Researchers create 'Frankenstein' malware made up of common gadgets

Aug 21, 2012 by Bob Yirka weblog
High-level architecture of Frankenstein. Image: Kevin W. Hamlen

(Phys.org)—In the ever-ongoing struggle between good and evil, or in this case the battle between those who create malware and those who seek to detect and destroy it, the good guys appear to have mimicked the bad by creating a computer virus that can evade detection by building itself from pieces of code that normally reside harmlessly on people's computers. The result, say Vishwath Mohan and Kevin Hamlen of the University of Texas, is a cyber version of Frankenstein's monster.

The research, which was partly funded by the US Air Force, was described to attendees at this year's USENIX Workshop on Offensive Technologies. There the team said their aim in creating the malware was to see if it might be possible to create a virus made up of nothing but gadgets: snippets of code used by such commonly installed programs as Internet Explorer or Notepad. Theoretical research over the past several years suggested it could be done. The overall purpose of such a project would be to see if using the technique could result in the creation of a virus that could not be detected by conventional anti-virus programs. And it seems the answer is yes, though the malware the team created isn't a virus in the technical sense: it causes no harm and is merely a proof of concept. Their code resulted in the creation of new code, assembled from gadgets, that ran two harmless algorithms. Those algorithms, of course, could just as easily have been very, very harmful. One of the more clever aspects of the code the team created was that the original kernel, the part that infects the computer, was itself modified so that it looked like part of a normal gadget, leaving no trace of itself to be found.

The point, of course, in creating new kinds of malware is to help people on the right side of the law stay one step ahead of those who hide in the dark, toiling in earnest to conceive and construct ever more malevolent software that, once unleashed, might prey on others and do their bidding. Getting there first gives researchers time to build ways to counter such malware before the bad guys figure out how to do it themselves. In this case, some have suggested that the best way to detect the new so-called undetectable malware is by creating security software that is able to detect objectionable behavior by software, rather than scanning it for identifying markers, which is how virtually all anti-virus software currently finds infections on computer systems.

More information: Kevin W. Hamlen's page: www.utdallas.edu/~hamlen/research.html

User comments: 10


Vendicar_Decarian
not rated yet Aug 21, 2012
Software entry points need to be protected by rigid conventions. In this case a reserved bit is needed in the instruction set that defines an opcode to be a valid entry point.

A jump or call from one application to another that goes to a destination opcode that does not have this bit set should generate an exception, allowing the calling application to be shut down.
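The entry-point bit described in the comment above, modelled as an added example (not code from the commenter or from the Frankenstein project): a constructed toy instruction set in which bit 7 of an opcode marks a valid landing point, and an interpreter that raises a fault instead of following an indirect jump into the middle of a function, which is exactly where a gadget chain wants to land.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed toy ISA: bit 7 of an opcode is the reserved "valid entry point"
 * flag proposed above; a jump or call may only land on a marked opcode. */
#define ENTRY_BIT 0x80
enum { OP_ADD = 0x01, OP_JMPI = 0x02, OP_HALT = 0x03 };
enum { RUN_OK = 0, RUN_FAULT_BAD_TARGET = -1, RUN_FAULT_DECODE = -2 };
/* The check a CPU would apply to every indirect jump/call destination. */
int valid_indirect_target(const uint8_t *code, size_t len, size_t target) {
    return target < len && (code[target] & ENTRY_BIT) != 0;
}

/* Minimal interpreter over one accumulator: ADD imm adds imm, JMPI addr
 * jumps to addr after validation, HALT returns the accumulator via *out. */
int run(const uint8_t *code, size_t len, size_t start, int *out) {
    int acc = 0;
    size_t pc = start;
    while (pc + 1 < len) {                     /* every opcode has one operand */
        uint8_t op = code[pc] & 0x7F;          /* strip the flag to decode */
        uint8_t arg = code[pc + 1];
        if (op == OP_ADD) { acc += arg; pc += 2; }
        else if (op == OP_JMPI) {
            if (!valid_indirect_target(code, len, arg))
                return RUN_FAULT_BAD_TARGET;   /* exception: caller is shut down */
            pc = arg;
        }
        else if (op == OP_HALT) { *out = acc; return RUN_OK; }
        else return RUN_FAULT_DECODE;
    }
    return RUN_FAULT_DECODE;
}

/* Constructed image: marked entries at offsets 0 and 6, and an unmarked
 * instruction at offset 4 that a gadget chain would like to reuse alone. */
static const uint8_t PROGRAM[] = {
    /* 0 */ OP_ADD | ENTRY_BIT, 1,    /* function A entry: acc += 1 */
    /* 2 */ OP_JMPI, 6,               /* indirect jump; operand lives at offset 3 */
    /* 4 */ OP_ADD, 40,               /* mid-function body: acc += 40, no bit */
    /* 6 */ OP_HALT | ENTRY_BIT, 0,   /* function B entry: halt */
};

/* Run PROGRAM with the JMPI operand patched to `target`, standing in for a
 * corrupted code pointer. Returns the run() status; *out gets acc on OK. */
int run_with_target(uint8_t target, int *out) {
    uint8_t img[sizeof PROGRAM];
    memcpy(img, PROGRAM, sizeof img);
    img[3] = target;
    return run(img, sizeof img, 0, out);
}
```

Jumping to the marked entry at offset 6 completes normally with the accumulator at 1; jumping to the unmarked instruction at offset 4 (or past the end of the image) faults before any instruction there executes.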

axemaster
not rated yet Aug 21, 2012
Well, this is a scary prospect. Unfortunately, even if antivirus programs can be modified to detect this, it will probably require a LOT more scanning and thus waste even more CPU resources than it does already. At least that's my guess.
Eikka
not rated yet Aug 21, 2012
The overall purpose of such a project would be to see if using the technique could result in the creation of a virus that could not be detected by conventional anti-virus programs.


In my experience, none of the conventional anti-virus suites actually manage to detect malware intrusions. They only seem to work in trivial cases like email attachments or infected thumbdrives that they can scan before any of the contents are activated.

Most of the time the viruses and malware come in from the internet through bugs in the browser plugins or other network software, and the first thing it does is hide from the AV or disable it quietly. You'll only notice them later when the system starts to behave strangely, and then it's too late anyways.

Vendicar_Decarian
not rated yet Aug 21, 2012
That is my experience as well.

"In my experience, none of the conventional anti-virus suites actually manage to detect malware intrusions. They only seem to work in trivial cases like email attachments or infected thumbdrives that they can scan before any of the contents are activated." - Eikka
ValeriaT
not rated yet Aug 21, 2012
Technically speaking, the worms, i.e. scripted viruses, are mostly utilizing the built-in functionality of the operating system, mail program or even common office applications, and there is nothing groundbreaking about it. The whole script is just a few kilobytes long, because it utilizes many other components from outside.
Eikka
not rated yet Aug 21, 2012
That is my experience as well.


And in light of that experience, it seems completely pointless to be running any virus scanners. They don't stop the viruses or worms, and they act like viruses and worms to make your computer slower and more prone to crash, or develop some odd conflict with system/software updates.

The only time you need them is the occasional system scan, and checking new files from untrusted sources. I run a passive scanner program for that.
ziphead
not rated yet Aug 21, 2012
1. Have a regular backup of your system image on a detachable external drive.
2. Disable scripting/ActiveX etc. on the browser for the internet zone, then enable it for sites you explicitly trust. Over time you will find that there aren't as many as you think.
3. Restrict your email client to text-only mode; just 'cause there is a URL in an email don't mean you have to follow it.
4. Do not install random crap and browser add-ons from the net. There is a reason why it is free.
5. Browse/run through VMware guest if you do have to visit funny sites or install funny apps.
6. Do not get promiscuous with USB keys; think before you stick it in.
7. Finally: dump the anti-virus kernel hogs. If you really think you need it, try Windows Essentials.

When in doubt, restore from the latest trusted system image.
alfie_null
not rated yet Aug 22, 2012
Browse/run through VMware guest

Confers protection not only because of the isolation, but also because the sophisticated variety of viruses, those that try hard to elude detection, deliberately don't activate themselves in virtual environments (again, to avoid the sort of live observation and analysis that's possible in a virtual environment).

If sandboxing your browser in a VM becomes typical behavior, future virus writers will have a hard choice to make.
antialias_physorg
not rated yet Aug 22, 2012
If sandboxing your browser in a VM becomes typical behavior

Many browsers already employ sandboxing (or similar features). The chrome sandbox has already been circumvented.

http://www.zdnet....ll/10588

I used to run Sandboxie, but it, too, has already been circumvented (via forging the whitelist it uses IIRC. BIOS hacks can also circumvent it.)
So now I don't bother anymore. Sandboxing was a nice concept (so was VM), but it's not foolproof.
Eikka
not rated yet Aug 25, 2012
6. Do not get promiscuous with USB keys; think before you stick it in.


Press the Shift key while inserting to stop autorun from launching any suspicious programs. Disable autorun on all drives.

Some thumbdrives come with U3 or StartKey software which is designed to autorun in Windows to run some "helpful" gadgets, and are granted special permissions like access to the registry which makes them malware-magnets and generally obnoxious.

If you have one, there's software available online that lets you nuke it free of the stuff.
