The one-in-four incidence rate of obfuscation puts a solid number on the growing ease with which attackers apply software-packing techniques to their malicious code to make it harder to read, debug, and, consequently, to analyze and detect with cybersecurity tools.
“It is clearly a widely used technique, and it’s so easy to do today. There are online services where you can put in your source code and the service will create obfuscated code,” Katz says. “It is a challenge for us defenders because these are not text-based or hash-based files that we can easily find and detect. We have to do much more intensive work on them to better understand what really happened behind the scenes in these files.”
Katz will go more in-depth at SecTor 2021 about how his tooling aids the process, though his post this week highlights how similar four widely different payload samples look once they go through the same unique packer functionality.
While packers are nothing new, Katz believes they deserve continued observation and monitoring because they still work so well for adversaries — not only to evade detection but to buy the bad guys time during attacks, as methods for analyzing and detecting these files are traditionally time-consuming.
“Going over obfuscated code takes more computational resources and more human resources. In that sense, that can lead to longer life spans for these scams and higher success rates and more revenue for them,” he says.
This was the drive behind the creation of his tooling and why he believes it is worth a look — with the caveat, of course, that like most detection methods in security, it is no silver bullet. One of the interesting findings he plans to discuss in his presentation is the fact that obfuscation is not necessarily an automatic red flag for a website.
“Looking at the benign side of things, I was able to see that obfuscation is being used for legitimate websites. That surprised me a bit because I didn’t expect that,” he says, explaining that 0.5% of legitimate websites use the technique to hide code functionality on their sites.
Digging into these, he found that obfuscation is frequently used for a number of valid reasons, including to conceal client-side functionality, hide code developed by a third-party vendor, or hide sensitive information like email addresses.
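As an added illustration of the defender's problem Katz describes above (obfuscated scripts defeat hash- and text-based matching, yet benign sites obfuscate too), here is a small Python heuristic that is not part of the article or of Katz's tooling: it scores a script on cheap static features so an analyst can decide which samples deserve the more intensive analysis he mentions. The two sample scripts and the thresholds are constructed assumptions, not published values.

```python
import math
import re

# Constructed samples (not from the article): a readable script and an
# obfuscated one in the style a JavaScript packer or obfuscation service emits.
PLAIN_JS = """
function greet(name) {
  var message = "Hello, " + name;
  console.log(message);
}
greet("world");
"""
OBFUSCATED_JS = (
    "var _0x4f2a=['\\x48\\x65\\x6c\\x6c\\x6f\\x2c\\x20','\\x6c\\x6f\\x67'];"
    "(function(_0x1b3c,_0x2d4e){var _0x3e5f=function(_0x4f60){while(--_0x4f60)"
    "{_0x1b3c['push'](_0x1b3c['shift']());}};_0x3e5f(++_0x2d4e);}(_0x4f2a,0x1a3));"
    "eval(unescape('%66%75%6e%63%74%69%6f%6e%20%67%28%29%7b%7d'));"
)

def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encoded text sits well above plain source."""
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def obfuscation_indicators(js: str) -> dict:
    """Cheap static features that survive where hashes and plain-text signatures fail."""
    # Drop \xNN, %NN and bare hex literals so they are not counted as identifiers.
    cleaned = re.sub(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}|\b0x[0-9a-fA-F]+\b", " ", js)
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", cleaned)
    hex_names = [t for t in tokens if re.fullmatch(r"_0x[0-9a-fA-F]+", t)]
    return {
        "entropy": round(shannon_entropy(js), 2),
        "hex_identifier_ratio": round(len(hex_names) / max(len(tokens), 1), 2),
        "escape_sequences": len(re.findall(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}", js)),
        "dynamic_eval": bool(re.search(r"\b(eval|Function|unescape|atob)\s*\(", js)),
        "longest_line": max(len(line) for line in js.splitlines() or [""]),
    }

def obfuscation_score(js: str) -> int:
    """Indicators tripped (0-5): a triage signal for deeper analysis, not a verdict."""
    f = obfuscation_indicators(js)
    return sum([  # thresholds are assumed starting points, not published values
        f["entropy"] > 5.0,
        f["hex_identifier_ratio"] > 0.2,
        f["escape_sequences"] >= 4,
        f["dynamic_eval"],
        f["longest_line"] > 200,
    ])
```

Because the article notes that legitimate sites also obfuscate, a high score should route a sample to analysis rather than block it outright.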