Malware developers have continuously evolved their techniques to bypass antivirus systems. Their evasion strategies primarily fall into three categories: Transformation-based, Concealment-based, and Attack-based [1], as illustrated in the image below:
To effectively counter these evasion strategies, it is crucial to understand how they work. For example, some malware variants insert excessive NOP instructions to increase their file size, helping them bypass size-based detection thresholds used by antivirus scanners.
Transformation-based strategy
The transformation-based strategy involves modifying the structural and behavioral characteristics of malware to evade detection. This can be achieved by altering either the static structure or the dynamic behavior of malware during runtime. Static modifications help avoid signature-based detection, while dynamic changes help evade behavior-based analysis.
Examples of transformation-based evasion techniques include:
Packers
Packers use encryption and compression to transform the original executable, making it harder to analyze. Some packers use virtual-machine-based execution: they translate the program's opcodes into a custom bytecode that runs inside an embedded virtual machine, further complicating detection. For this demonstration, I used UPX [2], a tool widely used by malware developers for packing binaries [3] (as noted in a 2012 survey). To illustrate, I selected a single malware sample and created multiple packed variants. The sample's original SHA-256 hash is: e56e4f523e0a013820d3201995073401df92402b60a1d94a105f99381e7d3499. This sample has been analyzed on VirusTotal and flagged as malware by 44 different antivirus engines:
However, after packing it with UPX, only 10 antivirus engines still detected it:
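A defender-side check for the packing shown above, added here as example code (it is not from the post, from UPX, or from VirusTotal): it walks the PE section table and flags sections either by the section names UPX writes (UPX0/UPX1/UPX2) or by byte entropy near 8 bits, which is what compressed or encrypted payloads look like. The entropy threshold of 7.0 and the tiny constructed PE layouts it runs on are assumptions for the demonstration, not the sample from the post.

```python
import math
import random
import struct
from collections import Counter

# Section names UPX writes into packed binaries (assumption: as seen in UPX output)
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means compressed/encrypted, plain code is usually below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob: bytes):
    """Minimal PE walk: yield (name, raw bytes) for every entry in the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt  # section table follows the optional header
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        yield name.rstrip(b"\0"), blob[raw_ptr:raw_ptr + raw_size]

def packer_indicators(blob: bytes, entropy_threshold: float = 7.0) -> list:
    """Flag sections by known packer name or by entropy typical of packed payloads."""
    findings = []
    for name, data in pe_sections(blob):
        label, ent = name.decode("ascii", "replace"), shannon_entropy(data)
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{label}: known packer section name")
        if data and ent >= entropy_threshold:
            findings.append(f"{label}: entropy {ent:.2f}")
    return findings

def build_sample_pe(sections) -> bytes:
    """Assemble a constructed, non-executable PE layout (headers + sections) for testing."""
    header_len = 64 + 24 + 40 * len(sections)
    body, table = b"", b""
    for name, data in sections:
        ptr = header_len + len(body) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0)
        body += data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # no optional header
    return dos + b"PE\0\0" + file_hdr + table + body

# Constructed inputs: a UPX-style layout with a high-entropy UPX1 section, and a plain one
rng = random.Random(1)
SAMPLE_PACKED = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(rng.randrange(256) for _ in range(4096))), (b".rsrc", b"\0" * 512)])
SAMPLE_PLAIN = build_sample_pe([(b".text", b"\x90" * 256 + b"\xc3" * 64), (b".data", b"hello" * 50)])
```

Real samples should be read with a full PE parser (e.g. pefile) rather than this minimal walk, and entropy alone is only a triage signal, since legitimate installers and compressed resources also score high.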
Code Obfuscation
Code obfuscation modifies the structure and control flow of a program to make analysis more difficult while preserving functionality. Common techniques include:
- Garbage code insertion: Injecting redundant instructions that do not affect program execution.
- Register substitution: Replacing register names to confuse disassemblers.
- Control flow obfuscation: Modifying execution paths to make analysis harder.
For this test, I used the free version of Obfuscator Executive [4] to obfuscate the sample. The results are shown below:
Obfuscator Executive works by obscuring critical components within executables and binary files, such as class names, functions, subroutines, objects, variables, constants, and UI elements. It replaces meaningful identifiers with indistinguishable placeholders, making the program harder to understand and reverse engineer. Before obscuring:
After obscuring: 
Metamorphism
Metamorphic malware undergoes extensive transformations, rewriting its own code to generate unique variants while maintaining its malicious behavior. For instance, the Frankenstein framework [5] assembles malware by combining code fragments from legitimate software, making it resistant to signature-based detection.
Behavioral Obfuscation
Behavioral obfuscation techniques manipulate execution patterns to avoid detection. These include:
- Multi-threaded execution: Splitting malicious operations across multiple threads.
- API obfuscation: Masking API calls to evade detection.
- Process injection: Running malicious code inside legitimate processes.
A notable example is the Shadow Attack [6], which splits the malicious work across multiple processes so that no single process exhibits a system-call sequence that call-based detection recognizes.
Conclusion
As malware continues to evolve, security researchers must stay updated on evasion techniques to improve detection mechanisms. Transformation-based evasion alters malware’s structure, concealment-based evasion hides malicious behavior, and attack-based evasion directly targets security solutions or uses adversarial techniques to deceive them. Understanding these methods is essential for developing robust countermeasures against modern malware threats.
Footnotes
[1] Jiaxuan Geng, Junfeng Wang, Zhiyang Fang, Yingjie Zhou, Di Wu, and Wenhan Ge. 2024. A survey of strategy-driven evasion methods for PE malware: Transformation, concealment, and attack. Comput. Secur. 137, C (Feb 2024). https://doi.org/10.1016/j.cose.2023.103595
[2] UPX project. (n.d.). upx/upx: UPX - the Ultimate Packer for eXecutables. GitHub. Retrieved March 1, 2025, from https://github.com/upx/upx
[3] Branco, R. R., Barbosa, G. N., & Drimel, P. (2012). Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies.
[4] Obfuscator Executive. (2024, December 1). Obfuscator Executive: secure EXE and binary files. Retrieved March 1, 2025, from https://obfuscator-executive.com/
[5] Mohan, V., & Hamlen, K. W. (2012). Frankenstein: Stitching Malware from Benign Binaries. WOOT, 12, 77-84.
[6] Ma, W., Duan, P., Liu, S., Gu, G., & Liu, J. C. (2012). Shadow attacks: automatically evading system-call-behavior based malware detection. Journal in Computer Virology, 8, 1-13.
