1
00:00:00,570 --> 00:00:05,420
Obfuscation is the process of hiding or masking meaningful information.

2
00:00:06,700 --> 00:00:11,290
In binaries, obfuscation makes it harder to understand the program.

3
00:00:12,890 --> 00:00:15,020
Here is how a typical binary would look.

4
00:00:16,020 --> 00:00:22,440
As you notice, you still see a few meaningful words which can be used to work out the functions of a malware.

5
00:00:23,760 --> 00:00:28,110
But when the same binary is obfuscated, it would look something like this.

6
00:00:29,130 --> 00:00:30,060
And we now notice

7
00:00:30,060 --> 00:00:32,640
it is impossible to understand what has been written.

8
00:00:34,390 --> 00:00:39,550
Why do malware authors want to obfuscate their malware file?

9
00:00:40,790 --> 00:00:45,800
The main purpose is to make the detection and analysis of the malware difficult.

10
00:00:46,860 --> 00:00:55,410
Obfuscation also delays the process of malware analysis, thereby giving the malware author more time to do

11
00:00:55,560 --> 00:00:58,830
the damage or spread to more machines before being stopped.

12
00:01:00,100 --> 00:01:06,330
Sometimes the whole of the file will be obfuscated, and in some cases only a part of the file, like

13
00:01:06,350 --> 00:01:08,470
the .text section, can be obfuscated.

14
00:01:09,610 --> 00:01:13,060
There are different methods used by attackers to obfuscate the malware.

15
00:01:13,750 --> 00:01:15,250
A few of them are discussed here.

16
00:01:17,240 --> 00:01:23,600
The first method is packers. A packer is a piece of software used to compress the binary file.

17
00:01:24,790 --> 00:01:28,860
The file unpacks itself when the program is executed.

18
00:01:30,580 --> 00:01:34,400
One should understand that packers were not developed for malicious purposes.

19
00:01:35,080 --> 00:01:38,200
They were used to make an executable file's size smaller.

20
00:01:39,370 --> 00:01:45,160
Packers are used by malware authors to avoid detection and delay the analysis.
21
00:01:46,340 --> 00:01:50,720
Packers are also called runtime packers or self-extracting archives.

22
00:01:52,110 --> 00:01:58,920
In the image, you would see how a binary file with a PE header and a section undergoes packing, and the

23
00:01:58,920 --> 00:02:06,420
packed file will have a brand new PE header and a decompression stub which holds the instructions to unpack

24
00:02:06,480 --> 00:02:08,460
the malware while executing.

25
00:02:10,240 --> 00:02:18,310
A few of the popular packers include UPX, which stands for Ultimate Packer for eXecutables, EXE Stealth,

26
00:02:19,280 --> 00:02:20,270
PESpin,

27
00:02:21,660 --> 00:02:23,550
Obsidium, etc.

28
00:02:26,500 --> 00:02:34,120
The next technique is polymorphic or metamorphic malware. Most malware uses encryption to avoid being

29
00:02:34,120 --> 00:02:35,620
detected by antivirus scanning.

30
00:02:35,620 --> 00:02:40,720
The instructions to decrypt the malware will be in the decrypter.

31
00:02:42,040 --> 00:02:48,700
In polymorphic malware, the malware constantly changes its identifiable features to evade detection.

32
00:02:49,680 --> 00:02:55,920
However, it keeps changing only one part of the malware; for example, it could be the decrypter.

33
00:02:57,840 --> 00:03:04,680
However, in metamorphic malware, the malware completely rewrites the code, as you see in the image.

34
00:03:05,040 --> 00:03:08,010
Both the malware code and the decrypter keep changing.

35
00:03:09,090 --> 00:03:13,860
Another name for such malware is self-modifying malware.

36
00:03:15,810 --> 00:03:20,020
The next method of obfuscating malware is dead code insertion.

37
00:03:21,260 --> 00:03:27,680
This is a simple technique of adding a few useless instructions to the program to change its appearance,

38
00:03:28,280 --> 00:03:30,440
but the behavior will remain the same.
39
00:03:31,570 --> 00:03:38,500
Here it shows how dead or non-functional code can be inserted. It might look very obvious now, as

40
00:03:38,500 --> 00:03:44,530
I have highlighted the lines, but imagine understanding and identifying these lines in hundreds of lines

41
00:03:44,530 --> 00:03:44,950
of code.

42
00:03:47,530 --> 00:03:56,020
Next, we have a technique called subroutine reordering. A subroutine is a part of a program that does a specific

43
00:03:56,020 --> 00:03:56,380
task.

44
00:03:57,440 --> 00:03:59,390
It is sometimes referred to as a function.

45
00:04:00,770 --> 00:04:06,600
In the subroutine reordering method, the malware author just changes the order in which the functions are

46
00:04:06,600 --> 00:04:09,200
written, thereby changing the file hash.

47
00:04:10,230 --> 00:04:14,040
Consider an example where a program has seven subroutines.

48
00:04:15,190 --> 00:04:21,640
In the second version, the malware author just changes the order of the subroutines, thereby having multiple

49
00:04:21,640 --> 00:04:23,560
variants of the same malware.

51
00:04:30,330 --> 00:04:36,300
In the further versions, the malware author just keeps changing the order of the subroutines, thereby

52
00:04:36,540 --> 00:04:39,900
having multiple variants of the same malware.

53
00:04:43,040 --> 00:04:46,220
Another method is called instruction substitution.

54
00:04:47,540 --> 00:04:53,570
This method changes the original code by replacing some instructions with other equivalent ones.

55
00:04:54,540 --> 00:04:58,590
In programming, one result can be achieved by various logic.

56
00:05:00,450 --> 00:05:06,450
In the instruction substitution method, the malware author achieves the same malicious task by changing

57
00:05:06,450 --> 00:05:10,160
the logic of the code, thereby changing the file hash.
58
00:05:11,900 --> 00:05:19,370
A few of the other popular obfuscation techniques include the exclusive OR method, simply referred to as

59
00:05:19,370 --> 00:05:20,030
XOR,

60
00:05:21,340 --> 00:05:29,260
Base64 encoding, and ROT13, which stands for rotate by 13.