The Kings in Your Castle, Pt #4


Oftentimes, there is talk about a "sophisticated" malware-based attack against an individual or an organization. The prevalent assumption is that a great deal of development work has gone into the attack tools. In the 4th part of the article series, Marion Marschalek and Raphael Vinot will demonstrate what 'sophistication' means and what it actually looks like.

Attackers naturally try their best to disguise their real intentions. To this end, malware authors have an array of tools at their disposal to help with this. A frequently used way of making an analyst's life a tad more difficult is code obfuscation. When looking at a file, the analyst only sees a garbled mess of characters that he needs to sift through first. Some of this can be automated, some cannot. One desirable side effect from the use of obfuscation and crypters is that malware authors can reuse their code without having to rewrite it.

To put it in more provocative terms: packers, crypters and obfuscation allows attackers to be lazy. This laziness also has its reasons, which are purely of an economic nature. Writing and testing new code costs time and money, neither of which is invested if an attacker can just as well reuse what they have. According to Marion Marschalek and Raphael Vinot, this is exactly what happens in the majority of cases (see part #3 of the article series).

The 'Perfect Attack': if it's worth doing at all, it's worth doing it right

You would be wrong, however, if you expected to see massive layers of obfuscation and other means of obscuring and protecting a malicious file's intentions when looking at a targeted attack with a custom toolset. The real challenge is the complete absence of such features. For this type of attacks, the motto applies that if something is worth doing (like creating an expensive custom toolset), it is worth doing it right. Properly planned and designed malware applications are an analyst's nightmare come true. The absence of certain tell-tale indicators such as runtime packers, crypters and whatnot forces an analyst to rethink his or her approach. 

Soft metrics, new indicators and shades of grey

It becomes increasingly clear that 'sophistication' is a very soft criterion for describing malware. In reality, what media outlets consider 'sophisticated' is in fact rather crude and uses off-the-shelf tools that are readily available. On the other hand, this does not mean that those tools should be discounted as harmless, on the contrary.One should just be careful when using the word 'sophisticated', when it is discovered that a Remote Access Trojan (RAT) has been sitting in a network for an extended period of time: persistence and sophistication should not be confused.


Analysts need to find ways of discovering malicious binaries more reliably, especially if they come with protective features. There are tools for detecting features such as the use of a packer, but those tools are outdated and prone to false negative detections. Plus, the use of a packer does not necessarily signify the presence of a malicious executable. Therefore, other indicators must be added to come up with a more reliable detection.

More information

If you are curious about how analysts refine their methods to leverage modern APT detection, head over to the blog of G DATA Advanced Analytics.