Normal Java JAR or class format samples can be easily analyzed with Java decompiler tools, such as JAD and JD-GUI. Not so with obfuscated ones, where decompiling results may be empty or unclear. When this happens, we need to analyze the JVM (Java Virtual Machine) p-code. Nowadays, more and more Java malware uses anti-decompiling techniques to increase the difficulty of analysis. In this blog post, we will analyze a new JAR obfuscated packer that is being used by Java malware, using a sample that we detect as Java/Obfus.CI!tr as an example. Decompiling...
by Ruhai Zhang  |  Dec 01, 2014  |  Filed in: Security Research
If you have any interest in Android packers, or how to reverse mobile malware that use such packers, please don't miss Ruchna's upcoming talk at Hacktivity. Android Packers: Separating from the Pack - 11 October 2014, 11:20 - 12:05. If you feel like reading on this topic beforehand, I suggest: our joint paper in Virus Bulletin: "Obfuscation in Android malware and how to fight back" (July 2014), with tools and tips to reverse obfuscated samples. Rowland Yu, "Android Packers: Facing the Challenges, Building the Solutions" at Virus Bulletin Conference,...
by Axelle Apvrille  |  Oct 09, 2014  |  Filed in: Security Research
Get rid of clichés: "Most anti-virus software products detect malware only through simple checksums. This is often the case for the anti-virus engines which are integrated into network gateways." People mainly believe that the main reason is that network gateways have limited resources to process the sheer amount of data exchanged through them "in real time", and also that their OS is "embedded" and thus limited. So people think that the bottom line is: "Too easy to bypass!" Let's be clear: reality is more...
by Alexandre Aumoine  |  Jul 30, 2012  |  Filed in: Security Research