Introduction
Obfuscation is the new ‘sexy’ in all things having to do with security these days. Thank God for that, as I thought people would never stop talking about PCI! Take a look at the news and you will see ample examples which point out Adobe’s ActionScript and JavaScript in this context. It seems that everyone (even those who ought not to) is commenting on ‘obfuscation’, ‘obfuscated code’ and ‘obfuscated attacks’ ad nauseam, so what is all the noise about?
Obfuscation: One Shot, Many Kills
For regular readers of this blog, I sincerely doubt that obfuscation is a new concept. However, in the event you are new to this blog and to the concept of obfuscated attacks, here is a very short précis:
- Many times programmers feel the need to safeguard the posture and state of their code
- This need is often driven by the desire to conceal the existence and/or purpose of said code in its entirety from all parties not connected to it
- Doing so allows the programmer to keep any activity related to said code on a ‘need to know’ basis
- Furthermore, obfuscation enables programmers to mitigate the risks associated with reverse engineering by third parties
- Obfuscation can be achieved manually or via programs known as (are you ready for this) obfuscators
- These tools employ an assortment of techniques to achieve the mission of obfuscation.
The end game is a piece of code whose logic is purposefully complex and hard to follow; provided proper obfuscation has occurred, its syntax will be unclear at best. For the purposes of this blog, obfuscation will remain a mechanism to veil attacks. Through the process of obfuscation, the appearance of the malicious code in question morphs, allowing it to evade detection. Various tools used within the underground, such as IcePack and MPack, support this functionality. When encountered in the milieu of a spear phishing campaign, malicious code and content obfuscated in such a manner can introduce an unprecedented amount of risk into an enterprise. Such was the case during the ZeuS botnet and Kneber ZeuS attacks noted in the report generated by NetWitness.
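As an added example (not code from the original post), here is a small heuristic scanner of the kind the automated forensics tools discussed below rely on: it scores script text for common obfuscation markers such as eval/unescape wrappers, fromCharCode calls, long encoded runs and high entropy. The indicator weights, the thresholds and both sample scripts are constructed assumptions, not tuned values.

```python
import math
import re
from collections import Counter

# Heuristic indicators of obfuscated script content; weights and thresholds are illustrative assumptions.
INDICATORS = [
    ("eval call", r"\beval\s*\(", 2.0),
    ("unescape call", r"\bunescape\s*\(", 2.0),
    ("fromCharCode", r"String\.fromCharCode", 2.0),
    ("hex-escape run", r"(?:\\x[0-9a-fA-F]{2}){8,}", 2.0),
    ("url-encoded run", r"(?:%[0-9a-fA-F]{2}){8,}", 2.0),
]
SUSPICIOUS_THRESHOLD = 4.0

def shannon_entropy(text):
    """Bits of entropy per character; encoded blobs push this upward."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if text else 0.0

def longest_string_literal(text):
    """Length of the longest quoted literal; obfuscators tend to hide payloads in them."""
    pattern = r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\""
    return max((len(m.group(0)) for m in re.finditer(pattern, text)), default=0)

def score_script(text):
    """Return a score, the indicators that fired, and a verdict for one script."""
    score, hits = 0.0, []
    for name, regex, weight in INDICATORS:
        count = len(re.findall(regex, text))
        if count:
            score += weight * min(count, 3)  # cap so one pattern cannot dominate
            hits.append(name)
    if longest_string_literal(text) >= 200:
        score += 2.0
        hits.append("long string literal")
    entropy = shannon_entropy(text)
    if entropy > 5.5:
        score += 1.0
        hits.append("high entropy")
    return {"score": score, "entropy": round(entropy, 2), "indicators": hits,
            "suspicious": score >= SUSPICIOUS_THRESHOLD}

# Constructed samples: ordinary code versus a fromCharCode/unescape wrapper (benign text inside).
BENIGN = "function greet(name) { return 'Hello, ' + name + '!'; }\nconsole.log(greet('world'));"
OBFUSCATED = ("eval(String.fromCharCode(72,101,108,108,111) + "
              "unescape('%20%77%6f%72%6c%64%20%66%72%6f%6d%20%6a%73'));")

if __name__ == "__main__":
    print(score_script(BENIGN), score_script(OBFUSCATED), sep="\n")
```

Heuristics like these raise a flag for analysts rather than deliver a verdict; a packed but legitimate library will also score, so tune the weights against your own traffic.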
An Ounce of Prevention is Worth a Pound of Cure
There is no easy answer for combating obfuscated code, though as Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure”. With this in mind, we can take measures to minimize our exposure to such threats, and thus mitigate the risk they present, by following a course such as the one defined below:
- Make every attempt possible to be aware of what is occurring throughout your enterprise from layers 2 through 7
- Seek out authoritative answers to questions related to security, or to anomalous behavior seen and identified within your enterprise, no matter how intricate
- Strive to achieve 24x7x365 real-time situational awareness with respect to your enterprise and the geographic locations your business is active within
- Adopt and build upon the precision and detail provided by automated network- and host-based forensics tools
- Endeavor to integrate open and commercial threat intelligence sources in order to provide clarity and necessary detail to your enterprise risk decision makers
- Select and deploy a robust, feature-rich, agile threat mitigation solution which can aid in combating new and emerging threats as they manifest
For more information on obfuscation, obfuscated code and mitigation, please review the following:
HP DVLabs 2010 Top Cyber Security Risks Report
M86 Security Labs write-up on code obfuscation
Nice write-up by WebSense on the similarities between email and web attacks
