Getting under the skin: an in-depth look at MSIL malware obfuscation techniques and strategies for deobfuscation

Wednesday 4 October 12:00 - 12:30, Red room

Kaarthik Muthukrishnan (K7 Computing)

The volume of MSIL malware in the wild is high and rising. This is because MSIL binaries run within the .NET Framework with their byte code interpreted by a virtual machine, and AV engines have been relatively slow to support MSIL emulation and deobfuscation. This might be because any binary written in C#, for example, and compiled to MSIL can typically be disassembled easily to retrieve the original source code, even complete with the original variables. However, commercial and custom MSIL protectors are now very commonly used to hide the source code. These protectors, which introduce varying levels of obfuscation in the compiled MSIL binaries, are heavily employed by malware authors to evade AV detection.

MSIL protectors have adopted two main approaches, the first being the disruption of ILDasm, a tool used to disassemble .NET code, and the second being the obfuscation or even corruption of MSIL metadata. This paper explores the entire gamut of obfuscation techniques employed on MSIL binaries, with a focus on the newest ones, explaining how they would affect signature-based AV detections. We will then go on to discuss a few deobfuscation methods, including a look at the possibilities of handling these in an automated fashion to facilitate family-wise grouping.
Kaarthik Muthukrishnan

Kaarthik graduated from SSN College of Engineering (Chennai, INDIA) in 2007 with a Master's degree in computer applications. He began his career as a threat research analyst at Technosoft Corporation, where he worked for three years. Since December 2010 he has been working as a threat researcher in K7 Computing's Threat Control Lab. Kaarthik co-authored a paper for AVAR 2013, and he occasionally writes on the K7 Computing blog site. Kaarthik's personal interests include reading, photography and image processing.