I spy with my little eye
To the human eye, of course, there’s no dramatic difference between legitimate and malicious scripts if they’re obfuscated. An AV program might easily flag an “innocent” program as malicious because a technology normally associated with malware is being used.
The Greatest Good for the Greatest Number?
When the signature is throttled back so that the presence of the obfuscation software is not flagged as suspicious, it means that the interests of a few developers of poorly-implemented web pages are given priority over the interests of the many people whose systems are threatened by the many sites that serve obfuscator-protected malware. Indeed, malware writers sometimes go out of their way to use “popular” obfuscators in hope they remain undetected, knowing that AV vendors try to avoid detecting legitimate websites, so, increasingly, the vendors are leaning towards a more Utilitarian approach.
The Unwise and Wherefores
In fact, it’s possible for an anti-virus engine to decode a script in real time, in order to assess the malice or innocence of an object more reliably by examing the de-obfuscated script. However, this kind of in-depth analysis takes substantial time and resources, and most users would not regard the processing delay as acceptable.
Given this rich assortment of related problems, it’s hard to see how anyone could continue to recommend the use of protectors, since they don’t necessarily offer much to the developer in the way of protection against patching or reverse engineering to offset their disadvantages.
Pack It In!
As it happens, the IEEE Malware Working Group, of which ESET is a member, has been working for some time with some of the major packer companies on a system for making it possible to blacklist individual (mis)users of the software rather than the software itself. (Vendors with an approach based on whitelisting and/or reputation services may also find approach more useful.)
We hope that this will introduce some significant benefits to companies like Themida, to AV vendors, and (most importantly, some would say!) to the customer, whereas current piecemeal approaches to blacklisting and whitelisting have only limited, short-term effectiveness. Which is why, at present, AV vendors tend to favour a more generic approach that benefits the majority.