Saturday, February 17, 2007

Dynamic Code Obfuscation

Yet another way for malicious software to spawn, spread and infect.

According to Finjan, Dynamic Code Obfuscation (DCO) also known as Dynamic Code Mutation is "A method for hackers to place malicious software onto computers, keeping the code hidden from antivirus software. Infected computers contain software with a unique set of functions and parameter names. Since the code exists differently on each infected machine, antivirus vendors cannot issue a single virus signature to disrupt the malicious code."

What does this mean in practical terms? Let's pretend I wanted to write a virus (I don't, but play along). I would write something like the following. I'll use C here, although JavaScript appears to be the leading language for self-obfuscating code:



/* The 'virus': a function whose name is the telltale string
   an antivirus signature could be written to match on. */
void malicious_function_that_will_delete_files(void)
{
    /* do something evil... */
}

int main(void)
{
    malicious_function_that_will_delete_files();
    return 0;
}



Now, to defeat this 'virus', an antivirus (AV) vendor such as Symantec (Norton AntiVirus), McAfee (VirusScan Plus) or AVG (Anti-Virus) would need to create a definition file, push it to my AV software's database in the next online update, and have the scanner look in files for the character string malicious_function_that_will_delete_files();. (In a compiled binary the function name only survives as a symbol, and a real signature is a distinctive byte sequence rather than a source string, but the principle is the same: the signature is a fixed pattern the vendor picks after seeing a sample.)

Now, no self-respecting virus author (oxymoron?) would write a virus like this, because an AV product could easily scan a file for the telltale signature malicious_function_that_will_delete_files(); and quarantine the program.

What DCO brings to the table is the ability for the software to mutate, like a biological virus, in an attempt to avoid detection. Imagine that the same 'virus' written above could mutate into:


/* The same program after one mutation: the telltale name has been
   replaced by a generated one, so the old string signature no longer matches. */
void ed83ff2005016de843553f10e65ce617(void)
{
    /* do something evil */
}

int main(void)
{
    ed83ff2005016de843553f10e65ce617();
    return 0;
}


and ship this new version from your infected computer to another computer on your network, with every copy carrying a different, freshly generated name.

The AV with an outdated definition file is now defeated: it is looking for the character string malicious_function_that_will_delete_files(); and would now also have to scan files for ed83ff2005016de843553f10e65ce617(); and, since every copy is different, for every other name the code will ever generate. One signature per variant cannot keep up.

What is needed, and is available, is behavioural code analysis antivirus software, which looks at what the code does rather than at what it is named. However, the cost of running this new type of behavioural analysis is speed. It takes CPU cycles and delays packets being sent out over the wire. Will most 'normal' users notice this? Perhaps not. Those of us who make a living writing high-performance, low-latency networked applications will feel the impact.
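As an added illustration of the point made above (this is example code written for this post's argument, not code from the original post or from Finjan), the Python script below plays both sides. A `mutate()` step renames the toy virus's function to a hash derived from a per-host seed, the way DCO gives every infected machine a unique copy; a `signature_scan()` keyed on the original name catches the original but misses every mutant; and a `behaviour_scan()` that keys on the file-deletion call the payload has to make, rather than on the name the author chose, catches all of them. The payload text, the seeds, the `f_` prefix and the regular expressions are all assumptions constructed for the example, and the behaviour check is a deliberately simplified static stand-in for the runtime analysis a real behavioural AV engine performs.

```python
"""
Toy demonstration of Dynamic Code Obfuscation versus two kinds of detection.
Added example, not code from the original post. The payload below is a
constructed sample based on the post's C snippet, with a concrete file-deletion
call filled in so that a behaviour-style check has something to key on.
"""
import hashlib
import re

# Constructed sample payload: the post's toy virus, with remove() standing in
# for "do something evil". It is never compiled or executed here; it is only
# text that the mutator rewrites and the scanners inspect.
ORIGINAL_PAYLOAD = """\
void malicious_function_that_will_delete_files(void)
{
    remove("important.dat");   /* do something evil */
}

int main(void)
{
    malicious_function_that_will_delete_files();
    return 0;
}
"""

# A string signature of the kind the post describes: the author-chosen name.
SIGNATURES = ["malicious_function_that_will_delete_files();"]

# Matches the name in a C function definition such as "void name(void)".
# Assumption: the toy payload only uses these return types.
FUNC_DEF = re.compile(r"^\s*(?:void|int|char|long)\s+\*?(\w+)\s*\(", re.MULTILINE)

# Names the mutator must leave alone; renaming main() would break the program.
RESERVED = {"main"}

# APIs a file-deleting payload has to call whatever it names its own functions.
# A behaviour-style check keys on these operations, not on arbitrary identifiers.
DELETE_CALL = re.compile(r"\b(?:remove|unlink)\s*\(")


def mutate(src: str, seed: str) -> str:
    """Rename every user-defined function to a seed-derived hash (the DCO step).

    A different seed (per infected host, per download, ...) yields a different
    copy, so no two copies share the identifier a string signature matches on.
    """
    names = [n for n in FUNC_DEF.findall(src) if n not in RESERVED]
    out = src
    for name in names:
        digest = hashlib.md5(f"{seed}:{name}".encode()).hexdigest()
        # Prefix with a letter so the result is always a legal C identifier
        # (a bare hex digest may start with a digit). The prefix is an assumption.
        new_name = "f_" + digest
        out = re.sub(rf"\b{re.escape(name)}\b", new_name, out)
    return out


def signature_scan(src: str, signatures) -> bool:
    """Classic definition-file check: does any known string appear in the file?"""
    return any(sig in src for sig in signatures)


def behaviour_scan(src: str) -> bool:
    """Simplified stand-in for behavioural analysis: flag the dangerous operation."""
    return DELETE_CALL.search(src) is not None


def compare(seed_a: str = "host-a", seed_b: str = "host-b") -> dict:
    """Run both scanners over the original payload and two mutated copies."""
    copy_a = mutate(ORIGINAL_PAYLOAD, seed_a)
    copy_b = mutate(ORIGINAL_PAYLOAD, seed_b)
    return {
        "signature_catches_original": signature_scan(ORIGINAL_PAYLOAD, SIGNATURES),
        "signature_catches_mutant": signature_scan(copy_a, SIGNATURES),
        "copies_identical": copy_a == copy_b,
        "behaviour_catches_original": behaviour_scan(ORIGINAL_PAYLOAD),
        "behaviour_catches_mutants": behaviour_scan(copy_a) and behaviour_scan(copy_b),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
    print(mutate(ORIGINAL_PAYLOAD, "host-a"))
```

Run it directly to print the comparison and one mutated copy. The string signature is matched by the original and by nothing else, the two mutants differ from each other, and the operation-based check fires on all three; that asymmetry is the whole reason a signature per variant loses to a check on behaviour.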

Do we need better antivirus software, better desktop operating systems or better hardware (routers, switches, etc)?
