Much malware can be identified by detection software because it contains known bits of malicious code. But what if a virus were compiled from little bits of programs you already had installed? That's just what two security researchers are looking into.
Frankenstein or The Modern Prometheus is a classic story in which a doctor creates life through technology in the form of a creature assembled from the parts of dead men. While this biological idea exists only in fiction, researchers have recently used it to craft a very ingenious piece of malware.
Vishwath Mohan and Kevin Hamlen at the University of Texas at Dallas are interested in how malware disguises itself in order to propagate more widely. Their prototype, Frankenstein, builds malware out of "gadgets": short instruction sequences harvested from benign programs already present on the target machine. In Windows Explorer alone, Frankenstein found nearly 90,000 gadgets in just over 40 seconds, which means that malware created by the system would have a huge number of possible variations, work quickly, and be very difficult to detect.
Frankenstein follows pre-written blueprints that specify certain tasks - such as copying pieces of data - and swaps in gadgets capable of performing those tasks. Such swaps repeat each time Frankenstein infects a new computer, but with different gadgets, meaning that the malware always looks different to antivirus software, even if its ultimate effects are the same.
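The blueprint-plus-gadget idea above, reduced to a toy model as an added illustration (this is not the researchers' Frankenstein code; the four-register machine, the gadget pool and the blueprint are all constructed here). It shows why the technique defeats byte-level signatures: every variant has a different byte image, yet all of them produce the same final register state, which is the property a behaviour-based detector can key on.

```python
"""Toy model of blueprint + gadget substitution (constructed example).

A blueprint lists abstract tasks; for each task the pool offers several
semantically equivalent gadgets. Picking one gadget per task yields many
variants with distinct byte images but identical effect.
"""
import hashlib
import itertools

# Gadget pool: each entry returns the instruction lines implementing a task.
# Register "t" is scratch space that some gadgets clobber.
GADGET_POOL = {
    "zero": [
        lambda d: [f"xor {d}, {d}"],
        lambda d: [f"mov {d}, 0"],
        lambda d: [f"sub {d}, {d}"],
    ],
    "copy": [
        lambda d, s: [f"mov {d}, {s}"],
        lambda d, s: [f"push {s}", f"pop {d}"],
        lambda d, s: [f"xor {d}, {d}", f"add {d}, {s}"],
    ],
    "add": [
        lambda d, k: [f"add {d}, {k}"],
        lambda d, k: [f"sub {d}, {-k}"],
        lambda d, k: [f"push {d}", "pop t", f"add t, {k}", f"mov {d}, t"],
    ],
}

# Blueprint (constructed): a = b; a += 5; b = 0; c = a
BLUEPRINT = [("copy", "a", "b"), ("add", "a", 5), ("zero", "b"), ("copy", "c", "a")]
INITIAL = {"a": 0, "b": 7, "c": 0, "t": 0}
EXPECTED = {"a": 12, "b": 0, "c": 12}  # scratch register t is not observable


def execute(lines, regs):
    """Interpret the toy instruction set and return the final registers."""
    regs = dict(regs)
    stack = []

    def val(x):  # operand is a register name or an integer immediate
        return regs[x] if x in regs else int(x)

    for line in lines:
        op, rest = line.split(" ", 1)
        args = [a.strip() for a in rest.split(",")]
        if op == "mov":
            regs[args[0]] = val(args[1])
        elif op == "add":
            regs[args[0]] += val(args[1])
        elif op == "sub":
            regs[args[0]] -= val(args[1])
        elif op == "xor":
            regs[args[0]] ^= val(args[1])
        elif op == "push":
            stack.append(val(args[0]))
        elif op == "pop":
            regs[args[0]] = stack.pop()
        else:
            raise ValueError(f"unknown op {op}")
    return regs


def instantiate(blueprint, choice):
    """Swap one concrete gadget in for each abstract task."""
    lines = []
    for (task, *args), idx in zip(blueprint, choice):
        lines.extend(GADGET_POOL[task][idx](*args))
    return lines


def all_variants(blueprint):
    ranges = [range(len(GADGET_POOL[task])) for task, *_ in blueprint]
    return [instantiate(blueprint, c) for c in itertools.product(*ranges)]


def encode(lines):
    return "\n".join(lines).encode()


def exact_hash_hits(variants, known):
    """Detector 1: hash of one known sample."""
    sig = hashlib.sha256(encode(known)).hexdigest()
    return sum(hashlib.sha256(encode(v)).hexdigest() == sig for v in variants)


def pattern_hits(variants, pattern):
    """Detector 2: a short byte pattern lifted from one known sample."""
    return sum(pattern in encode(v) for v in variants)


def behaviour_hits(variants, initial, expected):
    """Detector 3: run each sample and compare its effect to the blueprint's."""
    hits = 0
    for v in variants:
        final = execute(v, initial)
        if all(final[r] == x for r, x in expected.items()):
            hits += 1
    return hits


def summary():
    variants = all_variants(BLUEPRINT)
    return {
        "variants": len(variants),
        "distinct_images": len({encode(v) for v in variants}),
        "exact_hash_hits": exact_hash_hits(variants, variants[0]),
        "pattern_hits": pattern_hits(variants, b"add a, 5"),
        "behaviour_hits": behaviour_hits(variants, INITIAL, EXPECTED),
    }


if __name__ == "__main__":
    print(summary())
```

With three gadgets for each of four tasks the blueprint yields 81 textually distinct variants. A hash of one sample matches only that sample, a byte pattern copied from it matches only the variants that happened to pick the same gadget, while comparing the effect of running each sample against the blueprint's intended effect flags all of them.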
Malware authors and security researchers have tried other ways to camouflage malicious code, such as encrypting it or padding it with garbage data to confuse scanners. As Mohan and Hamlen remark in the paper describing their work: "The results show that even with the limited capacity of our prototype, 2–3 binaries are sufficient to bring the number of gadgets above 100,000. On average we discovered about 46 gadgets per KB of code, finding approximately 2338 gadgets per second."
The research was presented at the USENIX Workshop on Offensive Technologies earlier this month and highlights the need for a new approach to virus detection software, one that is able to find malware that morphs and is disguised in the trappings of legitimate code. The US Air Force partially funded the project, the findings of which may be used to influence future state-sponsored cyber attacks.