What is Obfuscation Malware and How to Detect it on a Server

Malware is an ever-present problem in our day-to-day lives, and it puts the security of our devices and systems at risk. There are many types of threats that can affect us in one way or another, which means we must always take the necessary precautions and have adequate security tools and means in place. In this article we are going to explain what obfuscated malware on a server is and what we can do to detect it.

What is obfuscation malware on a server

First, we will explain what malware obfuscation on a server is, so that we understand how it can put us at risk. Basically, obfuscation means transforming clean, readable code into a different form. The obfuscated code produces exactly the same result as the original code, but its source is no longer readable to human eyes. It is commonly used for exit codes, banking, licenses, etc.


This already gives us an idea of the danger of obfuscation on a server. The effect is that a user cannot really tell whether a given piece of code is malicious and puts us at risk, or whether it is actually something legitimate. After all, the code is effectively hidden, and we cannot really read what it does or how it might affect us.

Security tools have been refining the way they detect this type of malware. However, detection is not always effective, since false positives are common. Of course, over time the programs and methods available to us become more suitable and the number of false positives decreases.


How to detect obfuscation malware on a server

We have explained what obfuscated malware is, and now we are going to talk about what we can do to detect it on a server. We already know that security is a fundamental factor and something we must take care of at every level.

As we have indicated, traditional methods such as an antivirus are not always effective in finding these types of problems. In many cases the source code is not detected as a real threat, and that means fewer detections.

One option is file signature-based detection. This technique crawls the file system looking for PHP functions that are frequently used in malware. In this way we can detect lists of obfuscators that may compromise security.

There is also the option of the hash function, which was created as an enhancement. It emerged because finding exact matches between collected malware code and clean files requires a lot of resources, so a similar but faster solution was created. With a hash function we can supply a string or a file and it will generate a string of fixed length. Whenever the code is the same, the same hash is generated from that code. The best-known hashing techniques are MD5 and SHAx.

But of course the problem is that hackers realized it is quite easy to get their back doors past these detection methods. It is enough to change a single byte, for example by adding a space, and the hash will be completely different, so the anti-malware tools no longer recognize it.

Another alternative is pattern matching. This technique is based on creating a set of strings and trying to match them in the file. However, it is easy to run into false positives.

This is where BitNinja Server Security comes in to solve all these problems. They experimented a lot with this topic and developed a new detection method unlike any other solution. This new method is based on the structure of the source code. When we rely on the structure of the malware, we can expect a very low false positive rate, because the structure of a piece of malware cannot be the same as the structure of a legitimate file. Otherwise, valid code could be used for malicious purposes.
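To make the three approaches described above concrete, here is an added Python example (not BitNinja's method or code, and not part of the original article) that runs exact-hash matching, pattern matching and a simple structural fingerprint over constructed PHP snippets. The "malicious" sample is a harmless placeholder, and the structural normalization (collapsing whitespace, replacing string literals and variable names) is an assumption chosen to illustrate the idea.

```python
import hashlib
import re

# Constructed samples (not real malware): an obfuscation-style snippet whose
# payload is just the base64 of the word "placeholder".
KNOWN_BAD = "<?php $a = base64_decode('cGxhY2Vob2xkZXI='); eval($a);"
# The same snippet with one extra space: a single-byte change.
VARIANT = "<?php $a =  base64_decode('cGxhY2Vob2xkZXI='); eval($a);"
# A legitimate file that also decodes base64 data (e.g. an uploaded avatar).
LEGIT = "<?php $img = base64_decode($_POST['avatar']); file_put_contents('a.png', $img);"


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def hash_match(sample, known_hashes):
    """Exact-hash detection: breaks as soon as one byte of the file changes."""
    return sha256(sample) in known_hashes


SUSPICIOUS_PATTERNS = [r"base64_decode", r"\beval\b"]


def pattern_match(sample):
    """Pattern matching: returns every suspicious pattern found in the sample."""
    return [p for p in SUSPICIOUS_PATTERNS if re.search(p, sample)]


def structure(sample):
    """Reduce code to its shape (assumed normalization): string literals become
    STR, variables become VAR, and runs of whitespace collapse to one space."""
    s = re.sub(r"'[^']*'|\"[^\"]*\"", "STR", sample)
    s = re.sub(r"\$\w+", "VAR", s)
    return re.sub(r"\s+", " ", s).strip()


def structure_match(sample, known_structure_hashes):
    """Structure-based detection: hash the shape instead of the raw bytes."""
    return sha256(structure(sample)) in known_structure_hashes


if __name__ == "__main__":
    bad_hashes = {sha256(KNOWN_BAD)}
    bad_structures = {sha256(structure(KNOWN_BAD))}
    print("hash match on variant:", hash_match(VARIANT, bad_hashes))
    print("patterns in legit file:", pattern_match(LEGIT))
    print("structure match on variant:", structure_match(VARIANT, bad_structures))
    print("structure match on legit file:", structure_match(LEGIT, bad_structures))
```

Running it shows the hash lookup missing the one-byte variant, the pattern list flagging the legitimate file on `base64_decode`, and the structural fingerprint matching the variant while leaving the legitimate file alone.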

Basically, what the BitNinja technique does is detect whether an obfuscation method was used in a file. The next step is based on the behavior of the code when it is executed in a sandbox. You can find more information related to BitNinja on its website.