As cyber attacks become more sophisticated, it only makes sense that decoding the methods in malicious code is becoming that much more difficult.
Attacks no longer simply scramble function names, but encrypt entire blocks of code, security experts said.
Attackers use obfuscation to make malicious software harder to analyze and to keep security tools, such as intrusion-detection systems, from recognizing the attack. At first, obfuscation merely scrambled the names of the functions called by a program, complicating analysis of the binary code.
As automated reverse engineering makes progress, however, malware authors are increasingly scrambling entire blocks of code and using better obfuscation techniques to make analysis and detection that much harder, said Adam Meyers, director of cybersecurity operations for SRA International.
Part of the problem is that attackers use so many different ways of getting onto systems, experts say. Attacks that use social engineering will use obfuscated Web addresses and code. Drive-by downloads, which infect people when they visit a website, will encrypt their payloads. And more direct measures aimed at servers will scramble the code to evade intrusion-detection systems, experts said.
That is where reverse engineering comes into play.
In March, Google bought reverse-engineering firm Zynamics, the maker of tools to help analyze binary executables. Reverse engineering is mainly used to analyze software, such as malware, for which there is no source code.
Currently, most obfuscation is simple, using operations such as XOR-ing bits or rotating through alphanumeric characters. Increasingly, however, the attackers are using better encryption or customized functions to make reverse engineering more difficult.
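Because a single-byte XOR or a fixed rotation has so few possible keys, an analyst can try them all and keep the outputs that contain an expected marker. The following is an added example, not code from the article or anyone it quotes; the marker list, the sample string, and the rotation scheme (letters mod 26, digits mod 10) are assumptions made for illustration.

```python
import string

# Strings an analyst expects in decoded content (assumed marker list).
MARKERS = (b"http://", b"https://", b"This program cannot be run")

def xor_decode(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)

def rot_decode(blob: bytes, n: int) -> bytes:
    """Undo a rotation of n places: letters mod 26, digits mod 10 (assumed scheme)."""
    out = bytearray()
    for b in blob:
        c = chr(b)
        if c in string.ascii_lowercase:
            b = (b - 97 - n) % 26 + 97
        elif c in string.ascii_uppercase:
            b = (b - 65 - n) % 26 + 65
        elif c in string.digits:
            b = (b - 48 - n) % 10 + 48
        out.append(b)
    return bytes(out)

def recover(blob: bytes, markers=MARKERS):
    """Try every single-byte XOR key and rotation; return (method, key, plaintext) hits."""
    hits = []
    for key in range(1, 256):
        plain = xor_decode(blob, key)
        if any(m in plain for m in markers):
            hits.append(("xor", key, plain))
    for n in range(1, 26):
        plain = rot_decode(blob, n)
        if any(m in plain for m in markers):
            hits.append(("rot", n, plain))
    return hits

# Constructed samples: one string obfuscated both ways (not real malware data).
SAMPLE_PLAIN = b"http://example.invalid/update7"
SAMPLE_XOR = xor_decode(SAMPLE_PLAIN, 0x5A)
SAMPLE_ROT = rot_decode(SAMPLE_PLAIN, -13)  # negative n rotates forward, i.e. encodes

if __name__ == "__main__":
    for blob in (SAMPLE_XOR, SAMPLE_ROT):
        print(recover(blob))
```

An empty result means the content is not protected by either simple scheme, which is the case for the stronger encryption and customized functions described above.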