In the 90s, stealth and polymorphic viruses hid or changed their signatures. These were binary code-based viruses, not scripts, but hackers are adapting these techniques to obfuscate scripts. Spammers commonly use obfuscated JavaScript or HTML code to obscure where URLs lead, or what their script code does. With the advent of Web 2.0 technologies and their liberal use of JavaScript and HTML, obfuscated code is a great tool for concealing browser exploits, redirect functions and cross-site scripting attacks.

Fortunately, antivirus vendors aren't just sitting still and letting the code obfuscators have their way with the Internet. They are now employing a range of emulators and heuristic analyzers on obfuscated code, along with databases of signatures of known malware. Signatures are digital fingerprints that are derived from the malicious code and used to identify it.

So let's get to the dynamic part of dynamic code obfuscation. Hackers are now encrypting their malicious code on the fly, modifying function names and using distinct encryption keys to encrypt their code. This means that each visitor to a malicious Web site, for example, will receive a virus unique to his or her machine, as the malicious code is altered dynamically. This fundamentally changes not only the threat of malicious code, but also the pace at which attackers can spread it via unsuspecting victims. For example, VoMM (the eVade-o-Matic Module) is to be added to the widely used Metasploit hacking toolkit. Initially designed for JavaScript-based exploits, it will no doubt expand to encompass other non-binary exploits. This tool will mean even malicious hackers in training will be able to automate the dynamic code obfuscation process.

Although antivirus software will still play a role, the online world must look to alternative technologies to identify this growing threat. Virus signatures are virtually useless against dynamically altered code, since the randomization element virtually ensures antivirus programs would never find a match. Protection technologies must make use of behavior-based analysis techniques -- without the use of signatures -- to analyze what a program is going to do. If any actions look potentially suspicious, such as the deletion of a file, warnings can be issued. This analysis will obviously consume processing cycles and have some impact on productivity and user experience. This means that gateway analysis is probably the best route as opposed to desktop solutions.

In the meantime, as social engineering is still a key element in many of these attacks, security awareness will continue to grow in importance in order to combat this latest attack vector.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity Security Schools and, as a site expert, answers user questions on application security and platform security.

This was last published in March 2007
