Wrong. Day after day, millions of computers are attacked by malware. As the number of malicious software attacks has grown over the years, the number of malware detection and antivirus solutions has grown with it. Yet attackers keep the upper hand, because there is no protection against zero-day attacks, or against something that has just been invented. Malware developers use this to their advantage by leveraging heavy obfuscation techniques to veil the intended behavior of their software. Without deobfuscation, an antivirus solution can only detect the presence of obfuscation, not the actual malicious activity. Malware that cannot be detected by normal investigative response techniques can spread within an organization and do far more harm.
In this blog post we explore two key reasons why deobfuscation is necessary for malware detection:
Analyzing behavior isn’t practical:
Using a sandbox to analyze the behavior of a suspected malware sample is a valid idea, but it has several disadvantages. First, running automated malware analysis is costly and time consuming. Second, as the news shows, malware detectors themselves can have vulnerabilities that allow an attacker to take over the analysis system and the local environment. This was recently experienced with Windows Defender, when an unpatched exploit left most Windows PCs at risk for a short period of time. With step-by-step deobfuscation of malware, the analyzer can detect malicious behavior as soon as it is unveiled, without having to fear that the sample could infect the system.
Used alone, obfuscation isn’t enough:
Obfuscation has legitimate purposes. Looking at the code of one of the most popular web pages, www.google.de, we find heavily obfuscated JavaScript. Obfuscation is used not only to veil malware but also to protect company assets.
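Both points above, the step-by-step approach and the fact that obfuscation by itself proves nothing, can be shown on constructed JavaScript samples. The following is an added example, not code from the original post: each pass rewrites the source text without ever executing it, an indicator check runs after every pass, and the benign sample, although obfuscated the same way, yields no findings. The samples, the indicator list and the two passes are assumptions made for illustration.

```javascript
// Constructed sample (not real malware): an "eval" hidden behind fromCharCode
// and a property name split into concatenated string fragments.
const SAMPLE =
  'var f = String.fromCharCode(101,118,97,108); f("doc" + "ument" + ".coo" + "kie");';
// Constructed benign sample: obfuscated in the same way, but harmless.
const BENIGN = 'var g = String.fromCharCode(104,105); g("wor" + "ld");';

// Indicators a detector looks for in plain, unveiled source text (assumed list).
const INDICATORS = ['eval', 'document.cookie'];

function findIndicators(src) {
  return INDICATORS.filter((s) => src.includes(s));
}

// Pass 1: fold String.fromCharCode(<numbers>) into a string literal.
function foldFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(([\d,\s]+)\)/g, (_, nums) =>
    JSON.stringify(String.fromCharCode(...nums.split(',').map((n) => parseInt(n, 10))))
  );
}

// Pass 2: join adjacent double-quoted literals concatenated with '+', repeating
// until nothing changes so longer chains collapse completely.
function foldConcat(src) {
  const re = /"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g;
  let prev;
  do {
    prev = src;
    src = src.replace(re, (_, a, b) => JSON.stringify(a + b));
  } while (src !== prev);
  return src;
}

// Run the passes in order and check for indicators after each one, so that
// behaviour is reported as soon as a pass unveils it. The sample is only text
// here; it is never evaluated, so the analysis host cannot be infected by it.
function deobfuscate(src) {
  const passes = [['fromCharCode', foldFromCharCode], ['concat', foldConcat]];
  const findings = [];
  for (const [name, pass] of passes) {
    src = pass(src);
    findings.push({ pass: name, hits: findIndicators(src) });
  }
  return { source: src, findings };
}
```

Running `deobfuscate(SAMPLE)` reports `eval` after the first pass and `document.cookie` after the second, while `deobfuscate(BENIGN)` reports nothing: the obfuscation is identical, so only the unveiled behavior separates the two.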