Obfuscation

Obfuscation is the process of making code or data harder to understand, usually to protect intellectual property or to prevent reverse engineering.

Packers

This usually is short for “runtime packers” which are also known as "self-extracting archives". Software that unpacks itself in memory when the “packed file” is executed. Sometimes this technique is also called “executable compression”. This type of compression was invented to make files smaller. So users wouldn't have to unpack them manually before they could be executed. But given the current size of portable media and internet speeds, the need for smaller files is not that urgent anymore. So when you see some packers being used nowadays, it is almost always for malicious purposes. In essence to make reverse engineering more difficult, with the added benefit of a smaller footprint on the infected machine.

Crypters

The crudest technique for crypters is usually called obfuscation. A more elaborate blog post on that is Obfuscation: Malware’s best friend. Obfuscation is also used often in scripts, like javascripts and vbscripts. But most of the time these are not very hard to bypass or de-obfuscate. More complex methods use actual encryption. Most crypters do not only encrypt the file, but the crypter software offers the user many other options to make the hidden executable as hard to detect by security vendors as possible The same is true for some packers. An in-depth analysis of one crypter (as an example) can be found in our blog post Malware Crypters – the Deceptive First Layer. Another thing you will find in that post is the expression FUD (Fully Undetectable) which is the ultimate goal for malware authors. Being able to go undetected by any security vendor is the holy grail for malware authors. But if they can go undetected for a while and then easily change their files again once they are detected, they will settle for that.

Protectors

A protector in this context is software that is intended to prevent tampering and reverse engineering of programs. The methods used can, and usually will, include both packing and encrypting. That combination plus some added features makes what is usually referred to as a protector. So a researcher will be faced with protective layers around the payload, making reverse engineering difficult.

A completely different approach, which also falls under the umbrella of protectors, is code virtualization, which uses a customized and different virtual instruction set every time you use it to protect your application. Of these protectors there are professional versions that are used in the gaming industry against piracy. But the technique itself has also made its way into malware, more specifically ransomware. Which enables ransomware that doesn’t need a C&C server to communicate the encryption key. The protection is so efficient that the encryption key can be hardcoded into the ransomware. An example is Locky Bart that uses WProtect, an open-source code-virtualization project.

Comprehensive Catalog of Code Obfuscation Techniques

Logic/Control Flow Obfuscation:

Modifies the control flow structure of the program to make it more complex and harder to follow.

NOP Obfuscation:

Involves inserting a large number of "no-operation" instructions to introduce noise and complicate code analysis.

Anti-Disassemblers Obfuscation:

Adds code specifically designed to confuse or thwart disassemblers or decompilers, making reverse engineering more difficult.

Trampolines Obfuscation:

Adds small pieces of code (trampolines) to obscure the control flow of the program, making it more challenging to analyze.

Instruction Permutations:

Involves changing the order or structure of individual instructions to make it harder to identify important parts of the code.

Code Obfuscation:

Modifies the source code to make it harder to understand, often by renaming variables, changing statement order, or adding meaningless code.

Data Obfuscation:

Encodes or encrypts data to make it difficult to read or understand, for example, converting text into numbers or symbols.

Anti-Debugging Obfuscation:

Adds code to detect and resist debugging attempts, making it more challenging for analysts to understand the program's behavior.

String Obfuscation:

Converts strings of text into different formats to make them harder to recognize, such as splitting them into smaller strings or using custom algorithms.

Runtime Obfuscation:

Involves changing code or data during runtime, adding complexity to analysis or modification attempts. For example, using self-modifying code or encrypting data on the fly.

Tools and Resrouces

• Awesome Code Obfuscation

• Obfuscator.io

• Deobfuscate.io

• Beginners Guide to Obfuscation

• Email Obfuscation

• PyOb (Python Obfuscator)

• PyArmor

• AMSI.Fail

• Invoke-Obfuscation

• Invoke-Stealth

• Chimera

• PHP Minify - PHP Obfuscator

• PHP Minify - JavaScript Obfuscator

• Picheta.me Obfuscator

• Obfuscar

• Deobfuscate.relative.im

• WillNode Deobfuscator

• InvisibilityCloak

• PyFuscation