Code Obfuscation

Dynamic code obfuscation techniques are used by cybercriminals in their constant battle of wits against security vendors. In response to security vendors’ efforts to detect encrypted malicious code, these criminals developed dynamic code obfuscation techniques, which scramble the malicious code differently each time a new visitor enters the malicious website.

While code obfuscation has been around for some time, dynamic code obfuscation has reached a new level of sophistication and prevalence "in the wild". It has become a favorite weapon for propagating malicious code because of its effectiveness in bypassing traditional signature-based solutions. Dynamic code obfuscation, automated code obfuscation utilities and other encoding methods enable cybercriminals to plant "invisible" malicious code that infects a user’s machine as soon as the user visits the malicious site.

The widespread proliferation of dynamic code obfuscation was clearly illustrated in an analysis conducted by M86 Security Labs in 2007. In this analysis of live end-user traffic in the UK (covering more than 10 million unique URLs), M86 found that over 80% of the detected malicious code was obfuscated in an attempt to evade signature-based products such as Anti-Virus, IDS/IPS and URL filtering.

Sophisticated Ploy to Evade Signature-based Security Tools

One of the earlier methods used by security vendors to detect malicious code was lexical analysis, which screens code and identifies "tokens" that perform malicious actions (e.g., delete file, access registry). Once cybercriminals became aware of this security method, they began to hide (obfuscate) the malicious code using encryption, string concatenation and other methods. To Anti-Virus scanners, the obfuscated code appears as no more than a random set of benign characters, and therefore cannot be detected. The malicious actions only become apparent after the code is decoded upon execution.

In order to detect obfuscated code, Anti-Virus vendors developed a signature known as "js/wonka" that would generically detect static web pages that contain a certain functionality for obfuscating scripts that may have malicious intent. The response to this defensive strategy was dynamic obfuscation techniques. In other words, each visitor to a malicious site will receive a different instance of the obfuscated malicious code, based on random functions and parameter name changes, etc. Theoretically, a signature-based security solution would need millions of signatures just to detect the existence of this particular piece of malicious code and to block it. As a result, dynamic code obfuscation "revived" a plethora of older attacks that can now be obfuscated and reused to bypass anti-virus systems on unpatched PCs.

Consider the following example of dynamically obfuscated malicious code, as detected "in the wild" by M86 Security Labs researchers on a Russian website. As soon as the user enters this website, the script decodes the obfuscated malicious code and executes it without any user intervention.

[Figure 1 - Obfuscated code on Russian website]

Anyone familiar with the JavaScript language will notice that the function and parameter names are random. This type of attack easily bypasses signature-based solutions, which are simply not capable of handling the infinite number of possibilities when trying to detect obfuscated code. The decrypted code appears in Figure 2.
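The following added example (not M86 code) illustrates why identifier renaming defeats a byte-exact signature and what a gateway-side inspector can do instead: it tokenises two constructed variants of the same script (a harmless alert, served with different random names, as described above), normalises the author-chosen identifiers away so both variants yield one structural fingerprint, and lists the built-ins the script actually calls. The samples, the keyword list and the fingerprinting scheme are assumptions made for this illustration.

```python
import hashlib
import re

# Two constructed samples of one obfuscated script, as a site using dynamic
# obfuscation would serve it to two different visitors: same logic, but the
# function and parameter names are freshly randomised for each visitor.
# The decoded payload is a harmless alert(1).
SAMPLE_A = ("function qzk(a9x){return unescape(a9x);}"
            "var t1=qzk('%61%6c%65%72%74');eval(t1+'(1)');")
SAMPLE_B = ("function m4p(ju7){return unescape(ju7);}"
            "var r8=m4p('%61%6c%65%72%74');eval(r8+'(1)');")

# Built-ins whose invocation is worth flagging (the "tokens" of lexical analysis).
SUSPICIOUS = {"eval", "unescape", "Function"}
# Names that must survive normalisation: a few JavaScript keywords plus the built-ins.
KEEP = {"function", "return", "var", "if", "else", "new", "this"} | SUSPICIOUS
TOKEN_RE = re.compile(r"[A-Za-z_$][\w$]*|'[^']*'|\"[^\"]*\"|\S")

def tokens(src):
    return TOKEN_RE.findall(src)

def normalize(src):
    """Token stream with every author-chosen identifier replaced by ID0, ID1, ...
    in order of first appearance, so renaming no longer changes the result."""
    names, out = {}, []
    for tok in tokens(src):
        if tok in KEEP or not re.match(r"[A-Za-z_$]", tok):
            out.append(tok)          # keyword, flagged built-in, literal or punctuation
        else:
            out.append(names.setdefault(tok, f"ID{len(names)}"))
    return " ".join(out)

def signature(src):
    """What a byte-exact signature sees: differs for every served variant."""
    return hashlib.sha256(src.encode()).hexdigest()

def structural_fingerprint(src):
    """Hash of the normalised stream: identical across renamed variants."""
    return hashlib.sha256(normalize(src).encode()).hexdigest()

def suspicious_calls(src):
    """Flagged built-ins that are actually invoked, in source order."""
    toks = tokens(src)
    return [t for t, nxt in zip(toks, toks[1:]) if t in SUSPICIOUS and nxt == "("]

if __name__ == "__main__":
    print("byte signatures match:", signature(SAMPLE_A) == signature(SAMPLE_B))
    print("structural fingerprints match:",
          structural_fingerprint(SAMPLE_A) == structural_fingerprint(SAMPLE_B))
    print("suspicious calls:", suspicious_calls(SAMPLE_A))
```

String literals and their encoding are left untouched here; a real inspector would also have to decode them or execute the script in a sandbox to see the intent the page describes.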

[Figure 2 - Decoded example of malicious code on Russian website]

Real-Time Code Inspection Addresses Dynamic Web Threats

The only way to stop dynamically obfuscated code and similar types of advanced hacking techniques is to analyze and understand the code embedded within web content in real time before it reaches the end users (active real-time content inspection).

Proactive, behavior-based security performs in-depth analysis of each and every piece of content, regardless of its original source. This analysis breaks the code into parts and determines what the code intends to do before it does it. As a result, these solutions can identify code that is about to perform a malicious or suspicious operation and block it at the perimeter, rather than allowing it to enter the network and relying on desktop security.

Read more about code obfuscation in the M86 Security Labs Web Security Trends Reports.

Read about our secure web gateway.