silversurfer
A new obfuscation technique has been spotted that uses the features of PowerShell, a tool built into Microsoft Windows. Analysis from Cylance shows that the tactic succeeds in bypassing most antivirus products.
Cylance researchers stumbled across a malware file using a PowerShell obfuscation method while looking into a set of malicious scripts that had low antivirus detection. The file was a ZIP file containing both a PDF document and VBS script, and it was flagged by just three antivirus products.
The technique takes a page from other common obfuscation methods, which include using packers to compress a malware program; encryption to hide its unique strings of code; or techniques that mutate the malware's cosmetics, such as the overall number of bytes in the program. All of these alter the hash and the signature of the malware so that common antivirus tools won't flag it as a known malicious agent.
“Obfuscation is a term of art that describes a set of techniques used to evade antivirus products that rely heavily on signatures,” explained researchers at Cylance, in a technical analysis posted Wednesday on the tactic. “These techniques change the overall structure of a piece of malware without altering its function. Often, this has the overall result of creating layers which act to bury the ultimate payload, like the nested figures in a Russian doll.”