Frankenstein computer virus
In New Scientist Jacob Aron reports on a new type of computer virus:
ARY SHELLEY’S Victor Frankenstein stitched together the body parts of ordinary individuals and created a monster. Now computer scientists have done the same with software, demonstrating the potential for hard-to-detect viruses that are stitched together from benign code pilfered from ordinary programs.
The monstrous virus software, dubbed Frankenstein, was created by Vishwath Mohan and Kevin Hamlen at the University of Texas at Dallas. Having infected a computer, it searches the bits and bytes of common software such as Internet Explorer and Notepad for snippets of code called gadgets – short instructions that perform a particular kind of small task.
Previous research has shown that it is theoretically possible, given enough gadgets, to construct any computer program. Mohan and Hamlen set out to show that Frankenstein could build working malware code by having it create two simple algorithms purely from gadgets. “The two test algorithms we chose are simpler than full malware, but they are representative of the sort of core logic that real malware uses to unpack itself,” says Hamlen. “We consider this a strong indication that this could be scaled up to full malware.”
Frankenstein follows pre-written blueprints that specify certain tasks – such as copying pieces of data – and swaps in gadgets capable of performing those tasks. Such swaps repeat each time Frankenstein infects a new computer, but with different gadgets, meaning that the malware always looks different to antivirus software, even if its ultimate effects are the same.
The research was part-funded by the US air force, and Hamlen says that Frankenstein could be particularly useful for national security agencies attempting to infiltrate enemy computer systems with unknown antivirus defences. “It essentially infers what the [target computer’s] defences deem permissible from the existing files on the system to help it blend in with the crowd,” he says. . .
The sidebar is chilling:
Defending against malware able to build itself from other bits of code is never easy. Last month, Microsoft released an updated version of its Enhanced Mitigation Experience Toolkit (EMET), which provides extra protection for some PC users. It features a new defence designed to stop malware from executing other software’s code, just as Frankenstein does (see main story). It works by wrapping key software in a layer of code that checks whether parts of the software are being repurposed.
Microsoft paid $50,000 in a recent security prize to the creator of the technique, but just two weeks later an Iranian security researcher called Shahriyar Jalayeri claims to have bypassed EMET’s protective wrapper.