In malware, obfuscation is everything
- James

- 22 Feb
- Reading time: 2 min
Updated: 2 Mar
The design and development of malware can be extremely complex, as it depends on numerous factors, such as what the malware is intended to do, which functionalities it must include, and how it should communicate with a potential C&C server.
However, in certain cases, it can also be extremely simple by deliberate choice of the attacker. Naturally, this also depends on the phase of the attack we are in, but an attacker might choose to use a simple reverse shell. This can be implemented in multiple programming languages, then compiled into an executable (EXE) and, in some way, the victim can be induced to run it on their system.
From a purely technical standpoint, and based on these considerations, carrying out a cyberattack might appear less challenging than one would initially expect.
However, in this simplified scenario, I would like to highlight a critical "issue": the malware, given its simplicity and the fact that it would not be particularly complex to develop, would nowadays be just as easily detected by virtually any antivirus solution.
This highlights how the main challenge in malware development shifts from the functionality itself to how that functionality is “concealed.”
This scenario involves several well-established techniques that I have found extremely interesting to study. For example, I have always been fascinated by the fact that malware can encrypt part of itself in order to make the analysis of its functionality more difficult. However, there is a significant obstacle: although only a few lines of code in a language such as Python are sufficient to create a reverse shell, obfuscation techniques become far more complex.
Some tools come to the “rescue” by simplifying this process.
In particular, I would like to introduce PEzor, developed by Francesco Soncina, a security researcher living in Amsterdam, NL.

I installed the software on a Kali Linux virtual machine hosted on my Windows system. The installation process was somewhat cumbersome, but after some troubleshooting, I managed to obtain a working setup.
At this point, we have a wide range of options available. We have discussed encryption, which can be implemented in an extremely simple manner, and we could also introduce an N-second delay before unpacking the code.
PEzor.sh -xorkey=MY-FQDN-COMPUTER-NAME -sleep=120 myexe.exe
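The encrypted-payload idea above is also what defenders key on: a region of a binary that only decrypts itself at run time shows up on disk as near-random bytes, so entropy scanning is a standard first triage step for packed or encrypted samples. As an added example (not from this post and not part of PEzor), the Python below scans a constructed sample, a readable stub followed by a seeded pseudo-random blob standing in for an encrypted payload, and reports the windows that look packed; all function names are mine.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return (offset, entropy) for every fixed-size window at or above threshold.

    Encrypted or compressed regions sit close to 8 bits/byte, while ordinary
    code, strings and headers usually stay well below 7. Offsets of flagged
    windows are what an analyst would then inspect for an unpacking stub.
    """
    flagged = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            flagged.append((off, round(h, 2)))
    return flagged


def build_sample() -> bytes:
    """Constructed stand-in for a binary: a readable stub, then an opaque blob.

    The blob is seeded pseudo-random bytes playing the role of an encrypted
    payload. It is not a real PE file and contains no real malware.
    """
    stub = (b"This program cannot be run in DOS mode.\r\n" * 13)[:512]
    rng = random.Random(1337)
    blob = bytes(rng.randrange(256) for _ in range(1024))
    return stub + blob


if __name__ == "__main__":
    for off, h in high_entropy_regions(build_sample()):
        print(f"offset {off:#06x}: {h} bits/byte -> possible packed/encrypted region")
```

The same reasoning applies to the sleep option: a long delay before unpacking is itself a behavioural indicator, since a time-limited sandbox never sees the decrypted code, so sandbox run times should exceed the delays such tools are configured with.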

