
obfuscation

By Ben Lutkevich

What is obfuscation?

Obfuscation means to make something difficult to understand. Programming code is often obfuscated to protect intellectual property or trade secrets, and to prevent an attacker from reverse engineering a proprietary software program.

Encrypting or encoding some or all of a program's code and strings, so that they are only decoded at runtime, is one obfuscation method. Other approaches include stripping out potentially revealing metadata, replacing class and variable names with meaningless labels and adding dead or meaningless code to an application script. A tool called an obfuscator will automatically convert straightforward source code into a program that works the same way but is more difficult to read and understand.
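The three source-level techniques just listed (renaming, string encoding with a runtime decoder and dead-code insertion) can be shown in miniature. What follows is an added example written for this article, not code from the original page or from any real obfuscator: a toy obfuscator for a small subset of JavaScript that applies all three to the article's own Hello World snippet, then checks that the result still computes the same value while a naive string signature no longer matches it. The `_0x...` naming, the table offset `0x100`, the XOR key `0x5a` and all helper names are arbitrary choices made for the illustration.

```javascript
// Added example, not code from the article: a toy obfuscator for a small subset
// of JavaScript (single-quoted strings, var/function declarations). It applies
// identifier renaming, string encoding behind an emitted runtime decoder and
// dead-code insertion, then checks that behaviour is preserved while a naive
// string signature stops matching. Regex-based by design; a real obfuscator
// rewrites a parsed syntax tree.

const STRING_RE = /('(?:[^'\\]|\\.)*')/;
// Apply fn only to the code between single-quoted string literals.
const mapCode = (code, fn) =>
  code.split(STRING_RE).map((s, i) => (i % 2 ? s : fn(s))).join('');

const OFFSET = 0x100; // assumed table index offset, like the accessor in the article's sample
const KEY = 0x5a;     // assumed XOR key; it ships inside the output, so it hides, it does not protect

// Deterministic, meaningless names such as _0x1b2c3d4e, so output is reproducible.
function makeNamer(seed) {
  let state = seed >>> 0;
  const issued = new Map();
  return (original) => {
    if (!issued.has(original)) {
      state = (Math.imul(state, 1103515245) + 12345) >>> 0; // LCG step
      issued.set(original, '_0x' + state.toString(16).padStart(8, '0'));
    }
    return issued.get(original);
  };
}

// Technique 1: rename every identifier declared with var or function, only where
// it appears as code, never inside a string literal.
function renameIdentifiers(code, namer) {
  const codeOnly = code.split(STRING_RE).filter((_, i) => i % 2 === 0).join(' ');
  const declared = [...new Set(
    [...codeOnly.matchAll(/\b(?:var|function)\s+([A-Za-z_$][\w$]*)/g)].map(m => m[1]))];
  if (declared.length === 0) return code;
  const pattern = declared.map(n => n.replace(/\$/g, '\\$')).join('|');
  const re = new RegExp('\\b(?:' + pattern + ')\\b', 'g');
  return mapCode(code, seg => seg.replace(re, name => namer(name)));
}

// Technique 2: move every string literal into a table of XOR-encoded UTF-16 code
// units (4 hex digits each) and replace it with a call to an emitted decoder.
function encodeStrings(code, namer) {
  const tbl = namer('__table'), dec = namer('__decode');
  const table = [];
  const body = code.replace(new RegExp(STRING_RE.source, 'g'), (lit) => {
    const text = lit.slice(1, -1)
      .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/\\(['\\])/g, '$1');
    let hex = '';
    for (let i = 0; i < text.length; i++) {
      hex += (text.charCodeAt(i) ^ KEY).toString(16).padStart(4, '0');
    }
    table.push(hex);
    return `${dec}(0x${(OFFSET + table.length - 1).toString(16)})`;
  });
  const decoder =
    `var ${tbl}=[${table.map(h => `'${h}'`).join(',')}];` +
    `function ${dec}(i){var s=${tbl}[i-0x${OFFSET.toString(16)}],o='';` +
    `for(var j=0;j<s.length;j+=4)o+=String.fromCharCode(parseInt(s.substr(j,4),16)^0x${KEY.toString(16)});` +
    `return o;}`;
  return decoder + body;
}

// Technique 3: prepend an opaque predicate. (0x1f & 0x10) is 0x10, never 0x0, so
// the branch is dead code that a reader still has to reason about.
function insertDeadCode(code, namer) {
  const junk = namer('__junk');
  return `if((0x1f&0x10)===0x0){var ${junk}=[];while(${junk}.length<0x7)${junk}.push(${junk}.length);}` + code;
}

function obfuscate(code, seed = 0x5eed) {
  const namer = makeNamer(seed);
  const out = insertDeadCode(encodeStrings(renameIdentifiers(code, namer), namer), namer);
  return { code: out, nameOf: namer }; // nameOf('product') gives the obfuscated name
}

// Evaluate a snippet and read back one variable, to compare behaviour. new Function
// runs the text with full privileges: only do this with code you wrote yourself.
function runAndRead(code, variable) {
  return new Function(`${code};return ${variable};`)();
}

// Stand-in for a signature scanner: does a known string appear verbatim?
function matchesSignature(code, signature) {
  return code.includes(signature);
}

// Input: the article's own plain snippet.
const PLAIN = "var greeting = 'Hello World';\ngreeting = 10;\nvar product = greeting * greeting;";
const RESULT = obfuscate(PLAIN);
console.log(RESULT.code);
console.log(runAndRead(PLAIN, 'product'), runAndRead(RESULT.code, RESULT.nameOf('product')));
console.log(matchesSignature(PLAIN, 'Hello World'), matchesSignature(RESULT.code, 'Hello World'));
```

Run it with Node.js: it prints the obfuscated text, then 100 100 (both versions compute the same product) and true false (the signature matches only the original). Two practical points fall out of it. The decoder and its key ship inside the output, so this hides strings from a casual reader and a pattern scanner but protects nothing from anyone willing to run or read the decoder. And every string is decoded on each use, which is the runtime cost the article mentions under disadvantages.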

Unfortunately, malicious code writers also use these methods to prevent their attack mechanisms from being detected by antimalware tools. The 2020 SolarWinds attack is an example of hackers using obfuscation to evade defenses.

Deobfuscation techniques can be used to reverse engineer -- or undo -- obfuscation. These techniques include program slicing, which narrows the program code to just the statements that affect a particular point in the program. Compiler optimization is another: passes such as constant folding and dead-code elimination strip out inserted junk and resolve the indirection an obfuscator adds, because those additions never change what the program does. Program synthesis, which reconstructs a simpler program with the same observable behavior, is a third. Obfuscation does not make reverse engineering impossible; it aims to make it difficult and not worth the trouble.

How does obfuscation work?

Obfuscation in computer code uses complex roundabout phrasing and redundant logic to make the code difficult for the reader to understand. The goal is to bury the reader in complicated syntax and make it hard to determine what the code actually does.

With computer code, the reader may be a person, a computing device or another program. Obfuscation is also used to fool antivirus tools and other programs that rely heavily on signatures -- patterns matched against known malicious code -- to classify a file. Decompilers are available for languages such as Java, operating systems such as Android and iOS, and development platforms like .NET. They automatically reconstruct readable source from compiled code; obfuscation aims to make their output difficult to use as well.

Code obfuscation does not change what a program does; it changes how the code is written and delivered so that the same logic is harder to follow. The obfuscated program behaves the same way and produces the same output as the original.

What follows is an example snippet of normal JavaScript code:

var greeting = 'Hello World';
greeting = 10;
var product = greeting * greeting;

That same snippet in obfuscated form looks like this:

var _0x154f=['98303fgKsLC','9koptJz','1LFqeWV','13XCjYtB','6990QlzuJn','87260lXoUxl','2HvrLBZ','15619aDPIAh','1kfyliT','80232AOCrXj','2jZAgwY','182593oBiMFy','1lNvUId','131791JfrpUY'];var _0x52df=function(_0x159d61,_0x12b953){_0x159d61=_0x159d61-0x122;var _0x154f4b=_0x154f[_0x159d61];return _0x154f4b;};(function(_0x19e682,_0x2b7215){var _0x5e377c=_0x52df;while(!![]){try{var _0x2d3a87=-parseInt(_0x5e377c(0x129))*parseInt(_0x5e377c(0x123))+-parseInt(_0x5e377c(0x125))*parseInt(_0x5e377c(0x12e))+parseInt(_0x5e377c(0x127))*-parseInt(_0x5e377c(0x126))+-parseInt(_0x5e377c(0x124))*-parseInt(_0x5e377c(0x12f))+-parseInt(_0x5e377c(0x128))*-parseInt(_0x5e377c(0x12b))+parseInt(_0x5e377c(0x12a))*parseInt(_0x5e377c(0x12d))+parseInt(_0x5e377c(0x12c))*parseInt(_0x5e377c(0x122));if(_0x2d3a87===_0x2b7215)break;else _0x19e682['push'](_0x19e682['shift']());}catch(_0x22c179){_0x19e682['push'](_0x19e682['shift']());}}}(_0x154f,0x1918c));var greeting='Hello\x20World';greeting=0xa;var product=greeting*greeting;

The obfuscated version is nearly impossible to follow by eye. It is still entirely mechanical, however: the string array, the lookup function and the self-checking loop that rotates the array are standard patterns, and automated deobfuscation can resolve them and recover the three original statements.
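As an added example, not part of the original article, the following JavaScript deobfuscates the sample above statically, applying the compiler-style steps described in the deobfuscation paragraph earlier. It locates the string table, the accessor function and the self-checking rotation loop with regular expressions tailored to this sample's shape, works out which rotation satisfies the checksum by evaluating only the arithmetic (never executing the sample), inlines any remaining lookups, folds hex numerals and `\x` escapes back to plain values and drops the prologue, which has become dead code. The sample text is embedded verbatim from the article; everything else is written for this example and assumes that exact pattern.

```javascript
// Added example, not code from the article: a static deobfuscator for the
// string-table-plus-rotation pattern in the sample above (obfuscator.io-style
// output). Regular expressions matched to that exact shape locate the three
// prologue pieces; the rotation checksum is evaluated as plain arithmetic, so
// none of the sample's code is ever executed.

const ID = '_0x[0-9a-f]+';
const HEX = '(0x[0-9a-f]+)';
const STR = "'(?:[^'\\\\]|\\\\.)*'"; // one single-quoted JS string literal

// Find the string table, the accessor function and the self-checking rotation
// loop; return their text, names and parameters.
function findPrologue(code) {
  const arr = code.match(new RegExp(`var (${ID})=\\[((?:${STR},?)+)\\];`));
  if (!arr) throw new Error('no string table found');
  const arrName = arr[1];
  const table = [...arr[2].matchAll(new RegExp(STR, 'g'))].map(m => m[0].slice(1, -1));
  const acc = code.match(new RegExp(
    `var (${ID})=function\\((${ID}),${ID}\\)\\{\\2=\\2-${HEX};var (${ID})=${arrName}\\[\\2\\];return \\4;\\};`));
  if (!acc) throw new Error('no accessor function found');
  const loop = code.match(new RegExp(
    `\\(function\\((${ID}),(${ID})\\)\\{var (${ID})=${acc[1]};while\\(!!\\[\\]\\)\\{try\\{var (${ID})=([^;]+);` +
    `if\\(\\4===\\2\\)break;else \\1\\['push'\\]\\(\\1\\['shift'\\]\\(\\)\\);\\}` +
    `catch\\(${ID}\\)\\{\\1\\['push'\\]\\(\\1\\['shift'\\]\\(\\)\\);\\}\\}\\}\\(${arrName},${HEX}\\)\\);`));
  if (!loop) throw new Error('no rotation loop found');
  return {
    table, accessor: acc[1], offset: parseInt(acc[3], 16), alias: loop[3],
    checksum: loop[5], target: parseInt(loop[6], 16), spans: [arr[0], acc[0], loop[0]],
  };
}

// Evaluate the checksum expression (a sum of signed products of parseInt(alias(0x..)))
// for one candidate table order, without executing any of the sample's code.
function checksumFor(info, table) {
  const lookup = hex => table[parseInt(hex, 16) - info.offset];
  const call = new RegExp(`parseInt\\(${info.alias}\\(${HEX}\\)\\)`, 'g');
  const arith = info.checksum.replace(call, (_, hex) => String(parseInt(lookup(hex), 10)));
  if (!/^[-+*\d]+$/.test(arith)) return NaN; // anything beyond this grammar: no match
  return arith.split('+').reduce((sum, term) =>
    sum + term.split('*').reduce((prod, f) => prod * Number(f), 1), 0);
}

// Rotate left (push(shift())) exactly as the loop would, until the checksum matches.
function resolveTable(info) {
  for (let k = 0; k < info.table.length; k++) {
    const rotated = info.table.slice(k).concat(info.table.slice(0, k));
    if (checksumFor(info, rotated) === info.target) return { rotated, rotation: k };
  }
  throw new Error('no rotation satisfies the checksum');
}

function deobfuscate(code) {
  const info = findPrologue(code);
  const { rotated, rotation } = resolveTable(info);
  // Program slicing in miniature: once every lookup is inlined, the table, the
  // accessor and the rotation loop no longer affect the program and can go.
  let body = info.spans.reduce((c, span) => c.replace(span, ''), code);
  body = body.replace(new RegExp(`${info.accessor}\\('?${HEX}'?\\)`, 'g'),
    (_, hex) => `'${rotated[parseInt(hex, 16) - info.offset]}'`);
  // Constant folding: hex numerals to decimal outside strings; \xNN escapes to the
  // printable character they encode inside strings.
  body = body.split(new RegExp(`(${STR})`)).map((seg, i) => i % 2
    ? seg.replace(/\\x([0-9a-fA-F]{2})/g, (m, h) => {
        const ch = String.fromCharCode(parseInt(h, 16));
        return ch >= ' ' && ch <= '~' && ch !== "'" && ch !== '\\' ? ch : m;
      })
    : seg.replace(/\b0x([0-9a-f]+)\b/gi, (_, h) => String(parseInt(h, 16)))).join('');
  return { code: body.replace(/;(?=\S)/g, ';\n'), table: rotated, rotation };
}

// The obfuscated sample from the article, verbatim, split only for line length.
const SAMPLE = [
  String.raw`var _0x154f=['98303fgKsLC','9koptJz','1LFqeWV','13XCjYtB','6990QlzuJn','87260lXoUxl','2HvrLBZ','15619aDPIAh','1kfyliT','80232AOCrXj','2jZAgwY','182593oBiMFy','1lNvUId','131791JfrpUY'];`,
  String.raw`var _0x52df=function(_0x159d61,_0x12b953){_0x159d61=_0x159d61-0x122;var _0x154f4b=_0x154f[_0x159d61];return _0x154f4b;};`,
  String.raw`(function(_0x19e682,_0x2b7215){var _0x5e377c=_0x52df;while(!![]){try{var _0x2d3a87=-parseInt(_0x5e377c(0x129))*parseInt(_0x5e377c(0x123))+-parseInt(_0x5e377c(0x125))*parseInt(_0x5e377c(0x12e))+parseInt(_0x5e377c(0x127))*-parseInt(_0x5e377c(0x126))+-parseInt(_0x5e377c(0x124))*-parseInt(_0x5e377c(0x12f))+-parseInt(_0x5e377c(0x128))*-parseInt(_0x5e377c(0x12b))+parseInt(_0x5e377c(0x12a))*parseInt(_0x5e377c(0x12d))+parseInt(_0x5e377c(0x12c))*parseInt(_0x5e377c(0x122));`,
  String.raw`if(_0x2d3a87===_0x2b7215)break;else _0x19e682['push'](_0x19e682['shift']());}catch(_0x22c179){_0x19e682['push'](_0x19e682['shift']());}}}(_0x154f,0x1918c));`,
  String.raw`var greeting='Hello\x20World';greeting=0xa;var product=greeting*greeting;`,
].join('');

const RECOVERED = deobfuscate(SAMPLE);
console.log('rotation:', RECOVERED.rotation);
console.log(RECOVERED.code);
```

Running it reports that the seventh left rotation of the array satisfies the checksum 0x1918c and prints the recovered statements: `var greeting='Hello World'`, `greeting=10` and `var product=greeting*greeting`. Letting an unknown script run and decode itself is quicker, but it hands control to the sample; reproducing the one piece of arithmetic the loop needs is the safer habit when the input is suspected malware.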

Obfuscation techniques

Obfuscation involves several different methods. Often, multiple techniques are used to create a layered effect.

Programs written in languages that compile to an intermediate representation, such as C# and Java, are easier to obfuscate -- and need it more. Their bytecode keeps class, method and variable names and other metadata, and decompiles cleanly back into readable source, so an obfuscator can work at that level and has plenty to hide. In contrast, C++ is more difficult to obfuscate, because it compiles to machine code: the compiler already discards most of the structure a decompiler would rely on, and what remains is harder for both people and obfuscation tools to work with.

Some common obfuscation techniques include the following:

How to measure obfuscation success

The success of obfuscation methods can be measured using the following criteria:

Advantages of obfuscation

The main advantages of obfuscation are as follows:

Disadvantages of obfuscation

One of the main disadvantages of obfuscation is that it is also used in malware. Malware writers use it to evade antivirus programs that scan code for specific features, such as known strings, function names or byte sequences. By obscuring those features, the malware appears legitimate to the antivirus software.

Common techniques malware authors use include:

With obfuscation, instead of developing new malware, authors repackage commonly used, commodity attack methods so that their recognizable features are disguised. In some cases, malicious actors add techniques aimed at evading a specific vendor's detection product.
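A defender's check to go with this: signature scanners look for recognizable strings, so an obfuscator that encodes them defeats the signature, but the encoding itself leaves structural traces. The following added example, not from the article or any vendor's product, scores a JavaScript text on a few such indicators (hex-style `_0x` identifiers, `\x` escapes, computed member calls, very long lines and character entropy) and flags it when enough weight accumulates. The indicator list, thresholds and weights are illustrative assumptions rather than tuned values, and the obfuscated-style snippet is constructed for the example; the plain snippet is the article's own.

```javascript
// Added example, not from the article: a heuristic scorer for the structural
// fingerprints obfuscated JavaScript leaves behind even when every string a
// signature scanner would look for has been encoded away. Thresholds and
// weights are assumptions for illustration; a real detector would pair this
// kind of scoring with decoding or emulation of the script.

// Shannon entropy in bits per character; obfuscated text tends to run higher.
function shannonEntropy(text) {
  const chars = [...text];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// [name, extractor, threshold, weight]; an indicator adds its weight at or above threshold.
const INDICATORS = [
  ['hexIdents',     c => (c.match(/\b_0x[0-9a-f]+\b/g) || []).length,                      3,   2],
  ['escapes',       c => (c.match(/\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g) || []).length,   4,   2],
  ['computedCalls', c => (c.match(/[\w)\]]\[\s*[\w$]+\s*\(/g) || []).length,               1,   1],
  ['longestLine',   c => Math.max(...c.split('\n').map(l => l.length)),                  200,   1],
  ['entropy',       shannonEntropy,                                                      5.0,   1],
];
const SUSPICIOUS_AT = 4; // assumed cut-off: total weight needed to flag a script

function scoreObfuscation(code) {
  const details = {};
  let score = 0;
  for (const [name, extract, threshold, weight] of INDICATORS) {
    const value = extract(code);
    details[name] = value;
    if (value >= threshold) score += weight;
  }
  return { score, suspicious: score >= SUSPICIOUS_AT, details };
}

// Inputs: the article's plain snippet, and a short obfuscated-style snippet
// constructed for this example in which the strings 'eval' and 'atob' are hidden
// behind \x escapes and a lookup function, so no decoder name appears literally.
const PLAIN = "var greeting = 'Hello World';\ngreeting = 10;\nvar product = greeting * greeting;";
const OBF_SAMPLE = String.raw`var _0x3f1a=['\x65\x76\x61\x6c','\x61\x74\x6f\x62'];var _0x2b9c=function(_0x1){return _0x3f1a[_0x1-0x1f0];};window[_0x2b9c(0x1f0)](window[_0x2b9c(0x1f1)]('dmFyIHg9MQ=='));`;

// A name-based signature finds nothing in the obfuscated version...
const NAME_SIGNATURE = /\b(?:eval|atob|unescape|Function)\s*\(/;
console.log(NAME_SIGNATURE.test(PLAIN), NAME_SIGNATURE.test(OBF_SAMPLE));
// ...while the structural indicators still flag it.
console.log(scoreObfuscation(PLAIN));
console.log(scoreObfuscation(OBF_SAMPLE));
```

The plain snippet scores zero on every indicator; the constructed sample trips the identifier, escape and computed-call indicators at once even though `eval` and `atob` never appear in it. Heuristics like these are cheap and false-positive-prone (minified but legitimate libraries also have long lines and high entropy), which is why they serve as a triage signal that decides what gets decoded or emulated, not as a verdict.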

Another disadvantage of obfuscation is that it makes code harder to maintain and debug, and it can cost performance. For example, code that uses the string encryption obfuscation method must decrypt its strings at runtime, which slows execution, and a stack trace from an obfuscated build shows only meaningless names unless the developer keeps the mapping needed to translate them back.

Obfuscation and SolarWinds

An attack on SolarWinds, an Austin, Texas, IT management and monitoring software maker, which is thought to have started as far back as September 2019, resulted in a host of other companies and government agencies being breached. The attack was discovered in December 2020 and is attributed to Russian hackers. It initially compromised SolarWinds' Orion IT management platform.


The attackers used Sunburst malware, which combined obfuscation with other evasion techniques to plant a backdoor in software updates for the Orion platform. To disguise their efforts and bypass defenses, they altered audit logs, deleted files and programs after use and made their activity look like that of legitimate applications on the network.

This supply chain attack is suspected to have remained undetected for more than a year. The malware inserted in the Orion code lay dormant and hidden until customers installed the trojanized updates. Every organization that did so received the backdoor, and the attackers then used it to move deeper into the networks of a long list of chosen victims without being detected.

Obfuscation is one of many techniques hackers employ to break into IT systems.

08 Apr 2021

All Rights Reserved, Copyright 2000 - 2024, TechTarget