Wednesday, September 5, 2012

Frankenstein virus creates malware by pilfering code


20 August 2012 by Jacob Aron
Magazine issue 2878 of New Scientist

By hunting through benign bits of code on your computer, the Frankenstein virus can turn itself into something rather nasty

MARY SHELLEY'S Victor Frankenstein stitched together the body parts of ordinary individuals and created a monster. Now computer scientists have done the same with software, demonstrating the potential for hard-to-detect viruses that are stitched together from benign code pilfered from ordinary programs.

The monstrous virus software, dubbed Frankenstein, was created by Vishwath Mohan and Kevin Hamlen at the University of Texas at Dallas. Having infected a computer, it searches the bits and bytes of common software such as Internet Explorer and Notepad for snippets of code called gadgets - short instructions that perform a particular kind of small task.

Previous research has shown that it is theoretically possible, given enough gadgets, to construct any computer program. Mohan and Hamlen set out to show that Frankenstein could build working malware code by having it create two simple algorithms purely from gadgets. "The two test algorithms we chose are simpler than full malware, but they are representative of the sort of core logic that real malware uses to unpack itself," says Hamlen. "We consider this a strong indication that this could be scaled up to full malware."

Frankenstein follows pre-written blueprints that specify certain tasks - such as copying pieces of data - and swaps in gadgets capable of performing those tasks. Such swaps repeat each time Frankenstein infects a new computer, but with different gadgets, meaning that the malware always looks different to antivirus software, even if its ultimate effects are the same.

The research was part-funded by the US air force, and Hamlen says that Frankenstein could be particularly useful for national security agencies attempting to infiltrate enemy computer systems with unknown antivirus defences. "It essentially infers what the [target computer's] defences deem permissible from the existing files on the system to help it blend in with the crowd," he says.

Existing malware already attempts to randomly mutate its code to some extent, but antivirus software can still recognise it as something nasty.

Frankenstein is different because all of its code, including the blueprints and gadget-finder, can adapt to look like parts of regular software, making it harder to detect. Just three pieces of such software are enough to provide over 100,000 gadgets, so there are a huge number of ways for Frankenstein to build its monster, but it needs blueprints that find the right balance. If the blueprint is too specific, it leaves Frankenstein little choice in which gadgets to use, leading to less variation and making it easier to detect. Looser blueprints, which only specify the end effects of the malware, are too vague for Frankenstein to follow, for now.

The researchers presented the work at the USENIX Workshop on Offensive Technologies in Bellevue, Washington, this month.

Marco Cova at the University of Birmingham, UK, says that fighting Frankenstein could be a challenge for current antivirus software that relies on identifying various distinctive signatures of malware, but some defence is possible. Antivirus software could either look for signatures that match sequences of gadgets, or it could look at the behaviour of a program, rather than its specific code. "If the definition of maliciousness is 'a program reads my keystrokes and sends them to a remote website' then you don't care about the specific byte sequences that implement this behaviour," Cova says.
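Cova's contrast between byte signatures and behaviour, as an added example that is not part of the original article or the researchers' work: a byte-signature scan misses a variant whose bytes differ, while a rule written over observed behaviour (keyboard data reaching a remote host) flags both variants and leaves a benign trace alone. The byte strings, event format, buffer labels and function names are all constructed for illustration; the address is from a documentation-only range.

```python
from dataclasses import dataclass

# Constructed stand-ins for two variants: different bytes, same assumed behaviour.
VARIANT_A = bytes.fromhex("a1b2c3d4e5f60718")
VARIANT_B = bytes.fromhex("19f8e7d6c5b4a302")
SIGNATURES = {"sample-A": bytes.fromhex("c3d4e5f6")}  # extracted from variant A only


def signature_scan(blob: bytes) -> list[str]:
    """Byte-signature matching: names of all signatures found in the blob."""
    return [name for name, sig in SIGNATURES.items() if sig in blob]


@dataclass(frozen=True)
class Event:
    action: str  # "read", "copy", "write" or "send"
    src: str     # source device or buffer label
    dst: str     # destination buffer, file or host label


def keystroke_exfil(trace, local=("127.0.0.1", "localhost")) -> bool:
    """Behaviour rule: keyboard-derived data is sent to a non-local host."""
    tainted = set()  # buffers currently holding keyboard-derived data
    for ev in trace:
        if ev.action in ("read", "copy"):
            if ev.src == "keyboard" or ev.src in tainted:
                tainted.add(ev.dst)
            else:
                tainted.discard(ev.dst)  # buffer overwritten with clean data
        elif ev.action == "send" and ev.src in tainted and ev.dst not in local:
            return True
    return False


# Constructed behaviour traces, as a sandbox or monitor might record them.
REMOTE = "203.0.113.7"
TRACE_A = [Event("read", "keyboard", "buf1"), Event("send", "buf1", REMOTE)]
TRACE_B = [Event("read", "keyboard", "k"), Event("copy", "k", "tmp"),
           Event("copy", "tmp", "out"), Event("send", "out", REMOTE)]
TRACE_EDITOR = [Event("read", "keyboard", "doc"), Event("write", "doc", "notes.txt"),
                Event("read", "file", "upd"), Event("send", "upd", REMOTE)]

if __name__ == "__main__":
    for name, blob in (("A", VARIANT_A), ("B", VARIANT_B)):
        print("signature", name, signature_scan(blob))
    for name, tr in (("A", TRACE_A), ("B", TRACE_B), ("editor", TRACE_EDITOR)):
        print("behaviour", name, keystroke_exfil(tr))
```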

Unstoppable gadget cannibalism

Defending against malware able to build itself from other bits of code is never easy. Last month, Microsoft released an updated version of its Enhanced Mitigation Experience Toolkit (EMET), which provides extra protection for some PC users. It features a new defence designed to stop malware from executing other software's code, just as Frankenstein does (see main story). It works by wrapping key software in a layer of code that checks whether parts of the software are being repurposed.

Microsoft paid $50,000 in a recent security prize to the creator of the technique, but just two weeks later an Iranian security researcher, Shahriyar Jalayeri, claimed to have bypassed EMET's protective wrapper.
