What is De-obfuscating Malware

One of the most important features of modern malware is obfuscation. Obfuscation is
the process of changing something so as to hide its main purpose. In the case of malware,
it is used to make automated analysis of the program nearly impossible
and to frustrate manual analysis to the maximum extent possible. There are two basic
ways to deal with obfuscation. The first is to simply ignore it, in which case your
only real option for understanding the nature of a piece of malware is to observe its
behavior in a carefully instrumented environment, as detailed in the previous chapter.
The second is to take steps to remove it and
reveal the original “de-obfuscated” program, which can then be analyzed using traditional
tools such as disassemblers and debuggers.
Of course, malware authors understand that analysts will attempt to break through
any obfuscation, and as a result they build in features intended to
make de-obfuscation difficult. It can never be made truly impossible, however,
since the malware must ultimately run on its target CPU; it will always be possible to
observe the sequence of instructions that execute, using some combination
of hardware and software tools. In all likelihood, the author’s goal is
simply to make analysis sufficiently difficult that a window of opportunity is opened
in which the malware can operate without detection.