What is obfuscation?

On its own, the term obfuscation broadly refers to the act of making any information more obscure or difficult to understand. If, for example, the subject of a live TV interview was giving convoluted, roundabout answers to clearly stated questions, we might say that this subject was using obfuscation techniques to throw off the interviewer’s efforts to uncover important information.

Context is critical for understanding if obfuscation has innocent or malicious intentions. In the above example, the interview subject’s reasons for obfuscating information could be innocent (e.g., to protect information about the subject’s personal life from leaking to the public), and they could also be malicious (e.g., to mask incriminating information from coming out to the public).

What is code obfuscation?

The obfuscation of code follows a similar logic. Code obfuscation is the act of making any piece of code more difficult to read, understand, and reverse engineer by external persons or programs.

While code obfuscation is commonly used for legitimate, innocent purposes – such as making a software product’s program code more difficult for industry competitors or cyber criminals to reverse engineer – it’s also frequently used by malware authors as a way of making malicious programs more difficult for antivirus solutions to detect.

Why do malware authors obfuscate malicious code?

The effective obfuscation of malicious code simply makes it difficult for antivirus software and/or security administrators to determine the purpose of that code. Not only does this help obscure malware properties from traditional signature-based methods, but it also helps throw off predictive detection methods that attempt to identify malware by analyzing the underlying program’s intended behavior.

Obfuscated malicious code might not be readable at all, or it might just be too immensely resource intensive for a person or program to realistically deobfuscate. For example, a comprehensive obfuscation technique like ROT-13 can be used to completely substitute code for random characters, while a more convoluted obfuscation technique like XOR can be used to encrypt code in a way that's only legible to a well-trained eye. These techniques make code obfuscation an effective method for reusing established, normally recognizable malware strains in new cyber-attacks.

For a sophisticated malware author, obfuscating unique, custom-built malicious scripts and executables (i.e., indented for use in a targeted cyber-attack) tends to require minimal effort while significantly increasing their chances of successfully bypassing antivirus software. These disguised scripts and executables can be polymorphic, come in many diverse types, and cover a large potential attack surface. They can root an entire system, crash a system, or generate high latency events (e.g., Denial of Service).

In one relatively recent & prominent real-world example, a reputable IT Infrastructure Management Software company was breached by a complex, clandestine cyber-attack in which well obfuscated malware was used to create a backdoor in software updates for the company’s core platform. The attack wasn’t discovered for more than a year when platform users began downloading malware-infected platform updates.

How can obfuscated threats be averted?

While there’s no silver bullet solution for detecting effectively obfuscated malware, many attacks involving obfuscation methods can be averted by incorporating shrewd content restrictions at vulnerable entry points to our system.

Rather than attempt to scan executable files or script files for malicious programs, for example, we can simply restrict executables and scripts from entering our system altogether, thus avoiding the risk that these files might contain obfuscated malicious programs. This is particularly effective in scenarios where those file types are unnecessary or irrelevant to begin with.

Avoiding obfuscated threats with the Cloudmersive Virus Scan API

The advanced iteration of the Cloudmersive Virus Scan API performs a dynamic, thorough malware scan while simultaneously offering a variety of no-nonsense content restriction parameters to help security administrators avoid obfuscated content threats.

Using minimal, ready-to-run code examples or a no-code Cloudmersive account management portal, security administrators can set custom restrictions against executables, macros, invalid files, scripts, unsafe archives, password-protected files, and more. In addition, administrators can elect to whitelist acceptable file types and block all files that fail to pass rigorous content verification checks against that list. All files are verified in-depth against the extension they present, ensuring invalid and/or spoofed malicious files can’t enter a system undetected.

For more information about content scanning with the Cloudmersive Virus Scan API, please do not hesitate to reach out to a member of our sales team.