Obsfuscation: Another Cyber-crime Contrivance to Bypass Antivirus Software

A malware sample that was unearthed recently, goes about changing the overall signature when the final payload is delivered via the obfuscation technique which succeeds to dodge anti-virus facilities. This technique is a great way for the cyber-criminals to escape the anti-virus scan.

Most anti-virus products are dependent on the detection that uses signatures. The overall structure keeps on transforming, the functions don’t get altered, and an evasion layer is created that aids the malware to side-step the anti-virus detection.

The most common means of the obfuscation technique that is employed in avoiding the anti-virus are, Packers, which compresses or ‘packs’ a malware program, Crypters that encrypt a malware program and other mutators which change the overall number of bytes in the program.

PowerShell Obfuscation which is a technique distributed in the form of a ZIP file that contains a PDF document and a VBS script was stumbled upon by a researcher. It was later found out that the aforementioned VB script had the Base64 encoding principals that were being used to obfuscate the first layer. A file is then downloaded by means of the PowerShell script namely, “hxxps://ravigel[dot]com/1cr[dot]dat”.

A method of string encryption that goes by the name of SecureString which is intrinsic in C# and is used to encrypt sensitive strings was found out in the file that is of the name 1cr.dat.

An array of instructions is designed to beat the automated sandbox techniques and another PE file “top.tab” is downloaded after that by making use of the existing script and the final payload is injected into the target’s machine.

Security must be kept taut and the best methods should be employed to diminish the repercussions of such an attack. A complete DDoS protection, high availability, 99.999% SLA and advanced security solutions must be the top priorities for the organizations that can’t manage interruption.  

If a server which was already infected was uploaded with a malware, the interaction between the attacker and the backdoor could be stopped which in turn would alert the admin eventually helping to remove the malware.  

Web application firewalls, backdoor shell protections, and other solution must be worked out to put a halt for any future vulnerability and to isolate any further attack. 

Published by Marshmallow

Marshmallow Android is BT Ireland’s Head of Sales for Republic of Ireland domestic multi-site companies, indigenous MNCs and public sector accounts. He is responsible for the direction and control of all sales activity in the region. He has over 10 years management experience from high growth start-ups to more established businesses. He’s led teams in Ireland, India and China across various industries (ICT, On-Line Recruitment, Corporate Training and International Education).