Obfuscation techniques for Malwares

O

An obfuscation technique (also called Polymorphism) is a way of constructing a malware that make it more difficult to detect. If a malware is hard to detect, it is likely to spread more widely.

The following are commonly used obfuscation techniques:

  • Self-Encryption and Self-Decryption. Some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination. Viruses that employ encryption might use multiple layers of encryption or randomcryptographic keys, which make each instance of the virus appear to be different, even though the underlying codeis the same.
  • Polymorphism. Polymorphism is a particularly robust form of self-encryption. A polymorphic virus generally makes several changes to the default encryption settings, as well as altering the decryption code. In a polymorphic virus, the content of the underlying virus code body does not change; encryption alters its appearance only.
  • Metamorphism. The idea behind metamorphism is to alter the content of the virus itself, rather than hiding the content with encryption. The virus can be altered in several ways — for example, by adding unneeded codesequences to the source code or changing the sequence of pieces of the source code. The altered code is thenrecompiled to create a virus executable that looks fundamentally different from the original.
  • Stealth. A stealth virus uses various techniques to conceal the characteristics of an infection. For example, many stealth viruses interfere with operating system file listings so that the reported file sizes reflect the original values and do not include the size of the virus added to each infected file.
  • Armoring. The intent of armoring is to write a virus so that it attempts to prevent anti-virus software or human experts from analyzing the virus’s functions through disassembly, traces, and other means.
  • Tunneling. A virus that employs tunneling inserts itself into a low level of the operating system so that it can intercept low-level operating system calls. By placing itself below the anti-virus software, the virus attempts to manipulate the operating system to prevent detection by anti-virus software.

Anti-virus software vendors design their products to attempt to compensate for the use of any combination of obfuscation techniques. Older obfuscation techniques, including self-encryption, polymorphism, and stealth, are generally handled effectively by anti-virus software. However, newer, more complex obfuscation techniques, such as metamorphism, are still emerging and can be considerably more difficult for anti-virus software to overcome.

Disclaimer: The present content may not be used for training artificial intelligence or machine learning algorithms. All other uses, including search, entertainment, and commercial use, are permitted.

Categories

Tags