Usage of commercial grade software protectors/cryptors/obfuscators is a very common trend in desktop malware landscape. They are mainly used to make the analyst’s life tough by adding extra layers of protection. Similarly, there have been quite a few open source obfuscators and professional obfuscators used in the malware families implemented in Java as well for a long time.
While processing the sample collections of the past month, we have seen increase in the number of samples that shows spaghetti structure which was quite similar to the once seen in samples obfuscated using a commercial obfuscator called “Allatori.” Indeed the obfuscation is quite powerful, much more so than the normal obfuscated samples we generally see in the collections. This is not the first time we have seen the Java samples being obfuscated using Allatori. However what makes it interesting is that we see a stark rise in the trend as more and more new variants are obfuscated using this method. This gives an impression that the Malware authors are becoming very serious about obfuscating the plain byte code. A likely response to the fact that generally the vanilla Java byte code decompilation is a straight forward task.
Though most of the samples in the current collection seem to use the demo version of Allatori, it achieves the purpose of obfuscating their payload; posing problems to most of the common disassembly and decompiling tools.
Fig.1 : Screenshot of obfuscated sample.
Fig.2 shows the unusual cyclomatic metrics for an otherwise very simple payload.
Fig.2: Unusual Cyclomatic metrics for a very simple payload.
Fig.4 and Fig. 5 shows snapshots of the call graphs
Given that the Java platform has already been established as a convenient vehicle for most of the malware groups, we can only expect this trend of using professional obfuscators to grow. Needless to say we recommend practicing safe browsing habits such as using a browser with Java disabled for the majority of your Internet surfing needs. A second and different browser can be used with Java enabled for only those trusted and known sites that require it. As always keep your systems patched and your security software up to date to best avoid being victimized.
Leave a reply