Proceedings of ISP RAS


The Application of Compiler-based Obfuscation and Diversification for Program Signature Modification

A.R. Nurmukhametov (ISP RAS, Moscow, Russia)

Abstract

Development of malware detection techniques leads to the evolution of anti-detection techniques. In this paper we discuss possibility of creating an automatic tool for signature modification. In this article we describe our experience in designing and development of such tool. For signature modification in Linux programs we implemented a tool based on LLVM compiler infrastructure and for Windows programs we used post-link instrumentation and optimization tool Syzygy. The former approach requires program source code, while the latter assumes only the presence of debug information. Diversifying and obfuscating transformations were implemented in both cases with the aim of changing the signature of program to prevent matching them the known patterns. Implemented transformations are bogus code insertion, function permutation, instruction substitution, ciphering of constant buffer. As a result we demonstrate proof-of-concept examples which confirm that it is possible to automatically change of program signature for avoiding detection by signature-based analysis. Furthermore we explain drawbacks of this technique and discuss the further ways of development.

Keywords

diversification, obfuscation, signature analysis

Edition

Proceedings of the Institute for System Programming, vol. 28, issue 5, 2016, pp. 93-104.

ISSN 2220-6426 (Online), ISSN 2079-8156 (Print).

DOI: 10.15514/ISPRAS-2016-28(5)-5

Full text of the paper in pdf (in Russian) Back to the contents of the volume