Malware detection is simple, right?


Wrong. Day after day, millions of computers are attacked by malware. As the number of malicious software attacks has grown over the years, the number of malware detection and antivirus solutions has grown with it. Yet the attackers have the upper hand, because there is no protection against zero-day attacks, that is, against something which has just been invented. Malware developers use this to their advantage by applying heavy obfuscation techniques to veil the intended behavior of their software. Without deobfuscation, an antivirus solution can only detect the presence of obfuscation, not the actual malicious activity. Malware that evades normal investigative response techniques can spread undetected within an organization and do far more harm.


In this blog we explore two key reasons why deobfuscation is necessary for malware detection:

Analyzing behavior isn’t practical:

Using a sandbox to analyze the behavior of a possible malware sample is a valid idea, but it has several disadvantages. The first is that running automated malware analysis is costly and time consuming. Secondly, as the news regularly shows, malware detectors themselves can have vulnerabilities, which can allow an attacker to take over the analysis system and the local environment. This was recently experienced with Windows Defender, when an unpatched vulnerability left most Windows PCs at risk for a short period of time. With step-by-step deobfuscation of malware, the analyzer can detect malicious behavior as soon as it is unveiled, without ever having to execute the sample and risk infecting the system.

Used alone, obfuscation isn’t enough:

Obfuscation has legitimate purposes. Taking a look at the code of one of the most popular web pages, www.google.de, we find heavily obfuscated JavaScript. Obfuscation is not only used to veil malware, but also to protect company assets, so its mere presence is not a reliable indicator of malice.


CSPi’s Deobfuscation Algorithm

Using a scientific approach to analyzing the capabilities of JavaScript, Sebastian Rosenkranz, Malware Analyst at CSPi, has developed a reliable methodology to remove static obfuscation techniques from any kind of software. Using a patented algorithm, CSPi can provide a new kind of rule-based framework that can deobfuscate zero-day malware and re-enable the malware detection capabilities of existing antivirus solutions.
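To make the idea of rule-based static deobfuscation concrete, here is an added example; it is not CSPi's patented algorithm and not code from this post. It is a small JavaScript rewriter in which each rule undoes one common obfuscation idiom (hex escapes, string concatenation, string-array lookups, bracket property access) as a pure text transformation, re-applied until the source stops changing. The sample is never executed, which is the point made above about step-by-step deobfuscation versus sandboxing: a plain-text indicator that a scanner already has matches nothing in the obfuscated input and fires once the underlying call is exposed. The sample input, the rule names and the indicator list are constructed for this illustration.

```javascript
// Added example (not CSPi's algorithm): a minimal rule-based static
// deobfuscation pass for JavaScript. Each rule is a pure text rewrite of
// one obfuscation idiom; the input is never executed. Rules are re-applied
// until a fixed point is reached.

// One double-quoted string literal, escapes included. This toy handles only
// double-quoted literals and ignores comments and regex literals.
const STR = '"(?:[^"\\\\]|\\\\.)*"';

const RULES = [
  {
    // "\x64\x6f\x63" -> "doc": decode \xHH and \uHHHH escapes inside a
    // literal, keeping the escape when decoding would produce a
    // non-printable character or break the literal (quote or backslash).
    name: "decode-escapes",
    apply: (src) =>
      src.replace(new RegExp(STR, "g"), (lit) =>
        lit.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g, (esc, hx, ux) => {
          const code = parseInt(hx || ux, 16);
          const ch = String.fromCharCode(code);
          return code < 0x20 || code > 0x7e || ch === '"' || ch === "\\" ? esc : ch;
        })
      ),
  },
  {
    // "ab" + "cd" -> "abcd". A chain of three folds over two passes.
    name: "fold-concat",
    apply: (src) =>
      src.replace(new RegExp("(" + STR + ")\\s*\\+\\s*(" + STR + ")", "g"),
        (m, a, b) => a.slice(0, -1) + b.slice(1)),
  },
  {
    // var t = ["x", "y"]; ... t[1] -> "y". The declaration is left in place
    // as dead code rather than guessing at its scope.
    name: "inline-string-array",
    apply: (src) => {
      const decl = new RegExp(
        "var\\s+([A-Za-z_$][\\w$]*)\\s*=\\s*\\[((?:\\s*" + STR + "\\s*,?)+)\\]\\s*;", "g");
      let out = src;
      for (const m of src.matchAll(decl)) {
        const items = m[2].match(new RegExp(STR, "g"));
        const name = m[1].replace(/\$/g, () => "\\$");
        const use = new RegExp("(?<![\\w$])" + name + "\\[(\\d+)\\]", "g");
        out = out.replace(use, (u, idx) => (Number(idx) < items.length ? items[idx] : u));
      }
      return out;
    },
  },
  {
    // obj["name"] -> obj.name when the key is a valid identifier.
    name: "bracket-to-dot",
    apply: (src) =>
      src.replace(/([A-Za-z_$][\w$]*)\["([A-Za-z_$][\w$]*)"\]/g, (m, obj, key) => obj + "." + key),
  },
];

// Apply every rule in order, pass after pass, until nothing changes.
// The trace records which rule fired in which pass.
function deobfuscate(src, maxPasses = 50) {
  const trace = [];
  let code = src;
  for (let pass = 1; pass <= maxPasses; pass++) {
    let changed = false;
    for (const rule of RULES) {
      const next = rule.apply(code);
      if (next !== code) {
        trace.push({ pass, rule: rule.name });
        code = next;
        changed = true;
      }
    }
    if (!changed) return { code, trace, converged: true };
  }
  return { code, trace, converged: false };
}

// Plain-text indicators a signature-based scanner might already carry
// (constructed list). None of them is visible in the obfuscated sample.
const INDICATORS = ["document.write(", "eval(", "new Function(", "unescape("];

function findIndicators(code) {
  return INDICATORS.filter((ind) => code.includes(ind));
}

// Constructed, benign sample in the style of a string-array obfuscator:
// the array holds hex-escaped names, and the call is built from lookups.
const SAMPLE = [
  'var _0xab = ["\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74", "\\x77\\x72\\x69\\x74\\x65"];',
  'var msg = "hel" + "lo " + "world";',
  'window[_0xab[0]][_0xab[1]](msg);',
].join("\n");

const result = deobfuscate(SAMPLE);
console.log(result.code);
console.log("indicators before:", findIndicators(SAMPLE), "after:", findIndicators(result.code));
```

Run it with node: the three sample lines come out as `var _0xab = ["document", "write"];`, `var msg = "hello world";` and `window.document.write(msg);`, and the indicator check goes from an empty list to `["document.write("]` without the sample ever having run. Fixed-point iteration is what lets independent, single-purpose rules compose: the bracket rule cannot see `document["write"]` until the array rule has inlined the name, and the concatenation chain needs a second pass, so each rule stays simple and order of discovery does not matter.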

Contact us for more information about the advantages and a demonstration of our Deobfuscator’s capabilities!

To gain further insight into CSPi’s deobfuscation algorithm, download our Deobfuscator Management Brief.

