Following the Obfuscation Trail: Identifying and Exploiting Obfuscation Signatures in Malicious Code

Published: 01 Jan 2023, Last Modified: 12 May 2025 | FPS (1) 2023 | CC BY-SA 4.0
Abstract: In this paper, we delve into the intricate world of dynamic code generation in scripting languages. One way that malicious code authors can evade detection by static analysis is to obfuscate their code and rely on dynamic code generation to deobfuscate it at runtime. These obfuscation techniques can be highly intricate, involving numerous recursive “eval” calls to ultimately reveal the payload, or requiring the deobfuscation of separately generated code segments. This complexity presents significant challenges for researchers studying such code and for tools attempting static analysis. However, the very effort attackers invest in obfuscation, and the structures they create and reuse across attacks, can also serve as a distinctive signature of the attacker. We propose leveraging the structure of these obfuscation mechanisms as a similarity metric for malicious software.