Is obfuscated code good or bad

<<

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sun Apr 19, 2009 2:06 pm

Is obfuscated code good or bad

An interesting article discussing the attrition war of authors vs reverse engineers and Anti-Virus/Anti-Malware.

Sun Tzu counseled a strategy of maneuver warfare, and that is the doctrine followed by modern militaries. We need to find something different than the attrition warfare that sustains the malware ecosystem in the state it is in today.

Obfuscation, the deliberate hiding of the software's behavior, is used by malware authors as well as legitimate software developers. They both use code obfuscation techniques to keep curious souls from understanding how their software works and what it is doing to the computer on which it runs.

Good Obfuscation, Bad Code
http://www.securityfocus.com/columnists/498/1
twitter.com/timmedin | http://blog.securitywhole.com
<<

NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Mon Apr 20, 2009 4:58 am

Re: Is obfuscated code good or bad

Danny Quist also has something to say about it. Interesting how anti-virus software is reporting obfuscation as potential malware.

http://www.offensivecomputing.net/?q=node/1165
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Apr 20, 2009 7:22 am

Re: Is obfuscated code good or bad

This is only my opinion, but I believe that AntiVirus makers are so far behind the curve, they are just grasping at straws.  They are not capable of catching anything remotely unfamiliar with signatures, so they are expanding "detection" to include legitimate software to "be on the safe side."
~~~~~~~~~~~~~~
Ketchup
<<

jason

Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Mon Apr 20, 2009 8:19 am

Re: Is obfuscated code good or bad

Yup, you can see the same thing with keygens. Most antimalware tools will flag them as malware.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Apr 20, 2009 11:49 am

Re: Is obfuscated code good or bad

I know nothing of these "keygens" you speak of  ;)
~~~~~~~~~~~~~~
Ketchup
<<

jason

Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Mon Apr 20, 2009 12:07 pm

Re: Is obfuscated code good or bad

Educational use only of course :)
<<

NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Tue Apr 21, 2009 3:22 am

Re: Is obfuscated code good or bad

I don't understand why they would do this - a keygen is just a reproduction of the algorithm used to produce a registration key.

Unless they used the program itself to self-keygen and that somehow flagged it....
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Apr 21, 2009 7:06 am

Re: Is obfuscated code good or bad

They are usually packed with something.
~~~~~~~~~~~~~~
Ketchup
<<

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Apr 21, 2009 7:25 am

Re: Is obfuscated code good or bad

Ketchup wrote: They are usually packed with something.

Indeed, they usually are. I saw this YouTube video once of a researcher downloading keygens and monitoring them with Wireshark, PortMon, Process Explorer, and Process Monitor.

It dropped some stealthy and blatantly malicious stuff of its own. Wish I had bookmarked it.

His solution? (assuming these keygens were legal pieces of code) Use a VM machine to run them.

If they use a patch-like function to insert a key (a la registry injection), stay away.

If you have to replace files manually (aka an .exe), run for the hills.
<<

NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Tue Apr 21, 2009 8:04 am

Re: Is obfuscated code good or bad

Back in the day we had to patch the .exe to make it not run from the HD, not the CD. But I guess that's not so much a problem nowadays with virtual CDs etc. Not that I engage in this kind of nefarious stuff at all.
