Code obfuscation: benefit or risk in the field of information security
Information security concerns individual users who work online as much as it concerns companies of every size, from small firms to large corporations. Loss of critical data, theft of customer or partner records and leakage of financial information damage both a company's reputation and its finances.
The market offers many controls to address this. This review focuses on one of them: obfuscation. It is a genuinely powerful technique, with one significant caveat: it is used both by those protecting corporate networks and personal devices and by attackers.
The essence of obfuscation is to transform code or data so that its meaning is hard to recover while its behaviour stays the same. It does not work by simply making the code longer, although inserted junk usually does lengthen it. On one side, it protects intellectual property and sensitive logic by raising the cost of reverse engineering, sometimes enough that attackers move on to easier targets. On the other side, the same transformations let malware slip past security tools that rely on recognising known code.
Below we look at what the technique is and which side outweighs the other, at the obfuscation methods attackers use in practice, and at the tools that help detect obfuscated threats and other intrusions.
Obfuscation: getting acquainted with the concept
Obfuscation is the deliberate transformation of information so that it is hard to read or understand, without changing what it does. Its widest application is program code. The usual motivation is to make sensitive logic (licence checks, proprietary algorithms, embedded parameters) hard to recognise, so that someone who obtains the code still cannot easily understand or reuse it. Its limit should be stated plainly: obfuscation raises the effort needed for analysis, it does not make analysis impossible, and it is not a substitute for access control or encryption.
There are many ways to implement it and no binding standards or requirements. Outside code, the simplest related example is data masking: a bank card number displayed with its first and last few digits intact and the middle digits replaced by asterisks or other symbols. In software the picture is more complex. A common technique is to store strings and other data in encrypted or encoded form, so that the program holds an unreadable blob and decodes it with a key only at the moment of use. Because that key ships inside the program, this is obfuscation rather than real confidentiality: it stops a casual reader, not an analyst who is prepared to find the key or let the program decrypt the data and then read it out of memory.
Obfuscation is also used to protect program code from theft and tampering. Tools combine unusual language constructs with redundant logic so that the code becomes hard to follow as a whole: meaningful identifiers are replaced with meaningless ones, metadata such as debug symbols and comments is removed, and junk code or opaque data is inserted among the real instructions. The implementations differ, but the goal is always the same: to mask the real content of the program code as thoroughly as possible.
This work is performed by dedicated tools, so the process is automated: the tool rewrites the source code (or the compiled output) in a few clicks so that a human can no longer understand it, yet the program continues to run exactly as before. The external form changes; the behaviour is preserved. That property is the basis of application protection through obfuscation.
Other methods used within the same technique include compressing the program and rewriting its control flow so that the original structure is lost. Whichever method is chosen, the result is code that is hard to read and reason about. For particularly sensitive code, several techniques are usually layered to obtain a multi-level protective effect. In every case the transformed code remains executable by the machine; only the human reader is hindered.
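The three transformations just described (renaming of identifiers, removal of metadata such as docstrings, and encoding of embedded data) can be shown on a toy Python obfuscator. The code below is an added example written for this page, not the output of any real obfuscation product; the target program SOURCE and its licence-check logic are constructed for illustration. It rewrites the abstract syntax tree and then runs both versions to confirm that behaviour is unchanged.

```python
import ast
import base64
import itertools

# Constructed target program (not from any real product): a toy licence check.
SOURCE = '''
def check_license(serial, secret):
    """Accept a serial if it equals the prefix plus the reversed secret."""
    expected = "ACME-" + secret[::-1]
    if serial == expected:
        return "valid"
    return "invalid"
'''


class Obfuscator(ast.NodeTransformer):
    """Layout and data obfuscation on a Python AST:
    - rename functions, parameters and local variables to opaque names;
    - drop docstrings (metadata);
    - replace every string literal with a base64 decode evaluated at run time.
    The transformed program behaves exactly like the original."""

    def __init__(self):
        self.names = {}                        # original name -> opaque name
        self.counter = itertools.count(0x1000)

    def _alias(self, name):
        if name not in self.names:
            self.names[name] = "_" + format(next(self.counter), "x")  # e.g. "_1000"
        return self.names[name]

    def visit_FunctionDef(self, node):
        node.name = self._alias(node.name)
        for arg in node.args.args:
            arg.arg = self._alias(arg.arg)
        first = node.body[0] if node.body else None
        if (isinstance(first, ast.Expr) and isinstance(first.value, ast.Constant)
                and isinstance(first.value.value, str)):
            node.body = node.body[1:]          # remove the docstring
        self.generic_visit(node)
        return node

    def visit_Name(self, node):
        if node.id in self.names:
            node.id = self.names[node.id]
        elif isinstance(node.ctx, ast.Store):
            node.id = self._alias(node.id)     # first assignment of a local
        return node

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            enc = base64.b64encode(node.value.encode()).decode()
            # "literal"  ->  __import__('base64').b64decode('...').decode()
            call = ast.parse(f"__import__('base64').b64decode({enc!r}).decode()",
                             mode="eval").body
            return ast.copy_location(call, node)
        return node


def obfuscate(source):
    """Return (obfuscated source, name mapping). Keep the mapping: you need it to debug."""
    obf = Obfuscator()
    tree = ast.fix_missing_locations(obf.visit(ast.parse(source)))
    return ast.unparse(tree), obf.names


def run(source, func_name, *args):
    """Execute a module's source in a fresh namespace and call one of its functions."""
    ns = {}
    exec(source, ns)
    return ns[func_name](*args)


if __name__ == "__main__":
    obf_src, names = obfuscate(SOURCE)
    print(obf_src)
    print(run(SOURCE, "check_license", "ACME-terces", "secret"),
          run(obf_src, names["check_license"], "ACME-terces", "secret"))
```

The obfuscated output no longer contains the words "check_license", "expected" or "ACME-", yet returns the same results. The base64 layer is exactly the kind of reversible encoding an analyst strips first, which is why real tools stack several such layers.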
What obfuscation can be used for in practice
Obfuscation is a practical measure that many businesses should consider. With it you can:
- make it harder for competitors to copy your idea by lifting your implementation;
- help ensure that only your company benefits from the code and that the application keeps earning you revenue;
- protect algorithms and licence checks from tampering: with readable code, an attacker can locate the part responsible for licensing, patch it out and use the program for free, whereas obfuscation makes that part much harder to find;
- hide sensitive actions and parameters, such as a password check, from casual inspection. One caveat: hiding a hard-coded secret or a backdoor behind obfuscation is security through obscurity, and a determined analyst will recover it, so obfuscation must never be the only protection for such logic.
Whatever your reasons, every use of obfuscation comes down to hiding the logic of the source program from third parties.
A few words about how obfuscation works
Most obfuscation methods target one of three parts of a program:
- Data. Constants, strings and data structures are re-encoded so that their stored form no longer resembles what they mean.
- Control flow. The executable logic is restructured so that the order of operations is hard to follow: real branches are mixed with bogus ones and the structure looks arbitrary, even though execution remains deterministic and produces the same results.
- Layout. Identifiers are renamed to meaningless ones, comments and formatting are removed, and so on.
Modern obfuscation tools work on source code, bytecode or binaries. Binary obfuscation is the most complex and requires architecture-specific handling. In every case the key step is to identify which parts of the code are worth transforming.
The method has drawbacks. Obfuscated programs run slower than their unobfuscated equivalents: a single original operation may be replaced by several equivalent ones, so the processor spends correspondingly more time on them. When choosing which code to transform, leave performance-critical paths alone.
One more warning: obfuscation is applied to build output, never to the only copy of the source. Keep the original source under version control and keep the name mapping the tool produces; otherwise debugging or maintaining the obfuscated program becomes impractical, and it is easier to rewrite than to recover. A specialist who knows the tool well should be responsible for the process.
Modern obfuscation methods
We have already mentioned that several obfuscation methods are used in practice. The most common are:
- Data transformation. One of the key elements of the technique: data is stored in a different representation (encoded or encrypted at rest and decoded on use). The performance impact is usually small. It cannot rule out reverse engineering, but it makes the work considerably more laborious, and in some cases attackers give up.
- Control-flow modification. The sequence of statements is rewritten: junk operations and arbitrary jumps are inserted, and nested conditionals are turned into a flat dispatcher, a loop around a switch statement driven by a state variable. This is known as control-flow flattening.
- Address changes. The way data is laid out in memory is altered, for example by placing items at unpredictable addresses and varying the distances between them, so that knowledge gained from one device's memory does not transfer to another.
- Assembler-level tricks. Anti-disassembly techniques such as overlapping instructions make a linear disassembler produce wrong output; adding junk instructions and useless control transfers complicates analysis further.
- Regular code updates. Obfuscated components are periodically re-issued with fresh transformations, so that the analysis of one version does not carry over to the next. The effort an attacker has to invest can then exceed the value of the result.
- Debug information. File names, line numbers and symbol names are a gift to a reverse engineer. Obfuscation tools rename or remove them, and in many cases strip debug information from the application entirely.
Other methods and combinations of them are used as well; the choice depends on the specifics of your software product.
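Control-flow flattening with an opaque predicate, as described in the list above, can be shown on a small function. This is an added, hand-written example for this page, not the output of any real obfuscator; the state constants and the opaque predicate are arbitrary choices for illustration. The flattened version keeps the same observable behaviour but hides the branch structure behind a dispatcher loop, and the JUNK block is dead code that only an analyser able to prove the predicate always true can remove.

```python
# Constructed example of control-flow flattening plus an opaque predicate.

def classify(n):
    """Original, readable version."""
    if n < 0:
        return "negative"
    if n == 0:
        return "zero"
    if n % 2 == 0:
        return "even"
    return "odd"


def opaque_true(x):
    """Opaque predicate: x*(x+1) is always even, so this always returns True,
    but a static analyser must prove that before it can prune the dead branch."""
    return (x * x + x) % 2 == 0


# Each basic block becomes one case of a dispatcher keyed by an arbitrary constant.
START, NEG, ZERO_Q, ZERO, PARITY, EVEN, ODD, JUNK, END = (
    0x3B, 0x17, 0x2A, 0x05, 0x61, 0x4E, 0x73, 0x99, 0x00)


def classify_flat(n):
    """Flattened version: same logic, but the if/else tree is gone."""
    state, result = START, None
    while state != END:
        if state == START:
            state = NEG if n < 0 else ZERO_Q
        elif state == NEG:
            result, state = "negative", END
        elif state == ZERO_Q:
            state = ZERO if n == 0 else PARITY
        elif state == ZERO:
            result, state = "zero", END
        elif state == PARITY:
            # The opaque predicate guards the real path; JUNK is never reached.
            if opaque_true(n):
                state = EVEN if n % 2 == 0 else ODD
            else:
                state = JUNK
        elif state == EVEN:
            result, state = "even", END
        elif state == ODD:
            result, state = "odd", END
        elif state == JUNK:
            result, state = "overflow", START    # dead code, kept to mislead
    return result


def equivalent(lo=-50, hi=50):
    """Confirm both versions agree on every input in [lo, hi]."""
    return all(classify(i) == classify_flat(i) for i in range(lo, hi + 1))


if __name__ == "__main__":
    print(equivalent(), [classify_flat(i) for i in (-3, 0, 4, 7)])
```

A decompiler shows classify_flat as one loop with eight cases and no obvious ordering; recovering the original tree requires tracking the state variable through every assignment, which is the work a real obfuscator multiplies by using computed state values and many more blocks.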
As noted at the start, obfuscation has two sides. One, covered above, hides sensitive parts of program code from unauthorised analysis. The other opens a loophole for attackers, which is what the rest of this review discusses.
What is the other side of obfuscation?
Practice has shown that obfuscation is not only a way of protecting software but also a serious challenge for a company's security team. The same methods are used by legitimate developers and by malware authors. For the latter, the tool lowers the chance of detection and helps conceal who wrote the code: changing the form of the code changes its fingerprint and its signature, so an already known threat that ordinary antivirus software would have caught goes unrecognised.
In its simplest form a signature is a hash, a unique fingerprint of a file, or a byte pattern taken from the file. Obfuscating or repacking the code changes the bytes, so the known hash or pattern no longer matches and the sample is not identified. Attackers therefore do not need to write new malware each time: they take the same program and apply different obfuscation methods to it over and over, producing a stream of fresh samples.
What obfuscation methods are most often used by hackers in practice
Above we covered methods that protect program code; now the methods attackers use. Combinations are common, forming several layers of disguise. One of the most frequent is the packer: it compresses (and often encrypts) the malicious program into a blob that a small loader stub unpacks only at run time, so the original code is unreadable in the file on disk and no longer matches known signatures.
Next come crypters. They encrypt the whole program or selected parts of it, hiding the content an antivirus program could otherwise match.
Another technique is dead-code insertion: instructions with no effect are scattered through the real code to disguise it. Instruction substitution is also common: individual instructions are replaced by equivalent sequences, which changes the byte pattern of the program without changing its behaviour.
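The two evasion mechanics just described, a packer/crypter that unpacks its payload at run time and a file hash that changes with every rebuild (see the discussion of signatures above), can be shown together with a crude countermeasure. The following is an added example written for this page, not code from any real packer or antivirus product; PAYLOAD is a constructed, benign stand-in that only computes a number, and the entropy threshold is an illustrative choice. Each call to pack() with a different seed yields a stub with a new SHA-256 but identical behaviour, while suspicious_literals() flags the high-entropy blobs a packed sample carries.

```python
import ast
import base64
import hashlib
import math
import random
import zlib
from collections import Counter

# Constructed benign stand-in for a malicious program body: it only computes RESULT.
PAYLOAD = b'''
def keystream(seed, n):
    out, x = [], seed
    for _ in range(n):
        x = (1103515245 * x + 12345) % 2 ** 31
        out.append(x & 0xFF)
    return bytes(out)

def checksum(data):
    total = 0
    for i, b in enumerate(data):
        total = (total * 31 + b * (i + 1)) % 65521
    return total

RESULT = checksum(keystream(7, 64))
'''


def pack(payload, seed):
    """Toy packer/crypter: compress, XOR with a per-build keystream, base64-encode,
    and wrap in a stub that reverses the steps and exec()s the result at run time."""
    comp = zlib.compress(payload, 9)
    key = random.Random(seed).randbytes(len(comp))   # fresh key for every build
    blob = bytes(a ^ b for a, b in zip(comp, key))
    return (
        "import base64, zlib\n"
        f"_k = base64.b64decode({base64.b64encode(key).decode()!r})\n"
        f"_b = base64.b64decode({base64.b64encode(blob).decode()!r})\n"
        "_p = zlib.decompress(bytes(a ^ b for a, b in zip(_b, _k)))\n"
        "exec(_p)\n"
    )


def fingerprint(source):
    """The simplest signature: a SHA-256 of the whole file."""
    return hashlib.sha256(source.encode()).hexdigest()


def run(source):
    """Execute a script in a fresh namespace and return that namespace."""
    ns = {}
    exec(source, ns)
    return ns


def shannon_entropy(data):
    """Bits per byte; ~8 for random or encrypted data, ~4-5 for text or source code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_literals(source, min_len=64, threshold=5.5):
    """Crude static detector: long string/bytes literals whose (base64-decoded) content
    has near-random entropy are typical of packed or encrypted payloads."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            raw = node.value.encode() if isinstance(node.value, str) else node.value
            if len(raw) < min_len:
                continue
            try:
                data = base64.b64decode(raw, validate=True)
            except (ValueError, TypeError):
                data = raw
            h = shannon_entropy(data)
            if h >= threshold:
                hits.append((node.lineno, round(h, 2)))
    return hits


if __name__ == "__main__":
    s1, s2 = pack(PAYLOAD, 1), pack(PAYLOAD, 2)
    print(fingerprint(s1)[:16], fingerprint(s2)[:16])
    print(run(s1)["RESULT"], run(s2)["RESULT"], run(PAYLOAD.decode())["RESULT"])
    print(suspicious_literals(s1), suspicious_literals(PAYLOAD.decode()))
```

Two builds of the same payload share no file hash, which is why hash-only blocklists lag behind; the entropy check, on the other hand, does not care which key was used. Attackers answer it by splitting blobs into short pieces or encoding them as low-entropy text, which is the arms race the rest of this review describes.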
Obfuscating the code is only one stage of hiding malware, and the work takes time rather than being done on the spot. To evade EDR effectively, the malware also has to exchange data and commands with its command-and-control (C2) server, so that communication, not just the program itself, must be disguised. If it is not, security tools identify the interaction pattern itself, which triggers further checks and considerably raises the chance that the implant is found.
Not long ago attackers could scan networks and exfiltrate large volumes of data with little concern. Specialised security tools have changed that: attackers now have to act as quietly and inconspicuously as possible to minimise the visible anomalies around their target network.
Attacks that rely on obfuscation have a long history. Examples include the SolarWinds compromise, where the technique was used to bypass protections and hide malicious actions; the XLS.HTML phishing campaign, whose encoding of the malicious attachment changed roughly every month (escape encoding, Morse code, plain text and Base64 were all used), which let it avoid detection for a long period; and campaigns that exploited ThinkPHP vulnerabilities with obfuscated payloads to execute code remotely on servers.
Such cases are not isolated, and the techniques keep improving. To avoid becoming a victim, it is important to know how to protect yourself and which solutions to use.
Will the signature method be sufficient to ensure protection?
Signature-based detection is a sound and reliable approach, but only for threats that are already known. When attackers use something new that has not yet been reflected in the detection databases, it gives little result. Worse, as shown above, an attacker can produce a new hash simply by re-obfuscating the sample, without changing the malicious code at all.
The ingenuity of malware developers shows in several ways:
- advanced disguise techniques that make their products almost impossible to identify by appearance;
- metamorphic and polymorphic malware that changes its own code and structure from one copy to the next, which brings the effectiveness of signature scanning close to zero;
- zero-day exploits, which are by definition absent from signature databases and therefore invisible to signature-based protection.
False positives are a further problem. When alerts follow one after another, security analysts are constantly distracted by them, and a real incident can pass unnoticed in the noise.
So, although signature-based detection remains a useful and reliable tool, on its own it is clearly insufficient. A broader security strategy is required, including machine learning, behavioural analysis and similar tools.
Using NDR tools to combat hacker attacks
As attackers' capabilities develop, security vendors keep pace. Intrusion detection systems (IDS) are widely deployed: signature-based ones match traffic against known patterns, while anomaly-based ones observe the system day after day, learn which parameters describe normal operation, and alert as soon as even minor foreign activity appears. This works reasonably well against a variety of malware, including obfuscated samples, but the effectiveness of an IDS alone is still limited.
A more advanced tool is the modern NDR (Network Detection and Response) solution. Its distinguishing feature is the ability to adapt to current conditions, which lets it stay a step ahead of threats and account for their specifics. In practice it provides better protection than the signature method alone: its analytics identify not only known but also new threats and help respond to them.
The main advantages of NDR tools against attacks of this kind are:
- Behavioural analysis. NDR monitors network traffic and analyses its behaviour to spot unusual activity quickly. Irregular or ill-timed data transfers, or connections repeated at suspiciously regular intervals, are key indicators of a hidden channel to a C2 server.
- Protocol monitoring. NDR inspects DNS, HTTP and other protocol traffic to identify suspicious communications, including behaviour associated with obfuscated malware.
- Long-term communication monitoring. Since attackers strive to stay hidden from the security team's tools, NDR analyses traffic over long periods, which reveals anomalies that no single connection would show. Because the analysis runs in batches over stored metadata rather than only inline, results arrive within minutes, and the false-positive rate that purely real-time analysis tends to produce is lower.
- Comprehensive metadata analysis. NDR detects atypical behaviour using machine-learning models that recognise common obfuscation techniques by the traces they leave in network traffic.
- Threat intelligence sharing. NDR exchanges data on potential problems with the other security tools a business uses. Used together with EDR, for example, it lets you correlate suspicious network traffic with activity on the endpoints.
- MITRE ATT&CK. This is a knowledge base of adversary tactics and techniques, not a tool; obfuscation is catalogued under Defense Evasion as Obfuscated Files or Information (T1027). Mapping NDR detections to it gives detailed context on the observed threats and raises the chance of identifying them.
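The regular check-in traffic an implant generates towards its C2 server (mentioned above under EDR evasion) is exactly the pattern that the behavioural and long-term analysis in this list targets. Below is an added example, not code from any NDR product, of a beacon detector over a constructed connection log: it groups connections by source, destination and port, and flags flows whose inter-connection intervals and sizes are both unusually regular. The log lines, addresses and thresholds are all constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed connection log (not real traffic): "epoch_ts src dst dport bytes".
# 10.0.0.5 -> 203.0.113.7:443 checks in roughly every 60 s with jitter (a beacon);
# 10.0.0.8 -> 198.51.100.20:80 is ordinary bursty browsing; 10.0.0.9 has too few events.
LOG = """\
1700000000 10.0.0.5 203.0.113.7 443 612
1700000005 10.0.0.8 198.51.100.20 80 15320
1700000012 10.0.0.8 198.51.100.20 80 2210
1700000030 10.0.0.9 203.0.113.7 443 980
1700000061 10.0.0.5 203.0.113.7 443 608
1700000090 10.0.0.8 198.51.100.20 80 40111
1700000090 10.0.0.9 203.0.113.7 443 1002
1700000095 10.0.0.8 198.51.100.20 80 1877
1700000119 10.0.0.5 203.0.113.7 443 611
1700000180 10.0.0.5 203.0.113.7 443 609
1700000242 10.0.0.5 203.0.113.7 443 613
1700000299 10.0.0.5 203.0.113.7 443 608
1700000361 10.0.0.5 203.0.113.7 443 610
1700000400 10.0.0.8 198.51.100.20 80 9840
1700000410 10.0.0.8 198.51.100.20 80 65000
1700000420 10.0.0.5 203.0.113.7 443 612
1700000479 10.0.0.5 203.0.113.7 443 607
1700000541 10.0.0.5 203.0.113.7 443 611
1700000700 10.0.0.8 198.51.100.20 80 3120
1700000702 10.0.0.8 198.51.100.20 80 3125
1700000703 10.0.0.8 198.51.100.20 80 770
"""


def parse(log):
    """Group (timestamp, bytes) pairs by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, size = line.split()
        flows[(src, dst, int(dport))].append((int(ts), int(size)))
    return flows


def find_beacons(log, min_conns=8, max_interval_cv=0.15, max_size_cv=0.25):
    """Flag flows whose inter-connection intervals and payload sizes are both unusually
    regular. CV = standard deviation / mean. Real beacons add jitter, so a tolerance is
    used instead of demanding exact periodicity."""
    findings = []
    for key, events in parse(log).items():
        if len(events) < min_conns:
            continue                      # too little history to judge periodicity
        events.sort()
        times = [t for t, _ in events]
        sizes = [s for _, s in events]
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean_int = statistics.mean(intervals)
        if mean_int == 0:
            continue                      # all in the same second: a burst, not a beacon
        icv = statistics.pstdev(intervals) / mean_int
        scv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if icv <= max_interval_cv and scv <= max_size_cv:
            findings.append({"flow": key, "count": len(events),
                             "period_s": round(mean_int, 1),
                             "interval_cv": round(icv, 3), "size_cv": round(scv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(LOG):
        print(f)
```

On this sample only the 10.0.0.5 flow is reported, with a period of about 60 seconds. The same statistics work on exported Zeek conn.log or firewall records; in production the thresholds are tuned per environment and long windows (hours or days) are needed to catch implants that sleep for a long time between check-ins.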
Compared with other security methods, modern NDR solutions have proven among the most reliable and effective in practice, and they belong in the toolkit of anyone seeking strong protection against unauthorised access.
Summing Up
In the era of digital transformation, obfuscation is one of the key elements in the confrontation between attackers and defenders. It symbolises the constant evolution of cyber threats and, alongside it, of the methods of protection. The state of this niche shows once again that the market is far from stable and is constantly changing: new threats appear and tools to counter them follow, and as soon as additional security layers appear, attackers look for ways around them.
The same trend will most likely continue. One of the better approaches to solid cybersecurity is therefore not only to build impenetrable digital walls but also to develop protection ecosystems based on machine learning: solutions that learn on their own and can anticipate potential threats.
In that context, modern NDR solutions are a preparatory stage for such tools, but they currently have no equivalent. In any case, the task is not only to protect against potential threats but to build a digital environment in which security is the natural state.
Mobile proxies from the MobileProxy.Space service can assist with part of this. A mobile proxy is an intermediary server that presents its own network parameters in place of those of the user's device, so the device's real IP address and geolocation are hidden from the sites and services it connects to. That makes the device harder to target directly from the Internet. It does not, however, stop malware that arrives by phishing or a malicious download, so a proxy complements rather than replaces the detection tools discussed above.
Follow the link https://mobileproxy.space/en/user.html?buyproxy for details on the features of mobile proxies and to see for yourself that they are a strong option for functional, secure and private work on the Internet. They also let you bypass regional restrictions and system limits on multi-threaded work, use programs that automate actions on the network, and more.
You will also have a competent technical support service at your disposal, ready to respond to user requests immediately and resolve problems that arise in the course of work.