Researchers create 'Frankenstein' malware made up of common gadgets

Aug 21, 2012 by Bob Yirka weblog
High-level architecture of Frankenstein. Image: Kevin W. Hamlen

(Phys.org)—In the ever ongoing struggle between good and evil, or in this case the battle between those who create malware and those who seek to detect and destroy it, the good guys appear to have mimicked the bad by creating a computer virus that can evade detection by building itself from pieces of code that normally reside harmlessly on people's computers. The result, say Vishwath Mohan and Kevin Hamlen of the University of Texas, is a cyber version of Frankenstein's monster.

The research, which was partly funded by the US Air Force, was presented to attendees at this year's USENIX Workshop on Offensive Technologies. There the team said their aim in creating the malware was to see whether it is possible to build a virus made up of nothing but gadgets: snippets of code used by such commonly installed programs as Internet Explorer or Notepad. Theoretical research over the past several years had suggested it could be done. The overall purpose of the project was to see whether the technique could produce a virus that conventional anti-virus programs cannot detect. It seems the answer is yes, though the malware the team created is not a virus in the technical sense, because it does no harm; it is merely a proof of concept. Their code produced new code, made from gadgets, that ran two harmless algorithms. Those algorithms could, of course, just as easily have been very, very harmful.

One of the more clever aspects of the team's code is that the original kernel, the part that infects the computer, is itself modified so that it looks like part of a normal gadget, leaving no trace of itself to be found.

The point, of course, of creating new kinds of malware is to help people on the right side of the law stay one step ahead of those who toil in the dark to conceive and construct ever more malevolent software that, once unleashed, preys on others and does their bidding. Getting there first gives researchers time to build defenses against such malware before the bad guys work out how to do it themselves. In this case, some have suggested that the best way to detect the new, so-called undetectable malware is to build security software that recognizes objectionable behavior by a program, rather than scanning it for identifying markers, which is how virtually all anti-virus software currently finds infections on computer systems.

More information: Kevin W. Hamlen's page: www.utdallas.edu/~hamlen/research.html


User comments (10)

Vendicar_Decarian
not rated yet Aug 21, 2012
Software entry points need to be protected by rigid conventions. In this case, a reserved bit is needed in the instruction set that defines an opcode to be a valid entry point.

A jump or call from one application to another that goes to a destination opcode that does not have this bit set should generate an exception, allowing the calling application to be shut down.
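
The entry-point bit proposed above is, in effect, what Intel CET's indirect branch tracking (ENDBR landing pads) and ARM BTI implement in hardware. The toy simulator below is an added illustration, not code from the article or the commenter; its instruction set, sample program and ControlFlowViolation class are constructed for it, and the pointer table stands in for a corruptible function-pointer slot.

```python
# Toy model of a reserved 'valid entry point' bit on instructions (constructed ISA and program).
from dataclasses import dataclass

class ControlFlowViolation(Exception):
    pass  # an indirect branch landed on an instruction without the entry bit

@dataclass
class Insn:
    op: str              # "icall", "add", "ret" or "halt"
    arg: int = 0
    entry: bool = False  # the reserved bit: valid indirect-branch target

def run(program, pointer_table, enforce=True):
    """'icall n' jumps through pointer_table[n], a writable slot a memory bug could corrupt."""
    pc, acc, stack = 0, 0, []
    while True:
        insn = program[pc]
        if insn.op == "halt":
            return acc
        if insn.op == "icall":
            target = pointer_table[insn.arg]
            if enforce and not program[target].entry:
                raise ControlFlowViolation(f"jump to unmarked pc={target}")
            stack.append(pc + 1)
            pc = target
        elif insn.op == "ret":
            pc = stack.pop()
        else:  # "add"
            acc += insn.arg
            pc += 1

PROGRAM = [
    Insn("icall", 0),             # 0: call f through pointer slot 0
    Insn("add", 1),               # 1: continue after f returns
    Insn("halt"),                 # 2
    Insn("add", 10, entry=True),  # 3: f's legitimate entry point
    Insn("add", 100),             # 4: a mid-function 'gadget' if entered here
    Insn("ret"),                  # 5
]

def demo():
    """Return (legit result, unchecked mid-function result, enforced run raised?)."""
    legit = run(PROGRAM, {0: 3})                    # 111
    hijacked = run(PROGRAM, {0: 4}, enforce=False)  # 101: the 'add 10' was skipped
    try:
        run(PROGRAM, {0: 4})
        caught = False
    except ControlFlowViolation:
        caught = True
    return legit, hijacked, caught
```

With enforcement on, the same bytes that a gadget-chaining program would reuse are reachable only through their marked entry points, so the mid-function landing is refused before it executes.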

axemaster
not rated yet Aug 21, 2012
Well, this is a scary prospect. Unfortunately, even if antivirus programs can be modified to detect this, it will probably require a LOT more scanning and thus waste even more CPU resources than it does already. At least that's my guess.
Eikka
not rated yet Aug 21, 2012
"The overall purpose of such a project would be to see if using the technique could result in the creation of a virus that could not be detected by conventional anti-virus programs."

In my experience, none of the conventional anti-virus suites actually manage to detect malware intrusions. They only seem to work in trivial cases like email attachments or infected thumbdrives that they can scan before any of the contents are activated.

Most of the time the viruses and malware come in from the internet through bugs in the browser plugins or other network software, and the first thing it does is hide from the AV or disable it quietly. You'll only notice them later when the system starts to behave strangely, and then it's too late anyways.

Vendicar_Decarian
not rated yet Aug 21, 2012
That is my experience as well.

"In my experience, none of the conventional anti-virus suites actually manage to detect malware intrusions. They only seem to work in trivial cases like email attachments or infected thumbdrives that they can scan before any of the contents are activated." - Eikka
ValeriaT
not rated yet Aug 21, 2012
Technically speaking, the worms, i.e. scripted viruses, mostly utilize the built-in functionality of the operating system, mail program or even common office applications, and there is nothing groundbreaking about it. The whole script is just a few kilobytes long, because it utilizes many other components from outside.
Eikka
not rated yet Aug 21, 2012
"That is my experience as well."

And in light of that experience, it seems completely pointless to be running any virus scanners. They don't stop the viruses or worms, and they act like viruses and worms to make your computer slower and more prone to crash, or develop some odd conflict with system/software updates.

The only time you need them is the occasional system scan, and checking new files from untrusted sources. I run a passive scanner program for that.
ziphead
not rated yet Aug 21, 2012
1. Have a regular backup of your system image on a detachable external drive.
2. Disable scripting/activeX etc. on the browser for the internet zone, then enable it for sites you explicitly trust. Over time you will find that there aren't as many as you think.
3. Restrict your email client to text-only mode; just 'cause there is a URL in an email doesn't mean you have to follow it.
4. Do not install random crap and browser add-ons from the net. There is a reason why it is free.
5. Browse/run through VMware guest if you do have to visit funny sites or install funny apps.
6. Do not get promiscuous with USB keys; think before you stick it in.
7. Finally: dump the anti-virus kernel hogs. If you really think you need it, try Windows Essentials.

When in doubt, restore from the latest trusted system image.
alfie_null
not rated yet Aug 22, 2012
"Browse/run through VMware guest"

Confers protection not only because of the isolation, but also because the sophisticated variety of viruses, those that try hard to elude detection, deliberately don't activate themselves in virtual environments (again, to avoid the sort of live observation and analysis that's possible in a virtual environment).

If sandboxing your browser in a VM becomes typical behavior, future virus writers will have a hard choice to make.
antialias_physorg
not rated yet Aug 22, 2012
"If sandboxing your browser in a VM becomes typical behavior"

Many browsers already employ sandboxing (or similar features). The chrome sandbox has already been circumvented.

http://www.zdnet....ll/10588

I used to run Sandboxie, but it, too, has already been circumvented (via forging the whitelist it uses, IIRC; BIOS hacks can also circumvent it).

So now I don't bother anymore. Sandboxing was a nice concept (so was VM), but it's not foolproof.
Eikka
not rated yet Aug 25, 2012
"6. Do not get promiscuous with USB keys; think before you stick it in."

Press the Shift key while inserting to stop autorun from launching any suspicious programs. Disable autorun on all drives.

Some thumbdrives come with U3 or StartKey software which is designed to autorun in Windows to run some "helpful" gadgets, and are granted special permissions like access to the registry which makes them malware-magnets and generally obnoxious.

If you have one, there's software available online that lets you nuke it free of the stuff.