The one-in-four occurrence rate of obfuscation puts a solid number to the growing ease with which attackers apply software-packing methods to their malicious code to make it harder to read and debug and, consequently, harder for cybersecurity tools to analyze and detect.
“It’s obviously a widely used technique, and it is so easy to do today. There are online services where you can put in your source code and the service will create obfuscated code,” Katz says. “It’s a challenge for us defenders because these are not text-based or hash-based files that we can easily find and detect. We have to do much more intensive work on them to better understand what really happened behind the scenes on these files.”
Katz will go more in-depth at SecTor 2021 about how his tooling aids the process, though his post this week highlights how similar four widely different payload samples look when they go through the same unique packer functionality.
While packers are not anything new, Katz believes they deserve continued observation and monitoring because they still work so well for adversaries — not only to evade detection but to buy the bad guys time during attacks, as methods for analyzing and detecting these files are traditionally time-consuming.
“Going over obfuscated code takes more computational resources and more human resources. In that sense, that can lead to longer life spans for these scams and higher success rates and more revenue for them,” he says.
This was the drive behind the creation of his tooling and why he believes it’s worth the look — with the caveat, of course, that like most detection methods in security, it’s no silver bullet. One of the interesting findings he plans to discuss in his presentation is the fact that obfuscation is not necessarily an automatic red flag for a website.
“Looking on the benign side of things, I was able to see that obfuscation is being used for legitimate websites. That surprised me a bit because I didn’t anticipate that,” he says, explaining that 0.5% of legitimate websites use the technique to hide code functionality on their sites.
Digging into these, he found that obfuscation is frequently used for a number of valid reasons, including to conceal client-side functionality, hide code developed by a third-party provider, or hide sensitive information like email addresses.
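The article's two points, that obfuscated files defeat simple text and hash matching and that obfuscation alone is not a verdict, can be illustrated with a small triage scorer. The following is an added example written for this page; it is not the article's code nor Akamai's tooling. It computes a few structural indicators (hex escapes, dynamic evaluation calls, hex-style identifiers, string-literal length, character entropy) over two constructed JavaScript snippets and turns them into a "queue for deeper analysis" signal rather than a malicious/benign label. The function names, the indicator set and every threshold are assumptions chosen for illustration.

```javascript
// Added example (not from the article or Akamai's tooling): a triage scorer
// for obfuscation indicators in a JavaScript sample. Thresholds are assumed.

// Shannon entropy in bits per character over the whole text.
function shannonEntropy(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const STRING_LITERAL = /(["'])(?:\\.|(?!\1).)*\1/g;

// Structural indicators that survive renaming and re-packing far better
// than a file hash does.
function obfuscationIndicators(source) {
  const len = Math.max(source.length, 1);
  const hexEscapes = (source.match(/\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g) || []).length;
  const dynamicEval = (source.match(/\b(eval|Function|unescape|atob)\s*\(/g) || []).length;
  const literals = source.match(STRING_LITERAL) || [];
  const longestString = literals.reduce((m, s) => Math.max(m, s.length), 0);
  // Identifiers are counted outside string literals so escape sequences
  // inside strings are not mistaken for names.
  const codeOnly = source.replace(STRING_LITERAL, '""');
  const identifiers = codeOnly.match(/\b[_$A-Za-z][_$A-Za-z0-9]*\b/g) || [];
  const hexLikeIds = identifiers.filter((id) => /^_0x[0-9a-f]+$/i.test(id)).length;
  return {
    entropy: shannonEntropy(source),
    hexEscapeDensity: hexEscapes / len,
    dynamicEval,
    longestStringLiteral: longestString,
    hexLikeIdentifierRatio: identifiers.length ? hexLikeIds / identifiers.length : 0,
  };
}

// Each indicator contributes one point; thresholds are illustrative guesses.
function obfuscationScore(source) {
  const ind = obfuscationIndicators(source);
  let score = 0;
  if (ind.entropy > 5.0) score += 1;
  if (ind.hexEscapeDensity > 0.02) score += 1;
  if (ind.dynamicEval > 0) score += 1;
  if (ind.longestStringLiteral > 200) score += 1;
  if (ind.hexLikeIdentifierRatio > 0.2) score += 1;
  return { score, indicators: ind };
}

// Obfuscation is a reason to look closer, not a verdict: legitimate sites
// obfuscate too, so the output is a triage label, not "malicious".
function triage(source) {
  const { score } = obfuscationScore(source);
  return score >= 3 ? "obfuscated: queue for deeper analysis" : "plain: no obfuscation indicators";
}

// Constructed benign sample: ordinary page script.
const BENIGN_SAMPLE = `
function formatPrice(amount, currency) {
  const value = Number(amount).toFixed(2);
  return currency + " " + value;
}
document.querySelectorAll(".price").forEach(function (el) {
  el.textContent = formatPrice(el.dataset.amount, "USD");
});
`;

// Constructed sample mimicking a common packer style (hex-named identifiers,
// rotated string array, escaped strings, eval/unescape). It is inert text.
const OBFUSCATED_SAMPLE = String.raw`var _0x4f2a=["\x6c\x6f\x67","\x48\x65\x6c\x6c\x6f"];(function(_0x1c3d,_0x5e7f){var _0x2b9a=function(_0x3c4d){while(--_0x3c4d){_0x1c3d["push"](_0x1c3d["shift"]());}};_0x2b9a(++_0x5e7f);}(_0x4f2a,0x1a3));eval(unescape("%63%6f%6e%73%6f%6c%65")+"."+_0x4f2a[0]+"(\"\x48\x69\")");`;

console.log("benign:", triage(BENIGN_SAMPLE), obfuscationScore(BENIGN_SAMPLE).score);
console.log("obfuscated:", triage(OBFUSCATED_SAMPLE), obfuscationScore(OBFUSCATED_SAMPLE).score);
```

The score is deliberately coarse: it tells an analyst which files deserve the "much more intensive work" Katz describes, and nothing more. A site that scores high may simply be protecting third-party code or hiding an e-mail address, so the label feeds a review queue rather than a block list.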