Hello, everyone, and welcome to this session about obfuscation. Here we're continuing our discussion about malware challenges. So in this session, we're going to learn about malware obfuscation techniques and data encoding. So let's get started.
When we're analyzing malware, often we are presented with the challenge of obfuscation.
Obfuscation, from a malware perspective, means that these malware authors are implementing various techniques to hide information and to make malware harder to detect and analyze.
Now, obfuscation means the process of obscuring information
to hide the malicious intent of their programs. Malware authors employ various obfuscation techniques, such as encoding, encryption and packers, which we've discussed in the last session.
They employ these methods for many reasons, several of which are: to hide the strings in a binary so that you can't perform any static analysis on them;
to encrypt information that's being moved from a victim system; to hide the content of configuration files;
and to hide malware from host- and network-based security appliances. Generally, malware authors use encoding or encryption to obscure their data.
But what's the real difference between encoding and encryption?
The difference is that the purpose of encoding is to make sure that the data can be consumed by another system. So typically, the encoding transforms data into another format so it can be easily reversed.
Encryption's purpose, on the other hand, is to keep data secret from others.
Encryption takes data and formats it in a way that only a specific individual or system can decrypt the data.
The other key difference is that you don't need a key to reverse data that is encoded. You just need the algorithm that was used to encode it.
To decrypt data that has been encrypted, however, you need a key, which is kept secret, in conjunction with the plain text and the algorithm.
Simple encoding methods have been around for a long time. As computer power has increased, you may think that malware authors really wouldn't use these simple methods anymore. However, when your purpose is just to hide content so that it evades security appliances,
simple encoding techniques are small, they're less complex than encryption, and they're fast, so they continue to use them. This is especially true for Base64 or XOR encoding.
One of the oldest encoding methods around is called the Caesar cipher. We call it encoding now, but technically it's one of the simplest and most widely known encryption techniques. The Caesar cipher is what we call a substitution cipher,
where each letter in our plain text character set
(our character set in this case is the alphabet, letters A through Z)
is replaced by the letter some fixed number of positions down the alphabet.
Wait, what? That's what you would say if you're not a cryptographer. The idea behind the Caesar cipher is quite simple.
As an exercise, pick a number. Let's say three. This is your key.
Now let's take a word:
Brian. All right, this is your plain text. So to implement the cipher,
the first thing you want to do is replace the first plain text character by shifting the letters of the alphabet three characters to the left, because three is your key.
The resulting character is the first letter of your cipher text.
Repeat these steps for every letter in your plain text to output cipher text. So to implement our algorithm, the first letter of our cipher text is E, because B shifted three positions over is E.
R shifted three positions to the right is U. I shifted is L,
A shifted is D, and N shifted is Q.
So the string Brian encrypted by our Caesar cipher is EULDQ.
While simple Caesar ciphers are still implemented, more prevalent is the XOR obfuscation technique, which is coming up in the next session.
Advanced Malware Analysis: Redux
In this course, we introduce new techniques to help speed up analysis and transition students from malware analyst to reverse engineer. We skip the malware analysis lab setup and put participants hands-on with malware analysis.