Researchers create 'Frankenstein' malware made up of common gadgets

Aug 21, 2012 by Bob Yirka weblog
High-level architecture of Frankenstein. Image: Kevin W. Hamlen

(Phys.org)—In the ever-ongoing struggle between good and evil, or in this case the battle between those who create malware and those who seek to detect and destroy it, the good guys appear to have mimicked the bad by creating a computer virus that can evade detection by building itself from pieces of code that normally reside harmlessly on people's computers. The result, say Vishwath Mohan and Kevin Hamlen of the University of Texas, is a cyber version of Frankenstein's monster.

The research, partly funded by the US Air Force, was presented at this year's USENIX Workshop on Offensive Technologies. The team's aim was to see whether it is possible to create a virus made up of nothing but gadgets: snippets of code used by commonly installed programs such as Internet Explorer or Notepad. Theoretical research over the past several years had suggested it could be done. The broader purpose of the project was to see whether the technique could produce a virus that conventional anti-virus programs cannot detect. The answer appears to be yes, though the malware the team created is not a virus in the technical sense: it does no harm and is merely a proof of concept. Their code produced new code, assembled from gadgets, that ran two harmless algorithms; those algorithms could just as easily have been very, very harmful. One of the cleverer aspects of the team's code is that the original kernel, the part that infects the computer, was itself modified to look like part of a normal gadget, leaving no trace of itself to be found.

The point of creating new kinds of malware is, of course, to help those on the right side of the law stay one step ahead of those who hide in the dark, toiling in earnest to conceive and construct ever more malevolent software that, once unleashed, preys on others and does their bidding. Getting there first gives researchers time to build ways to counter such malware before the bad guys figure out the technique themselves. In this case, some have suggested that the best way to detect the new, so-called undetectable malware is security software that recognizes objectionable behavior, rather than scanning code for identifying markers, which is how virtually all anti-virus software currently finds infections on computer systems.


More information: Kevin W. Hamlen's page: www.utdallas.edu/~hamlen/research.html


User comments : 10

Vendicar_Decarian
not rated yet Aug 21, 2012
Software entry points need to be protected by rigid conventions. In this case a reserved bit is needed in the instruction set that defines an opcode to be a valid entry point.

A jump or call from one application to another that goes to a destination opcode that does not have this bit set should generate an exception, allowing the calling application to be shut down.
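
A toy simulation of the entry-point-bit idea in this comment, added here as an illustration and not code from the researchers or the commenter: each opcode carries a flag bit marking it a valid branch target, and an indirect call to an unflagged instruction, such as into the middle of a routine the way a borrowed gadget would be entered, faults instead of executing. The instruction set, program and names are all constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy instruction set. The high bit of each opcode byte is the "valid entry
 * point" flag from the comment above; everything here is constructed. */
#define ENTRY 0x80
enum { OP_ADD = 1, OP_ICALL = 2, OP_RET = 3, OP_HALT = 4 };

typedef struct { uint8_t op, arg; } insn_t;
typedef struct { int status, acc, fault_pc; } run_t; /* status 0 = ok, -1 = fault */

/* Executes code; an indirect call whose target lacks ENTRY faults instead of running. */
run_t run(const insn_t *code, int len) {
    run_t r = { 0, 0, -1 };
    int pc = 0, sp = 0, stack[8];
    for (int step = 0; step < 100 && pc >= 0 && pc < len; step++) {
        uint8_t op = code[pc].op & ~ENTRY, arg = code[pc].arg;
        switch (op) {
        case OP_ADD: r.acc += arg; pc++; break;
        case OP_ICALL:
            /* target comes from data, as an attacker-controlled pointer would */
            if (arg >= len || !(code[arg].op & ENTRY) || sp == 8) {
                r.status = -1; r.fault_pc = arg; return r;
            }
            stack[sp++] = pc + 1; pc = arg; break;
        case OP_RET:
            if (sp == 0) { r.status = -1; r.fault_pc = pc; return r; }
            pc = stack[--sp]; break;
        case OP_HALT: return r;
        default: r.status = -1; r.fault_pc = pc; return r;
        }
    }
    r.status = -1; r.fault_pc = pc; return r; /* ran off the end or looped */
}

/* Caller at 0 calls 'target'; the routine at 3 (flagged ENTRY) adds 5 then 7 and returns. */
static run_t call_into(uint8_t target) {
    insn_t prog[] = { { OP_ICALL, target }, { OP_HALT, 0 }, { OP_ADD, 0 },
                      { OP_ADD | ENTRY, 5 }, { OP_ADD, 7 }, { OP_RET, 0 } };
    return run(prog, 6);
}

int main(void) {
    run_t ok = call_into(3);  /* call to the routine's real entry point */
    run_t bad = call_into(4); /* gadget-style entry into the middle of the routine */
    printf("entry call: status=%d acc=%d\n", ok.status, ok.acc);
    printf("mid-routine call: status=%d fault at pc %d\n", bad.status, bad.fault_pc);
    return 0;
}
```

The legitimate call runs the whole routine (accumulator 12), while the call into its second instruction is refused before anything executes.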

axemaster
not rated yet Aug 21, 2012
Well, this is a scary prospect. Unfortunately, even if antivirus programs can be modified to detect this, it will probably require a LOT more scanning and thus waste even more CPU resources than it does already. At least that's my guess.
Eikka
not rated yet Aug 21, 2012
The overall purpose of such a project would be to see if using the technique could result in the creation of a virus that could not be detected by conventional anti-virus programs.

In my experience, none of the conventional anti-virus suites actually manage to detect malware intrusions. They only seem to work in trivial cases like email attachments or infected thumbdrives that they can scan before any of the contents are activated.

Most of the time the viruses and malware come in from the internet through bugs in the browser plugins or other network software, and the first thing it does is hide from the AV or disable it quietly. You'll only notice them later when the system starts to behave strangely, and then it's too late anyways.

Vendicar_Decarian
not rated yet Aug 21, 2012
That is my experience as well.

"In my experience, none of the conventional anti-virus suites actually manage to detect malware intrusions. They only seem to work in trivial cases like email attachments or infected thumbdrives that they can scan before any of the contents are activated." - Eikka
ValeriaT
not rated yet Aug 21, 2012
Technically speaking, the worms, i.e. scripted viruses, mostly utilize the built-in functionality of the operating system, mail program or even common office applications, and there is nothing groundbreaking about it. The whole script is just a few kilobytes long, because it utilizes many other components from outside.
Eikka
not rated yet Aug 21, 2012
That is my experience as well.

And in light of that experience, it seems completely pointless to be running any virus scanners. They don't stop the viruses or worms, and they act like viruses and worms to make your computer slower and more prone to crash, or develop some odd conflict with system/software updates.

The only time you need them is the occasional system scan, and checking new files from untrusted sources. I run a passive scanner program for that.
ziphead
not rated yet Aug 21, 2012
1. Have a regular backup of your system image on a detachable external drive.
2. Disable scripting/activeX etc. on the browser for the internet zone, then enable it for sites you explicitly trust. Over time you will find that there aren't as many as you think.
3. Restrict your email client to text-only mode; just 'cause there is a URL in an email doesn't mean you have to follow it.
4. Do not install random crap and browser add-ons from the net. There is a reason why it is free.
5. Browse/run through VMware guest if you do have to visit funny sites or install funny apps.
6. Do not get promiscuous with USB keys; think before you stick it in.
7. Finally: dump the anti-virus kernel hogs. If you really think you need it, try Windows Essentials.

When in doubt, restore from the latest trusted system image.
alfie_null
not rated yet Aug 22, 2012
Browse/run through VMware guest

Confers protection not only because of the isolation, but also because the sophisticated variety of viruses, those that try hard to elude detection, deliberately don't activate themselves in virtual environments (again, to avoid the sort of live observation and analysis that's possible in a virtual environment).

If sandboxing your browser in a VM becomes typical behavior, future virus writers will have a hard choice to make.
antialias_physorg
not rated yet Aug 22, 2012
If sandboxing your browser in a VM becomes typical behavior

Many browsers already employ sandboxing (or similar features). The Chrome sandbox has already been circumvented.

http://www.zdnet....ll/10588

I used to run Sandboxie, but it, too, has already been circumvented (via forging the whitelist it uses IIRC. BIOS hacks can also circumvent it.)
So now I don't bother anymore. Sandboxing was a nice concept (so was VM), but it's not foolproof.
Eikka
not rated yet Aug 25, 2012
6. Do not get promiscuous with USB keys; think before you stick it in.

Press the Shift key while inserting to stop autorun from launching any suspicious programs. Disable autorun on all drives.

Some thumbdrives come with U3 or StartKey software which is designed to autorun in Windows to run some "helpful" gadgets, and are granted special permissions like access to the registry which makes them malware-magnets and generally obnoxious.

If you have one, there's software available online that lets you nuke it free of the stuff.