Cisco Blogs

A Brief History of Malware Obfuscation: Part 2 of 2

We parted ways last time with a discussion of polymorphism that left you tantalized and on the heels of a malware revolution…


From the Greek meta meaning about or self.

From the Greek morphe meaning shape or form.

In 1998, a virus was found in the wild that was able to conceal itself in a different way. Called the Win95/Regswap virus, it was notable because it didn’t use polymorphic decryptors to thwart detection as it evolved. It would actually switch CPU registers from generation to generation (but otherwise retain the same codebase). This would prevent conventional pattern matching from working, but the technique of wildcard pattern matching, which would soon be implemented, would later catch up and nab this guy. This technique of register swapping was a basic form of metamorphism, and it was going to set the stage for an epic battle in the growing malware arms race.

Metamorphism, which can be thought of as “body-polymorphism,” was a major leap forward. Quite simply, the malware is able to reprogram itself as it evolves across generations. This was a quantum leap in viral programming, as the code is effectively becoming pseudo-self-aware, able to parse and mutate its own body as it spreads.

A New Year and New Opportunity for Security

Reflections on 2009

Just over a year ago, I was invited to join ongoing discussions with retired Lt. General Harry Raduege, Scott Charney and Representatives Langevin and McCaul and other industry, academia, and government representatives, and engaged in an impassioned debate. The topic? Cybersecurity strategy and direction for the next President. How would we advise the incoming President about protecting and securing our country’s information systems?

Formulated within the Center for Strategic and International Studies (CSIS), we discussed the evolving online threats, how our current approaches and technologies stack up against these threats, and how these factors – and others – impact the online world in ways that affect U.S. critical infrastructure and our way of life. In late December 2008, we completed and delivered the Securing Cyberspace for the 44th Presidency report, which outlined our recommendations.

When President Barack Obama came into office, he appointed Melissa Hathaway – who chaired a multiagency group called the “National Cyber Study Group” that was instrumental in developing the Comprehensive National Cyber Security Initiative to direct U.S. Federal cybersecurity efforts – leading to a comprehensive “60-Day Review” of the U.S. cybersecurity infrastructure. The ensuing Cyberspace Policy Review published in May 2009 by the Obama administration includes key findings and recommendations from the 60-Day Review. This report examines important cybersecurity challenges and sets the focus and path toward increasing the security of government, critical infrastructure and consumer systems, both domestically and globally.

Fast-forward to this past December 22. President Obama’s appointment of Howard Schmidt as U.S. Cybersecurity Coordinator should regenerate the momentum needed for the U.S. – and the world – to protect national and economic interests online. Mr. Schmidt is faced with the arduous task of reinvigorating and building upon the significant efforts to date, forging new relationships while expanding upon collaborations already underway between the private and public sectors, and international leaders.

Automated Clearinghouse Attacks

The Town of Poughkeepsie, NY was in the news this past week because the municipality’s bank account was targeted by international computer thieves. This is a prime example of the warning issued by the FS-ISAC last August, which I discussed here. In light of the incident that cost Poughkeepsie’s government nearly US$300,000, I thought it would be prudent to revisit automated clearinghouse (ACH) wire fraud.

A Brief History of Malware Obfuscation: Part 1 of 2

To Hide is to Thrive

Malware is just plain insidious. It can do very wicked things on a very large scale. Ostensibly, to do the dirt, malware must fly under the radar of the good guys’ defenses. When it comes to the art and science of detecting and concealing malware, for decades an escalating war of complexity has raged on betwixt the benevolent and the malevolent. This article aims to be a 98% assembly language free (mov al, 61h) examination of that arms race, with a specific focus on a brief history of malware obfuscation.

Obfuscation of malware serves the one ultimate purpose: Survival.

Early on, malware authors learned that for their dark little creations to spread and prosper, they must be kept hidden from the sentinels of light. The longer a piece of malware can stay undetected, the longer it has to spread and evolve. If malware didn’t take measures to conceal itself, it would be easy pickins for the front-line troops in the AV vendors’ armies, the pattern matchers. Additionally, as malware stays enshrouded, it eludes analysis by the experts, which further complicates efforts to scrutinize its internal yum-yumness (and subsequently come up with methods to detect and destroy).

Reidentification Using Social Networks

Recently, the Electronic Frontier Foundation (EFF) and the International Secure Systems Lab (iSec Lab) have publicized methods of de-anonymization. The EFF released a tool to demonstrate de-anonymization via browser fingerprinting, while an iSec Lab paper featured in Heise Security discusses the authors’ attempts to use browser history and the unique properties of social networks to identify individuals. The threats to user privacy continue to grow more evident and sophisticated.