Malware creators turn code protection technique to their advantage

A coding technique designed to protect software against reverse engineering is increasingly being exploited by malicious code writers, according to a report released this week.

According to Finjan Inc.’s Web Security Trends Report for Q4 2006, dynamic code obfuscation as a method of hiding malicious code is becoming more popular with hackers.

Code obfuscation was originally designed to protect code — sometimes a company’s most valuable asset — from intellectual property theft. It works by making it difficult to determine what a piece of code does, said Matthew Russell, a Northern Virginia-based computer scientist and defence contractor who wrote an article called “Protect Your Source Code: Obfuscation 101.” Programmers can convolute their code through a variety of different methods, such as looping statements, so that it takes several seconds or minutes to figure out what the piece of code does, he said.

Spammers are using similar techniques to hide their true intentions, said Mary Kirwan, the CEO of security consulting firm Headfry Inc. in Toronto.

“The malicious payload is hidden through obfuscation techniques,” she said. “It’s quite challenging to look beneath.”

Dynamic code obfuscation means that the code will be different each time, making it difficult to find a signature for a virus, which is what anti-virus companies rely on, said Yuval Ben-Itzhak, the CTO of San Jose, Calif.-based Finjan, which produces a tool designed to detect such code.

Technology that looks for a virus signature — a set of unique characteristics that identify a virus — won’t work with dynamic code obfuscation, he said.
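The following is an added illustration of that point, not code from the Finjan report or from anyone quoted in the article. Two constructed script samples carry the same payload string behind two different encodings (the kind of wrapper that changes on every visit); a byte-for-byte signature misses both, while a scanner that first decodes the wrapper and matches on the normalized text catches both. The `PAYLOAD-MARKER` string and the two samples are invented placeholders.

```python
import re

# Constructed placeholder standing in for the bytes a signature would look for.
MARKER = "PAYLOAD-MARKER"

# Two constructed samples hiding MARKER: percent-escapes on one "visit",
# character codes and a different variable name on the next. These are toy
# encodings, not samples from the report.
SAMPLE_A = ("var q1 = unescape('%50%41%59%4C%4F%41%44%2D%4D%41%52%4B%45%52'); "
            "document.write(q1);")
SAMPLE_B = ("var z9 = String.fromCharCode(80,65,89,76,79,65,68,45,77,65,82,75,69,82); "
            "document.write(z9);")


def normalize(script: str) -> str:
    """Statically undo the two encodings used above so the signature can be
    matched on the decoded text instead of on the ever-changing wrapper.
    Caveat: real dynamic obfuscation can layer encodings or compute the
    payload at run time, which needs emulation or a sandbox, not two regexes."""
    def _unescape(m):
        return re.sub(r"%([0-9A-Fa-f]{2})",
                      lambda h: chr(int(h.group(1), 16)), m.group(1))

    def _fromcharcode(m):
        return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))

    script = re.sub(r"unescape\(\s*'([^']*)'\s*\)", _unescape, script)
    script = re.sub(r"String\.fromCharCode\(([\d,\s]*)\)", _fromcharcode, script)
    return script


def static_signature_hit(script: str) -> bool:
    """The approach the article says fails: match signature bytes on the raw sample."""
    return MARKER in script


def normalized_signature_hit(script: str) -> bool:
    """Match the same signature after decoding the wrapper."""
    return MARKER in normalize(script)


if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, "raw:", static_signature_hit(sample),
              "normalized:", normalized_signature_hit(sample))
```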

To protect themselves against such techniques, companies shouldn’t be thinking about security as something they patch on at the end but something they build from the ground up, said Headfry’s Kirwan.

“You have to have security embedded from the get go when developing software,” she said.

This is especially true when developing Web sites, she said. Because developing sites is so simple, companies don’t consider all of the potential hazards that could come with it.

“People can be quite cavalier, so code can be subject to numerous attacks,” she said.

However, dynamic code obfuscation is not the only type of attack companies need to be concerned about, according to Finjan’s report. Hackers are also exploiting Web 2.0 technologies. The Finjan report looked into two recent attacks, one on Wikipedia, the online encyclopedia that allows anyone to contribute, and another on MySpace, a social networking site. In the Wikipedia case, a hacker wrote an article about a virus and then provided a link — which was to the malicious code.

“We believe that Web 2.0 sites will be used to distribute malicious code,” Ben-Itzhak said.

Companies running such sites should scan all material before it goes live, he said, and the need to be vigilant will increase in general. Finjan predicts that as Microsoft’s Windows Vista and Internet Explorer 7 reach critical mass, they will trigger a new wave of attacks from hackers looking to exploit their vulnerabilities.

Comment: info@itbusiness.ca