
Application Authentication - First Line Of Defense Against Obfuscation

 
Security Engineer...
Do not expect a system to start misbehaving once it is infected by malware. Malware can perform its functions without showing any symptoms for days, months or years. New malware is capable of hiding itself even from powerful antivirus scan engines, and it can do its job without affecting the normal functionality of the system.

Obfuscation helps malware writers hide the malicious code in their programs. There are different types of obfuscation techniques, such as polymorphism, runtime packing and junk code injection. Obfuscation can also be as simple as code transposition or renaming variables.

Obfuscation makes it time-consuming for an antivirus program to analyze a malware program, and when obfuscation is combined with encryption the malware becomes more resistant to analysis. It is then difficult for an antivirus program to detect malicious code in the obfuscated program.

When we analyze the latest malware threats, we see that most recent malware is a variant of older malware programs. When junk code is inserted into a malware program, the pattern and execution methods might change but the functionality stays the same, and an antivirus scan engine finds it difficult to detect any matching patterns in its signature database.

A malware writer can create a malware program and then, by inserting junk code into it, create 100 unique malware programs with the same functionality. Adding encryption and runtime packing makes it even more difficult for an antivirus scan engine to detect matching patterns in the malware code. Some antivirus software uses sandboxing to detect malicious functions in obfuscated programs. But we should also understand that new malware is intelligent enough to detect a sandbox environment and change its behavior at runtime.

Instead of analyzing code patterns, antivirus software should use application fingerprinting and authentication methods to identify genuine applications.

The simple rule of security should always be: deny everything, and allow only authenticated/authorized applications to execute and access the data. Application authentication should be the first line of defense against malware.
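
The contrast argued above, as an added example that is not part of the original post: a default-allow signature scanner and a default-deny fingerprint allowlist are run over the same set of padded variants. The class names, the SHA-256 fingerprint and the byte strings are assumptions constructed for illustration; the byte strings are placeholders, not program code.

```python
import hashlib

def fingerprint(image: bytes) -> str:
    """Application fingerprint: SHA-256 over the whole file image."""
    return hashlib.sha256(image).hexdigest()

class SignatureScanner:
    """Default-allow control: blocks only images containing a known-bad pattern."""
    def __init__(self, patterns):
        self.patterns = list(patterns)

    def allows(self, image: bytes) -> bool:
        return not any(p in image for p in self.patterns)

class AllowlistPolicy:
    """Default-deny control: runs only images whose fingerprint was approved."""
    def __init__(self):
        self._approved = {}

    def approve(self, name: str, image: bytes) -> None:
        self._approved[fingerprint(image)] = name

    def allows(self, image: bytes) -> bool:
        return fingerprint(image) in self._approved

# Constructed stand-ins for file contents; none of this is real program code.
APPROVED_APP = b"APP:editor;OPEN;EDIT;SAVE"
UNWANTED = b"STEP-A;STEP-B;STEP-C"
PATTERN = b"STEP-A;STEP-B"  # signature written from the first sample seen

def variants(count: int):
    """Same steps as UNWANTED, with differing amounts of filler between them."""
    return [b"STEP-A;" + b"PAD;" * n + b"STEP-B;STEP-C" for n in range(1, count + 1)]

def compare(count: int = 100) -> dict:
    scanner = SignatureScanner([PATTERN])
    policy = AllowlistPolicy()
    policy.approve("editor", APPROVED_APP)
    samples = variants(count)
    return {
        "unique_variants": len({fingerprint(s) for s in samples}),
        "variants_run_under_signatures": sum(scanner.allows(s) for s in samples),
        "variants_run_under_allowlist": sum(policy.allows(s) for s in samples),
        "original_blocked_by_signature": not scanner.allows(UNWANTED),
        "approved_app_runs": policy.allows(APPROVED_APP),
        "modified_approved_app_runs": policy.allows(APPROVED_APP + b"\x00"),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

A fingerprint over the whole file changes with every legitimate update, so each new version has to be approved again; allowlisting deployments commonly accept a trusted publisher's code signature as the application identity for that reason.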

© 2012 SiliconIndia all rights reserved