From Automation to Obfuscation

Many of the people who create the bulk of our work do so by writing hundreds of variations on a similar theme, usually in a high-level language. This takes much of the drudgery out of their work and lets malware authors churn out variation upon variation, each one a little more different from the last. These lazy authors often turn to automation software to do the work for them: “click here”, they say, “open this program, type this, then hit <Enter>”.

The automation is driven by a scripting language similar to JavaScript. Like JavaScript, it is clear and very simple to comprehend for those who know where (and how) to look.

Today saw a marked change from the norm, when I stumbled across an automation utility with an obfuscated script attached. The script is already encrypted by default, but the fact that the malware author had gone to the extra trouble of obfuscating it as well seemed rather curious to me; perhaps we were doing too good a job of detecting his previous attempts :).

Obfuscation literally means “to make obscure or unclear”; in the case of computer programming, an example perhaps illustrates it best. Take this innocent code: it's obvious what it does, and you can easily calculate its result:

int a = 2;
int b = 10 + a;                        // b is 12
MessageBox.Show("My Number is " + b);  // displays "My Number is 12"

Here is one way its purpose might be obfuscated:

int a01342 = 346747+23635-266646+33-103767;   // folds to 2
int a01347 = 85+35553+a01342-35628;           // folds to 12
string a01348 = "Nz Ovncfs jt ";              // "My Number is " with every letter shifted forward by one
string a01346(string a01347) {                // shifts every non-space character back by one
    string a01348 = "";
    for (int a01345 = 0; a01345 < a01347.Length; a01345++)
        a01348 += a01347[a01345] == 0x20 ? " " : ((char)(a01347[a01345] - 1)).ToString();
    return a01348;
}
MessageBox.Show(a01346(a01348) + a01347);     // displays "My Number is 12"

The obfuscated code can be, as above, quite literally incomprehensible to the human eye. Its immediate purpose is not apparent, yet it produces exactly the same result as its counterpart above. This is a common technique of malware authors, though it didn't stop me from analysing and detecting today's attempt: W32/Hakag-A.
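The two tricks in that listing, splitting a constant into an arithmetic expression and shifting every character of a string by one, are cheap to apply and equally cheap to undo once you recognise them. The Python script below is an added example, not code from the original post and unrelated to the actual analysis of W32/Hakag-A: it folds each `int` declaration back to its literal value without executing any of the sample (the expression is parsed with `ast` and walked by hand, so only integer literals, resolved names and `+`, `-`, `*` are accepted), and it recovers each shifted string by trying small shifts and scoring the result against a tiny constructed word list. The embedded sample is the obfuscated listing above reduced to its three declarations; the regexes, the word list and the shift range are assumptions chosen for this example.

```python
"""De-obfuscation helpers for the two tricks shown above: arithmetic
constant-splitting and per-character string shifting.  Added example, not
code from the original post."""
import ast
import operator
import re

# Constructed sample: the obfuscated listing above, reduced to its declarations.
SAMPLE = '''
int a01342 = 346747+23635-266646+33-103767;
int a01347 = 85+35553+a01342-35628;
string a01348 = "Nz Ovncfs jt ";
'''

# Only these operators may appear in an expression we are willing to fold.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

# Tiny constructed word list used to score candidate de-shifted strings;
# a real tool would use a proper dictionary.
COMMON_WORDS = {"my", "number", "is", "the", "a", "and", "to", "of", "in",
                "open", "run", "file", "program"}

_INT_DECL = re.compile(r"\bint\s+(\w+)\s*=\s*([^;]+);")
_STR_DECL = re.compile(r'\bstring\s+(\w+)\s*=\s*"([^"]*)";')


def fold_arith(expr: str, env: dict) -> int:
    """Evaluate an integer expression such as '346747+23635-266646+33-103767'.
    The expression is parsed with `ast` and walked by hand so that only
    integer literals, already-resolved names, +, - and * are accepted;
    nothing from the sample is ever executed."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.Name) and node.id in env:
            return env[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError(f"refusing to fold: {ast.dump(node)}")
    return walk(ast.parse(expr.strip(), mode="eval"))


def fold_int_declarations(source: str) -> dict:
    """Resolve every 'int name = expr;' in order, so later declarations can
    refer to earlier ones (as a01347 refers to a01342 above)."""
    env = {}
    for name, expr in _INT_DECL.findall(source):
        env[name] = fold_arith(expr, env)
    return env


def unshift(text: str, shift: int) -> str:
    """Undo a per-character shift; spaces are left alone, as in the sample."""
    return "".join(c if c == " " else chr(max(0, ord(c) - shift)) for c in text)


def recover_strings(source: str, max_shift: int = 5) -> dict:
    """For each string literal try shifts 0..max_shift and keep the one whose
    result contains the most known words.  Returns name -> (text, shift)."""
    out = {}
    for name, literal in _STR_DECL.findall(source):
        def score(shift):
            words = unshift(literal, shift).lower().split()
            return sum(w in COMMON_WORDS for w in words)
        best = max(range(max_shift + 1), key=score)
        out[name] = (unshift(literal, best), best)
    return out


def deobfuscate(source: str):
    """Return (resolved ints, recovered strings) for an obfuscated fragment."""
    return fold_int_declarations(source), recover_strings(source)


if __name__ == "__main__":
    ints, strs = deobfuscate(SAMPLE)
    for name, value in ints.items():
        print(f"{name} = {value}")
    for name, (text, shift) in strs.items():
        print(f'{name} = "{text}"  (shift {shift})')
    # Reassemble what the sample would display: "My Number is 12"
    print(strs["a01348"][0] + str(ints["a01347"]))
```

Running the script prints `a01342 = 2`, `a01347 = 12` and `a01348 = "My Number is "  (shift 1)`, then the reassembled message. The point of going through `ast` rather than `eval` is that the text being folded comes from a malware sample; the walker refuses anything that is not plain integer arithmetic, so a literal such as a function call can never run on the analyst's machine.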