Virus Pieces Together Inside System

Friday, August 24, 2012 @ 04:08 PM gHale


Antivirus can detect plenty of malware and viruses just because they have identifiable marks that show they are up to no good.

What if pieces of clean code were able to sneak in through antivirus protection and then reassemble and transform into a mean piece of malware?

Vishwath Mohan and Kevin Hamlen at the University of Texas at Dallas are interested in how malware disguises itself in order to propagate more widely. Because virus detectors and operating systems get updated, any virus quickly disappears once it has been discovered.

Malware authors and security experts have tried different ways to camouflage malicious code, like encrypting it or adding garbage data to confuse the scanners. But Mohan and Hamlen take it a step further: Their virus builds itself out of pieces your computer knows to be safe — bits of applications like your word processor, image editor or Web browser.

While nothing is ironclad yet, they call their proof of concept Frankenstein, and it shows one avenue hackers might take in the future. Why bother sending out a whole application stuffed full of code that antivirus could identify, when you can send a “blueprint” of what it needs and let it assemble itself on-site?

Their Frankenstein does not propagate itself onto other computers, but it can make variants of itself by stealing different code from different programs. That means every version it creates of itself will be significantly different, yet each piece will still check out when inspected individually for suspicious functions. And there is no shortage of such code snippets.

“The results show that even with the limited capacity of our prototype, 2–3 binaries are sufficient to bring the number of gadgets above 100,000. On average we discovered about 46 gadgets per KB of code, finding approximately 2338 gadgets per second,” they said in a paper on the subject.
https://www.usenix.org/conference/woot12/frankenstein-stitching-malware-benign-binaries

“In other words, just a few basic applications rendered thousands of pieces to use. That many spare parts could keep the virus scanners busy for quite some time, though there is always the risk that they could be trained to look for the ‘blueprint’ instead of the resultant patched-together virus. But that too could be made to look legitimate.”

Mohan and Hamlen hope that being aware of camouflaging systems like this will make virus detection stronger and better; after all, if they didn’t invent it, some less well-meaning person might have instead, and it would be at large instead of in a paper.
